From fb817d340139822d17414da93853be5bc3bf6086 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 1 Aug 2012 16:14:11 +0200 Subject: [PATCH 58/79] Add per-service option to store the types of PAC it supports Create a per-service default as well. https://fedorahosted.org/freeipa/ticket/2184 --- API.txt | 12 ++++++++---- install/share/60basev2.ldif | 5 ++++- install/share/60basev3.ldif | 1 + install/updates/10-60basev3.update | 2 ++ install/updates/10-selinuxusermap.update | 5 +++++ install/updates/60-trusts.update | 4 ++++ ipalib/plugins/config.py | 9 ++++++++- ipalib/plugins/service.py | 23 ++++++++++++++++++----- tests/test_xmlrpc/test_host_plugin.py | 1 + tests/test_xmlrpc/test_service_plugin.py | 13 +++++++++++++ 10 files changed, 64 insertions(+), 11 deletions(-) diff --git a/API.txt b/API.txt index 691a9c4dec69f1006e52eafd3a94e351750165b7..e71b79a799837cde2c1e4a5a83c20c8e23fd650f 100644 --- a/API.txt +++ b/API.txt @@ -445,7 +445,7 @@ args: 1,0,1 arg: Str('request_id') output: Output('result', None, None) command: config_mod -args: 0,23,3 +args: 0,24,3 option: Int('ipamaxusernamelength', attribute=True, autofill=False, cli_name='maxusername', minvalue=1, multivalue=False, required=False) option: IA5Str('ipahomesrootdir', attribute=True, autofill=False, cli_name='homedirectory', multivalue=False, required=False) option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False) @@ -462,6 +462,7 @@ option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwde option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout')) option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False) option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False) +option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD')) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') @@ -2726,9 +2727,10 @@ output: Output('summary', (, ), None) output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', , None) command: service_add -args: 1,5,3 +args: 1,6,3 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, required=True) option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False) +option: StrEnum('ipakrbauthzdata', attribute=True, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD')) option: Flag('force', autofill=True, default=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') @@ -2760,9 +2762,10 @@ output: Output('summary', (, ), None) output: Output('result', , None) output: Output('value', , None) command: service_find -args: 1,9,4 +args: 1,10,4 arg: Str('criteria?', noextrawhitespace=False) option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='principal', multivalue=False, primary_key=True, query=True, required=False) +option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, query=True, required=False, values=(u'MS-PAC', u'PAD')) option: Int('timelimit?', autofill=False, minvalue=0) option: Int('sizelimit?', autofill=False, minvalue=0) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -2776,9 +2779,10 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('count', , None) output: Output('truncated', , None) command: service_mod -args: 1,8,3 +args: 1,9,3 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True) option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False) +option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD')) option: Str('setattr*', cli_name='setattr', exclude='webui') option: Str('addattr*', cli_name='addattr', exclude='webui') option: Str('delattr*', cli_name='delattr', exclude='webui') diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif index a299904e958b28d78fe0de912747bb6eb9b4554f..3b05e370147f6cace12913e695e02eb6550c6010 100644 --- a/install/share/60basev2.ldif +++ b/install/share/60basev2.ldif @@ -10,11 +10,14 @@ attributeTypes: (2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of adminis attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName X-ORIGIN 'IPA v2') attributeTypes: (2.16.840.1.113730.3.8.3.24 NAME 'ipaEntitlementId' DESC 'Entitlement Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +# ipaKrbAuthzData added here. Even though it is a v3 attribute it is updating +# a v2 objectClass so needs to be here. +attributeTypes: (2.16.840.1.113730.3.8.11.37 NAME 'ipaKrbAuthzData' DESC 'type of PAC preferred by a service' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.14 NAME 'ipaEntitlement' DESC 'IPA Entitlement object' AUXILIARY MUST ( ipaEntitlementId ) MAY ( userPKCS12 $ userCertificate ) X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' ) -objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' ) +objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy $ ipaKrbAuthzData) X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' ) objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' ) diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 03561d13f45768006eb22e3dc00f41f35944dc56..18b23a3d2d00d03424df1c1cd4a5e9ddeba0f6d4 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif @@ -33,6 +33,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +# 2.16.840.1.113730.3.8.11.37 ipaKrbAuthzData objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) diff --git a/install/updates/10-60basev3.update b/install/updates/10-60basev3.update index 96d012c14d26133b07a503e78fa1e8b33d2a56d9..dbd68581e7321b3d544a918bc8154e6f2ecda946 100644 --- a/install/updates/10-60basev3.update +++ b/install/updates/10-60basev3.update @@ -5,4 +5,6 @@ add:attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC ' add:objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' ) add:objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $$ ipaAllowedTarget ) X-ORIGIN 'IPA v3' ) add:attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'IPA principal alias' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3') +add:attributeTypes: (2.16.840.1.113730.3.8.11.37 NAME 'ipaKrbAuthzData' DESC 'type of PAC preferred by a service' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3') add:objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $$ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' ) +replace:objectClasses: ( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $$ managedBy ) X-ORIGIN 'IPA v2' )::( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $$ managedBy $$ ipaKrbAuthzData) X-ORIGIN 'IPA v2' ) diff --git a/install/updates/10-selinuxusermap.update b/install/updates/10-selinuxusermap.update index 431477adf87d2fd9aaf5ed288c8c9eaba7ca35f1..f9af01fadb219094ce4a748b417cd25635d1774e 100644 --- a/install/updates/10-selinuxusermap.update +++ b/install/updates/10-selinuxusermap.update @@ -21,6 +21,11 @@ add:attributeTypes: X-ORIGIN 'IPA v3') replace:objectClasses:( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase ) )::( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder) ) +# Add the default PAC service type relies on the new SELinux user map +# values being there so add it here. +dn: cn=schema +replace:objectClasses:( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder ) )::( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder $$ ipaKrbAuthzData) ) + # Add the SELinux User map schema add:attributeTypes: ( 2.16.840.1.113730.3.8.11.30 diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update index 577bed27f449ced1160b5ee2aad5ae85ed2440fb..0e40ca4d16133f0c1e93300fc13a08dd5ba4ddf7 100644 --- a/install/updates/60-trusts.update +++ b/install/updates/60-trusts.update @@ -65,3 +65,7 @@ replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)' replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)' replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)' + +# Add the default PAC type to configuration +dn: cn=ipaConfig,cn=etc,$SUFFIX +addifnew: ipaKrbAuthzData: MS-PAC diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index d632e2edf964919c4f99ee509b31e3bea7d373a3..9573bbb65dbaf8fb0b9c5c3bcc69b02c83db915b 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -90,7 +90,7 @@ class config(LDAPObject): 'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields', 'ipamigrationenabled', 'ipacertificatesubjectbase', 'ipapwdexpadvnotify', 'ipaselinuxusermaporder', - 'ipaselinuxusermapdefault', 'ipaconfigstring', + 'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata', ] label = _('Configuration') @@ -189,6 +189,13 @@ class config(LDAPObject): label=_('Default SELinux user'), doc=_('Default SELinux user when no match is found in SELinux map rule'), ), + StrEnum('ipakrbauthzdata*', + cli_name='pac_type', + label=_('PAC type'), + doc=_('Default types of PAC for new services'), + values=(u'MS-PAC', u'PAD'), + csv=True, + ), ) def get_dn(self, *keys, **kwargs): diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 60035bf6d8d53a498c6565fef6d3097a85263d20..4f3051aa4d5ba6dfc1768190f3662180353a5006 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -23,7 +23,7 @@ import base64 import os from ipalib import api, errors, util -from ipalib import Str, Flag, Bytes +from ipalib import Str, Flag, Bytes, StrEnum from ipalib.plugins.baseldap import * from ipalib import x509 from ipalib import _, ngettext @@ -223,8 +223,9 @@ class service(LDAPObject): 'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser', 'ipakrbprincipal' ] - search_attributes = ['krbprincipalname', 'managedby'] - default_attributes = ['krbprincipalname', 'usercertificate', 'managedby'] + search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata'] + default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', + 'ipakrbauthzdata',] uuid_attribute = 'ipauniqueid' attribute_members = { 'managedby': ['host'], @@ -251,7 +252,14 @@ class service(LDAPObject): label=_('Certificate'), doc=_('Base-64 encoded server certificate'), flags=['no_search',], - ) + ), + StrEnum('ipakrbauthzdata*', + cli_name='pac_type', + label=_('PAC type'), + doc=_('Types of PAC this service supports'), + values=(u'MS-PAC', u'PAD'), + csv=True, + ), ) api.register(service) @@ -291,7 +299,12 @@ class service_add(LDAPCreate): # don't exist in DNS. util.validate_host_dns(self.log, hostname) if not 'managedby' in entry_attrs: - entry_attrs['managedby'] = hostresult['dn'] + entry_attrs['managedby'] = hostresult['dn'] + if 'ipakrbauthzdata' not in entry_attrs: + config = ldap.get_ipa_config()[1] + default_pac_type = config.get('ipakrbauthzdata', []) + if default_pac_type: + entry_attrs['ipakrbauthzdata'] = default_pac_type # Enforce ipaKrbPrincipalAlias to aid case-insensitive searches # as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py index 019152586cf129e501875437f97cb358545bd9b7..03aa089a2739486f6033a9d1870d7567bfdf1f5a 100644 --- a/tests/test_xmlrpc/test_host_plugin.py +++ b/tests/test_xmlrpc/test_host_plugin.py @@ -615,6 +615,7 @@ class test_host(Declarative): krbprincipalname=[service1], objectclass=objectclasses.service, managedby_host=[fqdn1], + ipakrbauthzdata=[u'MS-PAC'], ipauniqueid=[fuzzy_uuid], ), ), diff --git a/tests/test_xmlrpc/test_service_plugin.py b/tests/test_xmlrpc/test_service_plugin.py index 5f089fbbb9099761a4552e0df83a3700b452d7df..28c6bb663429e2ca0336d9597d3d386c1c8d6da5 100644 --- a/tests/test_xmlrpc/test_service_plugin.py +++ b/tests/test_xmlrpc/test_service_plugin.py @@ -179,6 +179,7 @@ class test_service(Declarative): krbprincipalname=[service1], objectclass=objectclasses.service, ipauniqueid=[fuzzy_uuid], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), @@ -207,6 +208,7 @@ class test_service(Declarative): dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], has_keytab=False, + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), @@ -226,6 +228,7 @@ class test_service(Declarative): objectclass=objectclasses.service, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn1], + ipakrbauthzdata=[u'MS-PAC'], has_keytab=False ), ), @@ -244,6 +247,7 @@ class test_service(Declarative): dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], managedby_host=[fqdn1], + ipakrbauthzdata=[u'MS-PAC'], has_keytab=False, ), ], @@ -265,6 +269,7 @@ class test_service(Declarative): ipakrbprincipalalias=[service1], objectclass=objectclasses.service, ipauniqueid=[fuzzy_uuid], + ipakrbauthzdata=[u'MS-PAC'], has_keytab=False, managedby_host=[fqdn1], ), @@ -282,6 +287,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), @@ -297,6 +303,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), @@ -312,6 +319,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1, fqdn2], ), ), @@ -327,6 +335,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), @@ -342,6 +351,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1, fqdn3.lower()], ), ), @@ -357,6 +367,7 @@ class test_service(Declarative): result=dict( dn=lambda x: DN(x) == service1dn, krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], ), ), @@ -381,6 +392,7 @@ class test_service(Declarative): result=dict( usercertificate=[base64.b64decode(servercert)], krbprincipalname=[service1], + ipakrbauthzdata=[u'MS-PAC'], managedby_host=[fqdn1], valid_not_before=fuzzy_date, valid_not_after=fuzzy_date, @@ -408,6 +420,7 @@ class test_service(Declarative): krbprincipalname=[service1], has_keytab=False, managedby_host=[fqdn1], + ipakrbauthzdata=[u'MS-PAC'], # These values come from the servercert that is in this # test case. valid_not_before=fuzzy_date, -- 1.7.11.2