rpms/ipa
5
0
Fork 0
Code Issues Pull Requests Releases Activity
7caae3a676
ipa/freeipa-3.0.0.pre1-058-add-per-service-option-to-store-the-types-of-pac-it-.patch

356 lines
25 KiB
Diff
Raw Normal View History

Add missing 3.0.0 beta 2 development patches
2012-08-06 16:17:49 +00:00
From fb817d340139822d17414da93853be5bc3bf6086 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 1 Aug 2012 16:14:11 +0200
Subject: [PATCH 58/79] Add per-service option to store the types of PAC it
supports
Create a per-service default as well.
https://fedorahosted.org/freeipa/ticket/2184
---
API.txt | 12 ++++++++----
install/share/60basev2.ldif | 5 ++++-
install/share/60basev3.ldif | 1 +
install/updates/10-60basev3.update | 2 ++
install/updates/10-selinuxusermap.update | 5 +++++
install/updates/60-trusts.update | 4 ++++
ipalib/plugins/config.py | 9 ++++++++-
ipalib/plugins/service.py | 23 ++++++++++++++++++-----
tests/test_xmlrpc/test_host_plugin.py | 1 +
tests/test_xmlrpc/test_service_plugin.py | 13 +++++++++++++
10 files changed, 64 insertions(+), 11 deletions(-)
diff --git a/API.txt b/API.txt
index 691a9c4dec69f1006e52eafd3a94e351750165b7..e71b79a799837cde2c1e4a5a83c20c8e23fd650f 100644
--- a/API.txt
+++ b/API.txt
@@ -445,7 +445,7 @@ args: 1,0,1
arg: Str('request_id')
output: Output('result', None, None)
command: config_mod
-args: 0,23,3
+args: 0,24,3
option: Int('ipamaxusernamelength', attribute=True, autofill=False, cli_name='maxusername', minvalue=1, multivalue=False, required=False)
option: IA5Str('ipahomesrootdir', attribute=True, autofill=False, cli_name='homedirectory', multivalue=False, required=False)
option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
@@ -462,6 +462,7 @@ option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwde
option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
+option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD'))
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Str('delattr*', cli_name='delattr', exclude='webui')
@@ -2726,9 +2727,10 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
output: Output('value', <type 'unicode'>, None)
command: service_add
-args: 1,5,3
+args: 1,6,3
arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, required=True)
option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False)
+option: StrEnum('ipakrbauthzdata', attribute=True, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD'))
option: Flag('force', autofill=True, default=False)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
@@ -2760,9 +2762,10 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('result', <type 'bool'>, None)
output: Output('value', <type 'unicode'>, None)
command: service_find
-args: 1,9,4
+args: 1,10,4
arg: Str('criteria?', noextrawhitespace=False)
option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='principal', multivalue=False, primary_key=True, query=True, required=False)
+option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, query=True, required=False, values=(u'MS-PAC', u'PAD'))
option: Int('timelimit?', autofill=False, minvalue=0)
option: Int('sizelimit?', autofill=False, minvalue=0)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -2776,9 +2779,10 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('count', <type 'int'>, None)
output: Output('truncated', <type 'bool'>, None)
command: service_mod
-args: 1,8,3
+args: 1,9,3
arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False)
+option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD'))
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Str('delattr*', cli_name='delattr', exclude='webui')
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index a299904e958b28d78fe0de912747bb6eb9b4554f..3b05e370147f6cace12913e695e02eb6550c6010 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -10,11 +10,14 @@ attributeTypes: (2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of adminis
attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName X-ORIGIN 'IPA v2')
attributeTypes: (2.16.840.1.113730.3.8.3.24 NAME 'ipaEntitlementId' DESC 'Entitlement Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+# ipaKrbAuthzData added here. Even though it is a v3 attribute it is updating
+# a v2 objectClass so needs to be here.
