From fb817d340139822d17414da93853be5bc3bf6086 Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Wed, 1 Aug 2012 16:14:11 +0200
|
|
Subject: [PATCH 58/79] Add per-service option to store the types of PAC it
|
|
supports
|
|
|
|
Create a per-service default as well.
|
|
|
|
https://fedorahosted.org/freeipa/ticket/2184
|
|
---
|
|
API.txt | 12 ++++++++----
|
|
install/share/60basev2.ldif | 5 ++++-
|
|
install/share/60basev3.ldif | 1 +
|
|
install/updates/10-60basev3.update | 2 ++
|
|
install/updates/10-selinuxusermap.update | 5 +++++
|
|
install/updates/60-trusts.update | 4 ++++
|
|
ipalib/plugins/config.py | 9 ++++++++-
|
|
ipalib/plugins/service.py | 23 ++++++++++++++++++-----
|
|
tests/test_xmlrpc/test_host_plugin.py | 1 +
|
|
tests/test_xmlrpc/test_service_plugin.py | 13 +++++++++++++
|
|
10 files changed, 64 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/API.txt b/API.txt
|
|
index 691a9c4dec69f1006e52eafd3a94e351750165b7..e71b79a799837cde2c1e4a5a83c20c8e23fd650f 100644
|
|
--- a/API.txt
|
|
+++ b/API.txt
|
|
@@ -445,7 +445,7 @@ args: 1,0,1
|
|
arg: Str('request_id')
|
|
output: Output('result', None, None)
|
|
command: config_mod
|
|
-args: 0,23,3
|
|
+args: 0,24,3
|
|
option: Int('ipamaxusernamelength', attribute=True, autofill=False, cli_name='maxusername', minvalue=1, multivalue=False, required=False)
|
|
option: IA5Str('ipahomesrootdir', attribute=True, autofill=False, cli_name='homedirectory', multivalue=False, required=False)
|
|
option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
|
|
@@ -462,6 +462,7 @@ option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwde
|
|
option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowLMhash', u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
|
|
option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
|
|
option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
|
|
+option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD'))
|
|
option: Str('setattr*', cli_name='setattr', exclude='webui')
|
|
option: Str('addattr*', cli_name='addattr', exclude='webui')
|
|
option: Str('delattr*', cli_name='delattr', exclude='webui')
|
|
@@ -2726,9 +2727,10 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
|
|
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
|
|
output: Output('value', <type 'unicode'>, None)
|
|
command: service_add
|
|
-args: 1,5,3
|
|
+args: 1,6,3
|
|
arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, required=True)
|
|
option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False)
|
|
+option: StrEnum('ipakrbauthzdata', attribute=True, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD'))
|
|
option: Flag('force', autofill=True, default=False)
|
|
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
|
|
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
|
|
@@ -2760,9 +2762,10 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
|
|
output: Output('result', <type 'bool'>, None)
|
|
output: Output('value', <type 'unicode'>, None)
|
|
command: service_find
|
|
-args: 1,9,4
|
|
+args: 1,10,4
|
|
arg: Str('criteria?', noextrawhitespace=False)
|
|
option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='principal', multivalue=False, primary_key=True, query=True, required=False)
|
|
+option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, query=True, required=False, values=(u'MS-PAC', u'PAD'))
|
|
option: Int('timelimit?', autofill=False, minvalue=0)
|
|
option: Int('sizelimit?', autofill=False, minvalue=0)
|
|
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
|
|
@@ -2776,9 +2779,10 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
|
|
output: Output('count', <type 'int'>, None)
|
|
output: Output('truncated', <type 'bool'>, None)
|
|
command: service_mod
|
|
-args: 1,8,3
|
|
+args: 1,9,3
|
|
arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
|
|
option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False)
|
|
+option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD'))
|
|
option: Str('setattr*', cli_name='setattr', exclude='webui')
|
|
option: Str('addattr*', cli_name='addattr', exclude='webui')
|
|
option: Str('delattr*', cli_name='delattr', exclude='webui')
|
|
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
|
|
index a299904e958b28d78fe0de912747bb6eb9b4554f..3b05e370147f6cace12913e695e02eb6550c6010 100644
|
|
--- a/install/share/60basev2.ldif
|
|
+++ b/install/share/60basev2.ldif
|
|
@@ -10,11 +10,14 @@ attributeTypes: (2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of adminis
|
|
attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
|
|
attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName X-ORIGIN 'IPA v2')
|
|
attributeTypes: (2.16.840.1.113730.3.8.3.24 NAME 'ipaEntitlementId' DESC 'Entitlement Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
|
|
+# ipaKrbAuthzData added here. Even though it is a v3 attribute it is updating
|
|
+# a v2 objectClass so needs to be here.
|
|
+attributeTypes: (2.16.840.1.113730.3.8.11.37 NAME 'ipaKrbAuthzData' DESC 'type of PAC preferred by a service' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
|
|
objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
|
|
objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
|
|
objectClasses: (2.16.840.1.113730.3.8.4.14 NAME 'ipaEntitlement' DESC 'IPA Entitlement object' AUXILIARY MUST ( ipaEntitlementId ) MAY ( userPKCS12 $ userCertificate ) X-ORIGIN 'IPA v2' )
|
|
objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
|
|
-objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
|
|
+objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy $ ipaKrbAuthzData) X-ORIGIN 'IPA v2' )
|
|
objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
|
|
objectClasses: (2.16.840.1.113730.3.8.4.4 NAME 'ipaUserGroup' DESC 'IPA user group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
|
|
objectClasses: (2.16.840.1.113730.3.8.4.5 NAME 'ipaHostGroup' DESC 'IPA host group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
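Review bot: The DESC on the new ipaKrbAuthzData attributeType, `'type of PAC preferred by a service'`, describes only the per-service use, yet the same attribute is also added to ipaGuiConfig (10-selinuxusermap.update) to hold the default applied to new services, and the identical DESC is repeated in 10-60basev3.update. Suggest `DESC 'types of PAC supported by a service; on ipaConfig, the default for new services'` in both definitions so the schema alone explains both homes of the value. The attribute is deliberately not SINGLE-VALUE, matching the csv/multivalue parameters in config.py and service.py; a one-line comment next to the definition saying so would stop a later "fix" adding SINGLE-VALUE.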
|
|
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
|
|
index 03561d13f45768006eb22e3dc00f41f35944dc56..18b23a3d2d00d03424df1c1cd4a5e9ddeba0f6d4 100644
|
|
--- a/install/share/60basev3.ldif
|
|
+++ b/install/share/60basev3.ldif
|
|
@@ -33,6 +33,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.33 NAME 'ipaBaseID' DESC 'First value
|
|
attributeTypes: (2.16.840.1.113730.3.8.11.34 NAME 'ipaIDRangeSize' DESC 'Size of a Posix ID range' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
|
|
attributeTypes: (2.16.840.1.113730.3.8.11.35 NAME 'ipaBaseRID' DESC 'First value of a RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
|
|
attributeTypes: (2.16.840.1.113730.3.8.11.36 NAME 'ipaSecondaryBaseRID' DESC 'First value of a secondary RID range' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v3' )
|
|
+# 2.16.840.1.113730.3.8.11.37 ipaKrbAuthzData
|
|
objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' )
|
|
objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' )
|
|
objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' )
|
|
diff --git a/install/updates/10-60basev3.update b/install/updates/10-60basev3.update
|
|
index 96d012c14d26133b07a503e78fa1e8b33d2a56d9..dbd68581e7321b3d544a918bc8154e6f2ecda946 100644
|
|
--- a/install/updates/10-60basev3.update
|
|
+++ b/install/updates/10-60basev3.update
|
|
@@ -5,4 +5,6 @@ add:attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC '
|
|
add:objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' )
|
|
add:objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $$ ipaAllowedTarget ) X-ORIGIN 'IPA v3' )
|
|
add:attributeTypes: (2.16.840.1.113730.3.8.11.32 NAME 'ipaKrbPrincipalAlias' DESC 'IPA principal alias' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3')
|
|
+add:attributeTypes: (2.16.840.1.113730.3.8.11.37 NAME 'ipaKrbAuthzData' DESC 'type of PAC preferred by a service' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
|
|
add:objectClasses: (2.16.840.1.113730.3.8.12.8 NAME 'ipaKrbPrincipal' SUP krbPrincipalAux AUXILIARY MUST ( krbPrincipalName $$ ipaKrbPrincipalAlias ) X-ORIGIN 'IPA v3' )
|
|
+replace:objectClasses: ( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $$ managedBy ) X-ORIGIN 'IPA v2' )::( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $$ managedBy $$ ipaKrbAuthzData) X-ORIGIN 'IPA v2' )
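Review bot: The old-value side of the new `replace:objectClasses:` line for ipaService is spelled `( 2.16.840.1.113730.3.8.4.2 NAME 'ipaService' ...` with a space after the opening parenthesis, while the definition this same patch installs from 60basev2.ldif begins `(2.16.840.1.113730.3.8.4.2` with no space. If the updater compares the old side textually rather than through a schema parser, the replace will not match the stored value and upgraded servers never gain ipaKrbAuthzData on ipaService, which would then make the `addifnew` default in 60-trusts.update fail as a schema violation. The same mismatch appears in the ipaGuiConfig replace added to 10-selinuxusermap.update, whose old side ends `ipaSELinuxUserMapOrder ) )` while the line immediately above it ends `ipaSELinuxUserMapOrder) )`. Worth confirming that the updater normalizes schema values before comparing; otherwise copy the stored form byte for byte.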
|
|
diff --git a/install/updates/10-selinuxusermap.update b/install/updates/10-selinuxusermap.update
|
|
index 431477adf87d2fd9aaf5ed288c8c9eaba7ca35f1..f9af01fadb219094ce4a748b417cd25635d1774e 100644
|
|
--- a/install/updates/10-selinuxusermap.update
|
|
+++ b/install/updates/10-selinuxusermap.update
|
|
@@ -21,6 +21,11 @@ add:attributeTypes:
|
|
X-ORIGIN 'IPA v3')
|
|
replace:objectClasses:( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase ) )::( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder) )
|
|
|
|
+# Add the default PAC service type relies on the new SELinux user map
|
|
+# values being there so add it here.
|
|
+dn: cn=schema
|
|
+replace:objectClasses:( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder ) )::( 2.16.840.1.113730.3.8.2.1 NAME 'ipaGuiConfig' AUXILIARY MAY ( ipaUserSearchFields $$ ipaGroupSearchFields $$ ipaSearchTimeLimit $$ ipaSearchRecordsLimit $$ ipaCustomFields $$ ipaHomesRootDir $$ ipaDefaultLoginShell $$ ipaDefaultPrimaryGroup $$ ipaMaxUsernameLength $$ ipaPwdExpAdvNotify $$ ipaUserObjectClasses $$ ipaGroupObjectClasses $$ ipaDefaultEmailDomain $$ ipaMigrationEnabled $$ ipaCertificateSubjectBase $$ ipaSELinuxUserMapDefault $$ ipaSELinuxUserMapOrder $$ ipaKrbAuthzData) )
|
|
+
|
|
# Add the SELinux User map schema
|
|
add:attributeTypes:
|
|
( 2.16.840.1.113730.3.8.11.30
|
|
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
|
|
index 577bed27f449ced1160b5ee2aad5ae85ed2440fb..0e40ca4d16133f0c1e93300fc13a08dd5ba4ddf7 100644
|
|
--- a/install/updates/60-trusts.update
|
|
+++ b/install/updates/60-trusts.update
|
|
@@ -65,3 +65,7 @@ replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword
|
|
replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
|
replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'
|
|
replace:aci:'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)::(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaNTHash")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)'
|
|
+
|
|
+# Add the default PAC type to configuration
|
|
+dn: cn=ipaConfig,cn=etc,$SUFFIX
|
|
+addifnew: ipaKrbAuthzData: MS-PAC
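Review bot: The comment above `addifnew: ipaKrbAuthzData: MS-PAC` says what the line does but not why it lives in 60-trusts.update; the value can only be stored once ipaGuiConfig has been extended, which this patch does in 10-selinuxusermap.update, so the placement encodes an ordering dependency that a later file reshuffle could silently break. Suggest `# Add the default PAC type to configuration. Must run after 10-selinuxusermap.update, which adds ipaKrbAuthzData to ipaGuiConfig.` Also worth stating that `addifnew` leaves an existing value untouched, so an installation whose admin already cleared or changed the default keeps that choice on upgrade — presumably intended, but the comment should say so.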
|
|
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
|
|
index d632e2edf964919c4f99ee509b31e3bea7d373a3..9573bbb65dbaf8fb0b9c5c3bcc69b02c83db915b 100644
|
|
--- a/ipalib/plugins/config.py
|
|
+++ b/ipalib/plugins/config.py
|
|
@@ -90,7 +90,7 @@ class config(LDAPObject):
|
|
'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields',
|
|
'ipamigrationenabled', 'ipacertificatesubjectbase',
|
|
'ipapwdexpadvnotify', 'ipaselinuxusermaporder',
|
|
- 'ipaselinuxusermapdefault', 'ipaconfigstring',
|
|
+ 'ipaselinuxusermapdefault', 'ipaconfigstring', 'ipakrbauthzdata',
|
|
]
|
|
|
|
label = _('Configuration')
|
|
@@ -189,6 +189,13 @@ class config(LDAPObject):
|
|
label=_('Default SELinux user'),
|
|
doc=_('Default SELinux user when no match is found in SELinux map rule'),
|
|
),
|
|
+ StrEnum('ipakrbauthzdata*',
|
|
+ cli_name='pac_type',
|
|
+ label=_('PAC type'),
|
|
+ doc=_('Default types of PAC for new services'),
|
|
+ values=(u'MS-PAC', u'PAD'),
|
|
+ csv=True,
|
|
+ ),
|
|
)
|
|
|
|
def get_dn(self, *keys, **kwargs):
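Review bot: The `values=(u'MS-PAC', u'PAD')` tuple on the new `ipakrbauthzdata*` StrEnum is duplicated verbatim in the matching parameter added to ipalib/plugins/service.py, so introducing a third PAC type later means editing both plugins plus API.txt, and the two enums can drift apart so that the config default accepts a value a service rejects. Consider a single shared module-level constant (for example `PAC_TYPES = (u'MS-PAC', u'PAD')` next to one of the two objects, imported by the other) and `values=PAC_TYPES` in both places. The enclosing `takes_params` tuple of the config object starts outside the hunk.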
|
|
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
|
|
index 60035bf6d8d53a498c6565fef6d3097a85263d20..4f3051aa4d5ba6dfc1768190f3662180353a5006 100644
|
|
--- a/ipalib/plugins/service.py
|
|
+++ b/ipalib/plugins/service.py
|
|
@@ -23,7 +23,7 @@ import base64
|
|
import os
|
|
|
|
from ipalib import api, errors, util
|
|
-from ipalib import Str, Flag, Bytes
|
|
+from ipalib import Str, Flag, Bytes, StrEnum
|
|
from ipalib.plugins.baseldap import *
|
|
from ipalib import x509
|
|
from ipalib import _, ngettext
|
|
@@ -223,8 +223,9 @@ class service(LDAPObject):
|
|
'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject',
|
|
'ipaservice', 'pkiuser', 'ipakrbprincipal'
|
|
]
|
|
- search_attributes = ['krbprincipalname', 'managedby']
|
|
- default_attributes = ['krbprincipalname', 'usercertificate', 'managedby']
|
|
+ search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata']
|
|
+ default_attributes = ['krbprincipalname', 'usercertificate', 'managedby',
|
|
+ 'ipakrbauthzdata',]
|
|
uuid_attribute = 'ipauniqueid'
|
|
attribute_members = {
|
|
'managedby': ['host'],
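Review bot: The new `default_attributes` list closes with `'ipakrbauthzdata',]`, a trailing comma immediately followed by the bracket on the same line, which reads as a typo; either drop the comma or move the `]` to its own line the way the objectclass list just above does. Adding `ipakrbauthzdata` to `search_attributes` also means a free-text `service-find` criterion is presumably matched against the PAC type values, so a search for `PAD` would return every service carrying that type; if that is intended a short comment on the line would help, otherwise the dedicated `--pac-type` query option added in the same patch already covers that search.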
|
|
@@ -251,7 +252,14 @@ class service(LDAPObject):
|
|
label=_('Certificate'),
|
|
doc=_('Base-64 encoded server certificate'),
|
|
flags=['no_search',],
|
|
- )
|
|
+ ),
|
|
+ StrEnum('ipakrbauthzdata*',
|
|
+ cli_name='pac_type',
|
|
+ label=_('PAC type'),
|
|
+ doc=_('Types of PAC this service supports'),
|
|
+ values=(u'MS-PAC', u'PAD'),
|
|
+ csv=True,
|
|
+ ),
|
|
)
|
|
|
|
api.register(service)
|
|
@@ -291,7 +299,12 @@ class service_add(LDAPCreate):
|
|
# don't exist in DNS.
|
|
util.validate_host_dns(self.log, hostname)
|
|
if not 'managedby' in entry_attrs:
|
|
- entry_attrs['managedby'] = hostresult['dn']
|
|
+ entry_attrs['managedby'] = hostresult['dn']
|
|
+ if 'ipakrbauthzdata' not in entry_attrs:
|
|
+ config = ldap.get_ipa_config()[1]
|
|
+ default_pac_type = config.get('ipakrbauthzdata', [])
|
|
+ if default_pac_type:
|
|
+ entry_attrs['ipakrbauthzdata'] = default_pac_type
|
|
|
|
# Enforce ipaKrbPrincipalAlias to aid case-insensitive searches
|
|
# as krbPrincipalName/krbCanonicalName are case-sensitive in Kerberos
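Review bot: The new block copies the global default into `entry_attrs['ipakrbauthzdata']` at creation time, so a later `config-mod --pac-type` change does not alter services that already exist; that is reasonable but not obvious, and the local name `config` is easy to confuse with the config plugin. Suggest a comment above `if 'ipakrbauthzdata' not in entry_attrs:` such as `# Snapshot the global default PAC type at creation time; later config changes affect only new services.` Note also that `config.get('ipakrbauthzdata', [])` takes the raw LDAP value without passing it through the StrEnum, so anything written to ipaConfig by other means (for example via `--setattr`, which config_mod accepts per API.txt) is propagated verbatim into the new service. The enclosing pre_callback starts and ends outside the hunk.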
|
|
diff --git a/tests/test_xmlrpc/test_host_plugin.py b/tests/test_xmlrpc/test_host_plugin.py
|
|
index 019152586cf129e501875437f97cb358545bd9b7..03aa089a2739486f6033a9d1870d7567bfdf1f5a 100644
|
|
--- a/tests/test_xmlrpc/test_host_plugin.py
|
|
+++ b/tests/test_xmlrpc/test_host_plugin.py
|
|
@@ -615,6 +615,7 @@ class test_host(Declarative):
|
|
krbprincipalname=[service1],
|
|
objectclass=objectclasses.service,
|
|
managedby_host=[fqdn1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
ipauniqueid=[fuzzy_uuid],
|
|
),
|
|
),
|
|
diff --git a/tests/test_xmlrpc/test_service_plugin.py b/tests/test_xmlrpc/test_service_plugin.py
|
|
index 5f089fbbb9099761a4552e0df83a3700b452d7df..28c6bb663429e2ca0336d9597d3d386c1c8d6da5 100644
|
|
--- a/tests/test_xmlrpc/test_service_plugin.py
|
|
+++ b/tests/test_xmlrpc/test_service_plugin.py
|
|
@@ -179,6 +179,7 @@ class test_service(Declarative):
|
|
krbprincipalname=[service1],
|
|
objectclass=objectclasses.service,
|
|
ipauniqueid=[fuzzy_uuid],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
managedby_host=[fqdn1],
|
|
),
|
|
),
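Review bot: Every expectation added in this file only asserts the inherited default `ipakrbauthzdata=[u'MS-PAC']`; none of the visible hunks exercises a service created with an explicit `pac_type=[u'PAD']`, a `service_mod` that changes or clears the value, a `service_find` using the new `pac_type` query option, or a `config_mod` round trip that verifies a changed default is picked up by the next `service_add`. At minimum one case adding a service with `pac_type=[u'PAD']` and checking the stored `ipakrbauthzdata=[u'PAD']` would cover the non-default path the feature exists for. The same gap applies to the single hunk in test_host_plugin.py.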
|
|
@@ -207,6 +208,7 @@ class test_service(Declarative):
|
|
dn=lambda x: DN(x) == service1dn,
|
|
krbprincipalname=[service1],
|
|
has_keytab=False,
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
managedby_host=[fqdn1],
|
|
),
|
|
),
|
|
@@ -226,6 +228,7 @@ class test_service(Declarative):
|
|
objectclass=objectclasses.service,
|
|
ipauniqueid=[fuzzy_uuid],
|
|
managedby_host=[fqdn1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
has_keytab=False
|
|
),
|
|
),
|
|
@@ -244,6 +247,7 @@ class test_service(Declarative):
|
|
dn=lambda x: DN(x) == service1dn,
|
|
krbprincipalname=[service1],
|
|
managedby_host=[fqdn1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
has_keytab=False,
|
|
),
|
|
],
|
|
@@ -265,6 +269,7 @@ class test_service(Declarative):
|
|
ipakrbprincipalalias=[service1],
|
|
objectclass=objectclasses.service,
|
|
ipauniqueid=[fuzzy_uuid],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
has_keytab=False,
|
|
managedby_host=[fqdn1],
|
|
),
|
|
@@ -282,6 +287,7 @@ class test_service(Declarative):
|
|
result=dict(
|
|
dn=lambda x: DN(x) == service1dn,
|
|
krbprincipalname=[service1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
managedby_host=[fqdn1],
|
|
),
|
|
),
|
|
@@ -297,6 +303,7 @@ class test_service(Declarative):
|
|
result=dict(
|
|
dn=lambda x: DN(x) == service1dn,
|
|
krbprincipalname=[service1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
managedby_host=[fqdn1],
|
|
),
|
|
),
|
|
@@ -312,6 +319,7 @@ class test_service(Declarative):
|
|
result=dict(
|
|
dn=lambda x: DN(x) == service1dn,
|
|
krbprincipalname=[service1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
managedby_host=[fqdn1, fqdn2],
|
|
),
|
|
),
|
|
@@ -327,6 +335,7 @@ class test_service(Declarative):
|
|
result=dict(
|
|
dn=lambda x: DN(x) == service1dn,
|
|
krbprincipalname=[service1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
managedby_host=[fqdn1],
|
|
),
|
|
),
|
|
@@ -342,6 +351,7 @@ class test_service(Declarative):
|
|
result=dict(
|
|
dn=lambda x: DN(x) == service1dn,
|
|
krbprincipalname=[service1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
managedby_host=[fqdn1, fqdn3.lower()],
|
|
),
|
|
),
|
|
@@ -357,6 +367,7 @@ class test_service(Declarative):
|
|
result=dict(
|
|
dn=lambda x: DN(x) == service1dn,
|
|
krbprincipalname=[service1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
managedby_host=[fqdn1],
|
|
),
|
|
),
|
|
@@ -381,6 +392,7 @@ class test_service(Declarative):
|
|
result=dict(
|
|
usercertificate=[base64.b64decode(servercert)],
|
|
krbprincipalname=[service1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
managedby_host=[fqdn1],
|
|
valid_not_before=fuzzy_date,
|
|
valid_not_after=fuzzy_date,
|
|
@@ -408,6 +420,7 @@ class test_service(Declarative):
|
|
krbprincipalname=[service1],
|
|
has_keytab=False,
|
|
managedby_host=[fqdn1],
|
|
+ ipakrbauthzdata=[u'MS-PAC'],
|
|
# These values come from the servercert that is in this
|
|
# test case.
|
|
valid_not_before=fuzzy_date,
|
|
--
|
|
1.7.11.2
|
|
|