+attributeTypes: (2.16.840.1.113730.3.8.11.37 NAME 'ipaKrbAuthzData' DESC 'type of PAC preferred by a service' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.14 NAME 'ipaEntitlement' DESC 'IPA Entitlement object' AUXILIARY MUST ( ipaEntitlementId ) MAY ( userPKCS12 $ userCertificate ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy $ ipaKrbAuthzData) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 03561d13f45768006eb22e3dc00f41f35944dc56..18b23a3d2d00d03424df1c1cd4a5e9ddeba0f6d4 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -33,6 +33,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value
attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
+# 2.16.840.1.113730.3.8.11.37 ipaKrbAuthzData
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
diff --git a/install/updates/10-60basev3.update b/install/updates/10-60basev3.update
index 96d012c14d26133b07a503e78fa1e8b33d2a56d9..dbd68581e7321b3d544a918bc8154e6f2ecda946 100644
--- a/install/updates/10-60basev3.update
+++ b/install/updates/10-60basev3.update
@@ -5,4 +5,6 @@ add:attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC '
add:objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' )
add:objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $$ ipaAllowedTarget ) X-ORIGIN 'IPA v3' )
add:attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'IPA principal alias' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
+add:attributeTypes: (2.16.840.1.113730.3.8.11.37 NAME 'ipaKrbAuthzData' DESC 'type of PAC preferred by a service' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
add:objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $$ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' )
+replace:objectClasses: ( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $$ managedBy ) X-ORIGIN 'IPA v2' )::( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $$ managedBy $$ ipaKrbAuthzData) X-ORIGIN 'IPA v2' )
diff --git a/install/updates/10-selinuxusermap.update b/install/updates/10-selinuxusermap.update
index 431477adf87d2fd9aaf5ed288c8c9eaba7ca35f1..f9af01fadb219094ce4a748b417cd25635d1774e 100644
--- a/install/updates/10-selinuxusermap.update
+++ b/install/updates/10-selinuxusermap.update
@@ -21,6 +21,11 @@ add:attributeTypes:
X-ORIGIN 'IPA v3')
replace:objectClasses:( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase ) )::( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder) )
+# Add the default PAC service type relies on the new SELinux user map
+# values being there so add it here.
+dn: cn=schema
+replace:objectClasses:( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder ) )::( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder $$ ipaKrbAuthzData) )
+
# Add the SELinux User map schema
add:attributeTypes:
( 2.16.840.1.113730.3.8.11.30
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 577bed27f449ced1160b5ee2aad5ae85ed2440fb..0e40ca4d16133f0c1e93300fc13a08dd5ba4ddf7 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -65,3 +65,7 @@ replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword
replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)'
+
+# Add the default PAC type to configuration
+dn: cn=ipaConfig,cn=etc,$SUFFIX
+addifnew: ipaKrbAuthzData: MS-PAC
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index d632e2edf964919c4f99ee509b31e3bea7d373a3..9573bbb65dbaf8fb0b9c5c3bcc69b02c83db915b 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -90,7 +90,7 @@ class config(LDAPObject):
'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields',
'ipamigrationenabled', 'ipacertificatesubjectbase',
'ipapwdexpadvnotify', 'ipaselinuxusermaporder',
- 'ipaselinuxusermapdefault', 'ipaconfigstring',
+ 'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata',
]
label = _('Configuration')
@@ -189,6 +189,13 @@ class config(LDAPObject):
label=_('Default SELinux user'),
doc=_('Default SELinux user when no match is found in SELinux map rule'),
),
+ StrEnum('ipakrbauthzdata*',
+ cli_name='pac_type',
+ label=_('PAC type'),
+ doc=_('Default types of PAC for new services'),
+ values=(u'MS-PAC', u'PAD'),
+ csv=True,
+ ),
)
def get_dn(self, *keys, **kwargs):
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 60035bf6d8d53a498c6565fef6d3097a85263d20..4f3051aa4d5ba6dfc1768190f3662180353a5006 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -23,7 +23,7 @@ import base64
import os
from ipalib import api, errors, util
-from ipalib import Str, Flag, Bytes
+from ipalib import Str, Flag, Bytes, StrEnum
from ipalib.plugins.baseldap import *
from ipalib import x509
from ipalib import _, ngettext
@@ -223,8 +223,9 @@ class service(LDAPObject):
'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject',
'ipaservice', 'pkiuser', 'ipakrbprincipal'
]
- search_attributes = ['krbprincipalname', 'managedby']
- default_attributes = ['krbprincipalname', 'usercertificate', 'managedby']
+ search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata']
+ default_attributes = ['krbprincipalname', 'usercertificate', 'managedby',
+ 'ipakrbauthzdata',]
uuid_attribute = 'ipauniqueid'
attribute_members = {
'managedby': ['host'],
@@ -251,7 +252,14 @@ class service(LDAPObject):
label=_('Certificate'),
doc=_('Base-64 encoded server certificate'),
flags=['no_search',],
- )
+ ),
+ StrEnum('ipakrbauthzdata*',
+ cli_name='pac_type',
+ label=_('PAC type'),
+ doc=_('Types of PAC this service supports'),
+ values=(u'MS-PAC', u'PAD'),
+ csv=True,
+ ),
)
api.register(service)
@@ -291,7 +299,12 @@ class service_add(LDAPCreate):
# don't exist in DNS.
util.validate_host_dns(self.log, hostname)
if not 'managedby' in entry_attrs:
- entry_attrs['managedby'] = hostresult['dn']
+ entry_attrs['managedby'] = hostresult['dn']
+ if 'ipakrbauthzdata' not in entry_attrs:
+ config = ldap.get_ipa_config()[1]
+ default_pac_type = config.get('ipakrbauthzdata', [])
+ if default_pac_type:
+ entry_attrs['ipakrbauthzdata'] = default_pac_type
# Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
# as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py
index 019152586cf129e501875437f97cb358545bd9b7..03aa089a2739486f6033a9d1870d7567bfdf1f5a 100644
--- a/tests/test_xmlrpc/test_host_plugin.py
+++ b/tests/test_xmlrpc/test_host_plugin.py
@@ -615,6 +615,7 @@ class test_host(Declarative):
krbprincipalname=[service1],
objectclass=objectclasses.service,
managedby_host=[fqdn1],
+ ipakrbauthzdata=[u'MS-PAC'],
ipauniqueid=[fuzzy_uuid],
),
),
diff --git a/tests/test_xmlrpc/test_service_plugin.py b/tests/test_xmlrpc/test_service_plugin.py
index 5f089fbbb9099761a4552e0df83a3700b452d7df..28c6bb663429e2ca0336d9597d3d386c1c8d6da5 100644
--- a/tests/test_xmlrpc/test_service_plugin.py
+++ b/tests/test_xmlrpc/test_service_plugin.py
@@ -179,6 +179,7 @@ class test_service(Declarative):
krbprincipalname=[service1],
objectclass=objectclasses.service,
ipauniqueid=[fuzzy_uuid],
+ ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1],
),
),
@@ -207,6 +208,7 @@ class test_service(Declarative):
dn=lambda x: DN(x) == service1dn,
krbprincipalname=[service1],
has_keytab=False,
+ ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1],
),
),
@@ -226,6 +228,7 @@ class test_service(Declarative):
objectclass=objectclasses.service,
ipauniqueid=[fuzzy_uuid],
managedby_host=[fqdn1],
+ ipakrbauthzdata=[u'MS-PAC'],
has_keytab=False
),
),
@@ -244,6 +247,7 @@ class test_service(Declarative):
dn=lambda x: DN(x) == service1dn,
krbprincipalname=[service1],
managedby_host=[fqdn1],
+ ipakrbauthzdata=[u'MS-PAC'],
has_keytab=False,
),
],
@@ -265,6 +269,7 @@ class test_service(Declarative):
ipakrbprincipalalias=[service1],
objectclass=objectclasses.service,
ipauniqueid=[fuzzy_uuid],
+ ipakrbauthzdata=[u'MS-PAC'],
has_keytab=False,
managedby_host=[fqdn1],
),
@@ -282,6 +287,7 @@ class test_service(Declarative):
result=dict(
dn=lambda x: DN(x) == service1dn,
krbprincipalname=[service1],
+ ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1],
),
),
@@ -297,6 +303,7 @@ class test_service(Declarative):
result=dict(
dn=lambda x: DN(x) == service1dn,
krbprincipalname=[service1],
+ ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1],
),
),
@@ -312,6 +319,7 @@ class test_service(Declarative):
result=dict(
dn=lambda x: DN(x) == service1dn,
krbprincipalname=[service1],
+ ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1, fqdn2],
),
),
@@ -327,6 +335,7 @@ class test_service(Declarative):
result=dict(
dn=lambda x: DN(x) == service1dn,
krbprincipalname=[service1],
+ ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1],
),
),
@@ -342,6 +351,7 @@ class test_service(Declarative):
result=dict(
dn=lambda x: DN(x) == service1dn,
krbprincipalname=[service1],
+ ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1, fqdn3.lower()],
),
),
@@ -357,6 +367,7 @@ class test_service(Declarative):
result=dict(
dn=lambda x: DN(x) == service1dn,
krbprincipalname=[service1],
+ ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1],
),
),
@@ -381,6 +392,7 @@ class test_service(Declarative):
result=dict(
usercertificate=[base64.b64decode(servercert)],
krbprincipalname=[service1],
+ ipakrbauthzdata=[u'MS-PAC'],
managedby_host=[fqdn1],
valid_not_before=fuzzy_date,
valid_not_after=fuzzy_date,
@@ -408,6 +420,7 @@ class test_service(Declarative):
krbprincipalname=[service1],
has_keytab=False,
managedby_host=[fqdn1],
+ ipakrbauthzdata=[u'MS-PAC'],
# These values come from the servercert that is in this
# test case.
valid_not_before=fuzzy_date,
--
1.7.11.2
Reference in New Issue Copy Permalink