Imported Upstream version 4.0.5

Mario Fetka
2021-07-25 07:50:50 +02:00
parent 8ff3be4216
commit 3bfaa6e020
2049 changed files with 317193 additions and 1632423 deletions


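--- a/<path not shown on page>
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
-#
-from ..compat import CompatCommand, CompatMethod, CompatObject
-Object = CompatObject
-class Command(CompatCommand):
-api_version = u'2.49'
-class Method(Command, CompatMethod):
-pass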


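--- a/<path not shown on page>
+++ /dev/null
@@ -1,811 +0,0 @@
-#
-# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
-#
-# pylint: disable=unused-import
-import six
-from . import Command, Method, Object
-from ipalib import api, parameters, output
-from ipalib.parameters import DefaultFrom
-from ipalib.plugable import Registry
-from ipalib.text import _
-from ipapython.dn import DN
-from ipapython.dnsutil import DNSName
-if six.PY3:
-unicode = str
-__doc__ = _("""
-Directory Server Access Control Instructions (ACIs)
-ACIs are used to allow or deny access to information. This module is
-currently designed to allow, not deny, access.
-The aci commands are designed to grant permissions that allow updating
-existing entries or adding or deleting new ones. The goal of the ACIs
-that ship with IPA is to provide a set of low-level permissions that
-grant access to special groups called taskgroups. These low-level
-permissions can be combined into roles that grant broader access. These
-roles are another type of group, roles.
-For example, if you have taskgroups that allow adding and modifying users you
-could create a role, useradmin. You would assign users to the useradmin
-role to allow them to do the operations defined by the taskgroups.
-You can create ACIs that delegate permission so users in group A can write
-attributes on group B.
-The type option is a map that applies to all entries in the users, groups or
-host location. It is primarily designed to be used when granting add
-permissions (to write new entries).
-An ACI consists of three parts:
-1. target
-2. permissions
-3. bind rules
-The target is a set of rules that define which LDAP objects are being
-targeted. This can include a list of attributes, an area of that LDAP
-tree or an LDAP filter.
-The targets include:
-- attrs: list of attributes affected
-- type: an object type (user, group, host, service, etc)
-- memberof: members of a group
-- targetgroup: grant access to modify a specific group. This is primarily
-designed to enable users to add or remove members of a specific group.
-- filter: A legal LDAP filter used to narrow the scope of the target.
-- subtree: Used to apply a rule across an entire set of objects. For example,
-to allow adding users you need to grant "add" permission to the subtree
-ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option
-is a fail-safe for objects that may not be covered by the type option.
-The permissions define what the ACI is allowed to do, and are one or
-more of:
-1. write - write one or more attributes
-2. read - read one or more attributes
-3. add - add a new entry to the tree
-4. delete - delete an existing entry
-5. all - all permissions are granted
-Note the distinction between attributes and entries. The permissions are
-independent, so being able to add a user does not mean that the user will
-be editable.
-The bind rule defines who this ACI grants permissions to. The LDAP server
-allows this to be any valid LDAP entry but we encourage the use of
-taskgroups so that the rights can be easily shared through roles.
-For a more thorough description of access controls see
-http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html
-EXAMPLES:
-NOTE: ACIs are now added via the permission plugin. These examples are to
-demonstrate how the various options work but this is done via the permission
-command-line now (see last example).
-Add an ACI so that the group "secretaries" can update the address on any user:
-ipa group-add --desc="Office secretaries" secretaries
-ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses"
-Show the new ACI:
-ipa aci-show --prefix=none "Secretaries write addresses"
-Add an ACI that allows members of the "addusers" permission to add new users:
-ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users"
-Add an ACI that allows members of the editors manage members of the admins group:
-ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins"
-Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group:
-ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode --prefix=none "admins edit the address of editors"
-Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss:
-ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss"
-Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
-ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
-The show command shows the raw 389-ds ACI.
-IMPORTANT: When modifying the target attributes of an existing ACI you
-must include all existing attributes as well. When doing an aci-mod the
-targetattr REPLACES the current attributes, it does not add to them.
-""")
-register = Registry()
-@register()
-class aci(Object):
-takes_params = (
-parameters.Str(
-'aciname',
-primary_key=True,
-label=_(u'ACI name'),
-),
-parameters.Str(
-'permission',
-required=False,
-label=_(u'Permission'),
-doc=_(u'Permission ACI grants access to'),
-),
-parameters.Str(
-'group',
-required=False,
-label=_(u'User group'),
-doc=_(u'User group ACI grants access to'),
-),
-parameters.Str(
-'permissions',
-multivalue=True,
-label=_(u'Permissions'),
-doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'),
-),
-parameters.Str(
-'attrs',
-required=False,
-multivalue=True,
-label=_(u'Attributes'),
-doc=_(u'Comma-separated list of attributes'),
-),
-parameters.Str(
-'type',
-required=False,
-label=_(u'Type'),
-doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
-),
-parameters.Str(
-'memberof',
-required=False,
-label=_(u'Member of'),
-doc=_(u'Member of a group'),
-),
-parameters.Str(
-'filter',
-required=False,
-label=_(u'Filter'),
-doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
-),
-parameters.Str(
-'subtree',
-required=False,
-label=_(u'Subtree'),
-doc=_(u'Subtree to apply ACI to'),
-),
-parameters.Str(
-'targetgroup',
-required=False,
-label=_(u'Target group'),
-doc=_(u'Group to apply ACI to'),
-),
-parameters.Flag(
-'selfaci',
-required=False,
-label=_(u'Target your own entry (self)'),
-doc=_(u'Apply ACI to your own entry (self)'),
-),
-)
-@register()
-class aci_add(Method):
-__doc__ = _("Create new ACI.")
-NO_CLI = True
-takes_args = (
-parameters.Str(
-'aciname',
-cli_name='name',
-label=_(u'ACI name'),
-),
-)
-takes_options = (
-parameters.Str(
-'permission',
-required=False,
-label=_(u'Permission'),
-doc=_(u'Permission ACI grants access to'),
-),
-parameters.Str(
-'group',
-required=False,
-label=_(u'User group'),
-doc=_(u'User group ACI grants access to'),
-),
-parameters.Str(
-'permissions',
-multivalue=True,
-label=_(u'Permissions'),
-doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'),
-no_convert=True,
-),
-parameters.Str(
-'attrs',
-required=False,
-multivalue=True,
-label=_(u'Attributes'),
-doc=_(u'Comma-separated list of attributes'),
-),
-parameters.Str(
-'type',
-required=False,
-cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
-label=_(u'Type'),
-doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
-),
-parameters.Str(
-'memberof',
-required=False,
-label=_(u'Member of'),
-doc=_(u'Member of a group'),
-),
-parameters.Str(
-'filter',
-required=False,
-label=_(u'Filter'),
-doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
-),
-parameters.Str(
-'subtree',
-required=False,
-label=_(u'Subtree'),
-doc=_(u'Subtree to apply ACI to'),
-),
-parameters.Str(
-'targetgroup',
-required=False,
-label=_(u'Target group'),
-doc=_(u'Group to apply ACI to'),
-),
-parameters.Flag(
-'selfaci',
-required=False,
-cli_name='self',
-label=_(u'Target your own entry (self)'),
-doc=_(u'Apply ACI to your own entry (self)'),
-default=False,
-autofill=True,
-),
-parameters.Str(
-'aciprefix',
-cli_name='prefix',
-cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
-label=_(u'ACI prefix'),
-doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
-),
-parameters.Flag(
-'test',
-required=False,
-doc=_(u"Test the ACI syntax but don't write anything"),
-default=False,
-autofill=True,
-),
-parameters.Flag(
-'all',
-doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
-exclude=('webui',),
-default=False,
-autofill=True,
-),
-parameters.Flag(
-'raw',
-doc=_(u'Print entries as stored on the server. Only affects output format.'),
-exclude=('webui',),
-default=False,
-autofill=True,
-),
-)
-has_output = (
-output.Output(
-'summary',
-(unicode, type(None)),
-doc=_(u'User-friendly description of action performed'),
-),
-output.Entry(
-'result',
-),
-output.Output(
-'value',
-unicode,
-doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
-),
-)
-@register()
-class aci_del(Method):
-__doc__ = _("Delete ACI.")
-NO_CLI = True
-takes_args = (
-parameters.Str(
-'aciname',
-cli_name='name',
-label=_(u'ACI name'),
-),
-)
-takes_options = (
-parameters.Str(
-'aciprefix',
-cli_name='prefix',
-cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
-label=_(u'ACI prefix'),
-doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
-),
-)
-has_output = (
-output.Output(
-'summary',
-(unicode, type(None)),
-doc=_(u'User-friendly description of action performed'),
-),
-output.Output(
-'result',
-bool,
-doc=_(u'True means the operation was successful'),
-),
-output.Output(
-'value',
-unicode,
-doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
-),
-)
-@register()
-class aci_find(Method):
-__doc__ = _("""
-Search for ACIs.
-Returns a list of ACIs
-EXAMPLES:
-To find all ACIs that apply directly to members of the group ipausers:
-ipa aci-find --memberof=ipausers
-To find all ACIs that grant add access:
-ipa aci-find --permissions=add
-Note that the find command only looks for the given text in the set of
-ACIs, it does not evaluate the ACIs to see if something would apply.
-For example, searching on memberof=ipausers will find all ACIs that
-have ipausers as a memberof. There may be other ACIs that apply to
-members of that group indirectly.
-""")
-NO_CLI = True
-takes_args = (
-parameters.Str(
-'criteria',
-required=False,
-),
-)
-takes_options = (
-parameters.Str(
-'aciname',
-required=False,
-cli_name='name',
-label=_(u'ACI name'),
-),
-parameters.Str(
-'permission',
-required=False,
-label=_(u'Permission'),
-doc=_(u'Permission ACI grants access to'),
-),
-parameters.Str(
-'group',
-required=False,
-label=_(u'User group'),
-doc=_(u'User group ACI grants access to'),
-),
-parameters.Str(
-'permissions',
-required=False,
-multivalue=True,
-label=_(u'Permissions'),
-doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'),
-no_convert=True,
-),
-parameters.Str(
-'attrs',
-required=False,
-multivalue=True,
-label=_(u'Attributes'),
-doc=_(u'Comma-separated list of attributes'),
-),
-parameters.Str(
-'type',
-required=False,
-cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
-label=_(u'Type'),
-doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
-),
-parameters.Str(
-'memberof',
-required=False,
-label=_(u'Member of'),
-doc=_(u'Member of a group'),
-),
-parameters.Str(
-'filter',
-required=False,
-label=_(u'Filter'),
-doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
-),
-parameters.Str(
-'subtree',
-required=False,
-label=_(u'Subtree'),
-doc=_(u'Subtree to apply ACI to'),
-),
-parameters.Str(
-'targetgroup',
-required=False,
-label=_(u'Target group'),
-doc=_(u'Group to apply ACI to'),
-),
-parameters.Bool(
-'selfaci',
-required=False,
-cli_name='self',
-label=_(u'Target your own entry (self)'),
-doc=_(u'Apply ACI to your own entry (self)'),
-default=False,
-),
-parameters.Str(
-'aciprefix',
-required=False,
-cli_name='prefix',
-cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
-label=_(u'ACI prefix'),
-doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
-),
-parameters.Flag(
-'pkey_only',
-required=False,
-label=_(u'Primary key only'),
-doc=_(u'Results should contain primary key attribute only ("name")'),
-default=False,
-autofill=True,
-),
-parameters.Flag(
-'all',
-doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
-exclude=('webui',),
-default=False,
-autofill=True,
-),
-parameters.Flag(
-'raw',
-doc=_(u'Print entries as stored on the server. Only affects output format.'),
-exclude=('webui',),
-default=False,
-autofill=True,
-),
-)
-has_output = (
-output.Output(
-'summary',
-(unicode, type(None)),
-doc=_(u'User-friendly description of action performed'),
-),
-output.ListOfEntries(
-'result',
-),
-output.Output(
-'count',
-int,
-doc=_(u'Number of entries returned'),
-),
-output.Output(
-'truncated',
-bool,
-doc=_(u'True if not all results were returned'),
-),
-)
-@register()
-class aci_mod(Method):
-__doc__ = _("Modify ACI.")
-NO_CLI = True
-takes_args = (
-parameters.Str(
-'aciname',
-cli_name='name',
-label=_(u'ACI name'),
-),
-)
-takes_options = (
-parameters.Str(
-'permission',
-required=False,
-label=_(u'Permission'),
-doc=_(u'Permission ACI grants access to'),
-),
-parameters.Str(
-'group',
-required=False,
-label=_(u'User group'),
-doc=_(u'User group ACI grants access to'),
-),
-parameters.Str(
-'permissions',
-required=False,
-multivalue=True,
-label=_(u'Permissions'),
-doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'),
-no_convert=True,
-),
-parameters.Str(
-'attrs',
-required=False,
-multivalue=True,
-label=_(u'Attributes'),
-doc=_(u'Comma-separated list of attributes'),
-),
-parameters.Str(
-'type',
-required=False,
-cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
-label=_(u'Type'),
-doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
-),
-parameters.Str(
-'memberof',
-required=False,
-label=_(u'Member of'),
-doc=_(u'Member of a group'),
-),
-parameters.Str(
-'filter',
-required=False,
-label=_(u'Filter'),
-doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
-),
-parameters.Str(
-'subtree',
-required=False,
-label=_(u'Subtree'),
-doc=_(u'Subtree to apply ACI to'),
-),
-parameters.Str(
-'targetgroup',
-required=False,
-label=_(u'Target group'),
-doc=_(u'Group to apply ACI to'),
-),
-parameters.Flag(
-'selfaci',
-required=False,
-cli_name='self',
-label=_(u'Target your own entry (self)'),
-doc=_(u'Apply ACI to your own entry (self)'),
-default=False,
-autofill=True,
-),
-parameters.Str(
-'aciprefix',
-cli_name='prefix',
-cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
-label=_(u'ACI prefix'),
-doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
-),
-parameters.Flag(
-'all',
-doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
-exclude=('webui',),
-default=False,
-autofill=True,
-),
-parameters.Flag(
-'raw',
-doc=_(u'Print entries as stored on the server. Only affects output format.'),
-exclude=('webui',),
-default=False,
-autofill=True,
-),
-)
-has_output = (
-output.Output(
-'summary',
-(unicode, type(None)),
-doc=_(u'User-friendly description of action performed'),
-),
-output.Entry(
-'result',
-),
-output.Output(
-'value',
-unicode,
-doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
-),
-)
-@register()
-class aci_rename(Method):
-__doc__ = _("Rename an ACI.")
-NO_CLI = True
-takes_args = (
-parameters.Str(
-'aciname',
-cli_name='name',
-label=_(u'ACI name'),
-),
-)
-takes_options = (
-parameters.Str(
-'permission',
-required=False,
-label=_(u'Permission'),
-doc=_(u'Permission ACI grants access to'),
-),
-parameters.Str(
-'group',
-required=False,
-label=_(u'User group'),
-doc=_(u'User group ACI grants access to'),
-),
-parameters.Str(
-'permissions',
-required=False,
-multivalue=True,
-label=_(u'Permissions'),
-doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'),
-no_convert=True,
-),
-parameters.Str(
-'attrs',
-required=False,
-multivalue=True,
-label=_(u'Attributes'),
-doc=_(u'Comma-separated list of attributes'),
-),
-parameters.Str(
-'type',
-required=False,
-cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
-label=_(u'Type'),
-doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'),
-),
-parameters.Str(
-'memberof',
-required=False,
-label=_(u'Member of'),
-doc=_(u'Member of a group'),
-),
-parameters.Str(
-'filter',
-required=False,
-label=_(u'Filter'),
-doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
-),
-parameters.Str(
-'subtree',
-required=False,
-label=_(u'Subtree'),
-doc=_(u'Subtree to apply ACI to'),
-),
-parameters.Str(
-'targetgroup',
-required=False,
-label=_(u'Target group'),
-doc=_(u'Group to apply ACI to'),
-),
-parameters.Flag(
-'selfaci',
-required=False,
-cli_name='self',
-label=_(u'Target your own entry (self)'),
-doc=_(u'Apply ACI to your own entry (self)'),
-default=False,
-autofill=True,
-),
-parameters.Str(
-'aciprefix',
-cli_name='prefix',
-cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
-label=_(u'ACI prefix'),
-doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
-),
-parameters.Str(
-'newname',
-doc=_(u'New ACI name'),
-),
-parameters.Flag(
-'all',
-doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
-exclude=('webui',),
-default=False,
-autofill=True,
-),
-parameters.Flag(
-'raw',
-doc=_(u'Print entries as stored on the server. Only affects output format.'),
-exclude=('webui',),
-default=False,
-autofill=True,
-),
-)
-has_output = (
-output.Output(
-'summary',
-(unicode, type(None)),
-doc=_(u'User-friendly description of action performed'),
-),
-output.Entry(
-'result',
-),
-output.Output(
-'value',
-unicode,
-doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
-),
-)
-@register()
-class aci_show(Method):
-__doc__ = _("Display a single ACI given an ACI name.")
-NO_CLI = True
-takes_args = (
-parameters.Str(
-'aciname',
-cli_name='name',
-label=_(u'ACI name'),
-),
-)
-takes_options = (
-parameters.Str(
-'aciprefix',
-cli_name='prefix',
-cli_metavar="['permission', 'delegation', 'selfservice', 'none']",
-label=_(u'ACI prefix'),
-doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'),
-),
-parameters.Flag(
-'all',
-doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
-exclude=('webui',),
-default=False,
-autofill=True,
-),
-parameters.Flag(
-'raw',
-doc=_(u'Print entries as stored on the server. Only affects output format.'),
-exclude=('webui',),
-default=False,
-autofill=True,
-),
-)
-has_output = (
-output.Output(
-'summary',
-(unicode, type(None)),
-doc=_(u'User-friendly description of action performed'),
-),
-output.Entry(
-'result',
-),
-output.Output(
-'value',
-unicode,
-doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
-),
-)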


@@ -1,758 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Auto Membership Rule.
Bring clarity to the membership of hosts and users by configuring inclusive
or exclusive regex patterns, you can automatically assign a new entries into
a group or hostgroup based upon attribute information.
A rule is directly associated with a group by name, so you cannot create
a rule without an accompanying group or hostgroup.
A condition is a regular expression used by 389-ds to match a new incoming
entry with an automember rule. If it matches an inclusive rule then the
entry is added to the appropriate group or hostgroup.
A default group or hostgroup could be specified for entries that do not
match any rule. In case of user entries this group will be a fallback group
because all users are by default members of group specified in IPA config.
EXAMPLES:
Add the initial group or hostgroup:
ipa hostgroup-add --desc="Web Servers" webservers
ipa group-add --desc="Developers" devel
Add the initial rule:
ipa automember-add --type=hostgroup webservers
ipa automember-add --type=group devel
Add a condition to the rule:
ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel
Add an exclusive condition to the rule to prevent auto assignment:
ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
Add a host:
ipa host-add web1.example.com
Add a user:
ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott
Verify automembership:
ipa hostgroup-show webservers
Host-group: webservers
Description: Web Servers
Member hosts: web1.example.com
ipa group-show devel
Group name: devel
Description: Developers
GID: 1004200000
Member users: tuser
Remove a condition from the rule:
ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
Modify the automember rule:
ipa automember-mod
Set the default (fallback) target group:
ipa automember-default-group-set --default-group=webservers --type=hostgroup
ipa automember-default-group-set --default-group=ipausers --type=group
Remove the default (fallback) target group:
ipa automember-default-group-remove --type=hostgroup
ipa automember-default-group-remove --type=group
Show the default (fallback) target group:
ipa automember-default-group-show --type=hostgroup
ipa automember-default-group-show --type=group
Find all of the automember rules:
ipa automember-find
Display a automember rule:
ipa automember-show --type=hostgroup webservers
ipa automember-show --type=group devel
Delete an automember rule:
ipa automember-del --type=hostgroup webservers
ipa automember-del --type=group devel
""")
register = Registry()
@register()
class automember(Object):
takes_params = (
parameters.Str(
'description',
required=False,
label=_(u'Description'),
doc=_(u'A description of this auto member rule'),
),
parameters.Str(
'automemberdefaultgroup',
required=False,
label=_(u'Default (fallback) Group'),
doc=_(u'Default group for entries to land'),
),
)
@register()
class automember_add(Method):
__doc__ = _("Add an automember rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='automember_rule',
label=_(u'Automember Rule'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this auto member rule'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'type',
cli_metavar="['group', 'hostgroup']",
label=_(u'Grouping Type'),
doc=_(u'Grouping to which the rule applies'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class automember_add_condition(Method):
__doc__ = _("Add conditions to an automember rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='automember_rule',
label=_(u'Automember Rule'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this auto member rule'),
),
parameters.Str(
'automemberinclusiveregex',
required=False,
multivalue=True,
cli_name='inclusive_regex',
label=_(u'Inclusive Regex'),
alwaysask=True,
),
parameters.Str(
'automemberexclusiveregex',
required=False,
multivalue=True,
cli_name='exclusive_regex',
label=_(u'Exclusive Regex'),
alwaysask=True,
),
parameters.Str(
'key',
label=_(u'Attribute Key'),
doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'),
),
parameters.Str(
'type',
cli_metavar="['group', 'hostgroup']",
label=_(u'Grouping Type'),
doc=_(u'Grouping to which the rule applies'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
output.Output(
'failed',
dict,
doc=_(u'Conditions that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of conditions added'),
),
)
@register()
class automember_default_group_remove(Method):
__doc__ = _("Remove default (fallback) group for all unmatched entries.")
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this auto member rule'),
),
parameters.Str(
'type',
cli_metavar="['group', 'hostgroup']",
label=_(u'Grouping Type'),
doc=_(u'Grouping to which the rule applies'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class automember_default_group_set(Method):
__doc__ = _("Set default (fallback) group for all unmatched entries.")
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this auto member rule'),
),
parameters.Str(
'automemberdefaultgroup',
cli_name='default_group',
label=_(u'Default (fallback) Group'),
doc=_(u'Default (fallback) group for entries to land'),
),
parameters.Str(
'type',
cli_metavar="['group', 'hostgroup']",
label=_(u'Grouping Type'),
doc=_(u'Grouping to which the rule applies'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class automember_default_group_show(Method):
__doc__ = _("Display information about the default (fallback) automember groups.")
takes_options = (
parameters.Str(
'type',
cli_metavar="['group', 'hostgroup']",
label=_(u'Grouping Type'),
doc=_(u'Grouping to which the rule applies'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class automember_del(Method):
__doc__ = _("Delete an automember rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='automember_rule',
label=_(u'Automember Rule'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'type',
cli_metavar="['group', 'hostgroup']",
label=_(u'Grouping Type'),
doc=_(u'Grouping to which the rule applies'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class automember_find(Method):
__doc__ = _("Search for automember rules.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this auto member rule'),
),
parameters.Str(
'type',
cli_metavar="['group', 'hostgroup']",
label=_(u'Grouping Type'),
doc=_(u'Grouping to which the rule applies'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class automember_mod(Method):
__doc__ = _("Modify an automember rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='automember_rule',
label=_(u'Automember Rule'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this auto member rule'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Str(
'type',
cli_metavar="['group', 'hostgroup']",
label=_(u'Grouping Type'),
doc=_(u'Grouping to which the rule applies'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class automember_remove_condition(Method):
__doc__ = _("Remove conditions from an automember rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='automember_rule',
label=_(u'Automember Rule'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this auto member rule'),
),
parameters.Str(
'automemberinclusiveregex',
required=False,
multivalue=True,
cli_name='inclusive_regex',
label=_(u'Inclusive Regex'),
alwaysask=True,
),
parameters.Str(
'automemberexclusiveregex',
required=False,
multivalue=True,
cli_name='exclusive_regex',
label=_(u'Exclusive Regex'),
alwaysask=True,
),
parameters.Str(
'key',
label=_(u'Attribute Key'),
doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'),
),
parameters.Str(
'type',
cli_metavar="['group', 'hostgroup']",
label=_(u'Grouping Type'),
doc=_(u'Grouping to which the rule applies'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
output.Output(
'failed',
dict,
doc=_(u'Conditions that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of conditions removed'),
),
)
@register()
class automember_show(Method):
__doc__ = _("Display information about an automember rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='automember_rule',
label=_(u'Automember Rule'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'type',
cli_metavar="['group', 'hostgroup']",
label=_(u'Grouping Type'),
doc=_(u'Grouping to which the rule applies'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,69 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Plugin to make multiple ipa calls via one remote procedure call
To run this code in the lite-server
curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json
where the contents of the file batch_request.json follow the below example
{"method":"batch","params":[[
{"method":"group_find","params":[[],{}]},
{"method":"user_find","params":[[],{"whoami":"true","all":"true"}]},
{"method":"user_show","params":[["admin"],{"all":true}]}
],{}],"id":1}
The format of the response is nested the same way. At the top you will see
"error": null,
"id": 1,
"result": {
"count": 3,
"results": [
And then a nested response for each IPA command method sent in the request
""")
register = Registry()
@register()
class batch(Command):
NO_CLI = True
takes_args = (
parameters.Any(
'methods',
required=False,
multivalue=True,
doc=_(u'Nested Methods to execute'),
),
)
has_output = (
output.Output(
'count',
int,
),
output.Output(
'results',
(list, tuple),
),
)


@@ -1,209 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
IPA certificate operations
Implements a set of commands for managing server SSL certificates.
Certificate requests exist in the form of a Certificate Signing Request (CSR)
in PEM format.
If using the selfsign back end then the subject in the CSR needs to match
the subject configured in the server. The dogtag CA uses just the CN
value of the CSR and forces the rest of the subject.
A certificate is stored with a service principal and a service principal
needs a host.
In order to request a certificate:
* The host must exist
* The service must exist (or you use the --add option to automatically add it)
EXAMPLES:
Request a new certificate and add the principal:
ipa cert-request --add --principal=HTTP/lion.example.com example.csr
Retrieve an existing certificate:
ipa cert-show 1032
Revoke a certificate (see RFC 5280 for reason details):
ipa cert-revoke --revocation-reason=6 1032
Remove a certificate from revocation hold status:
ipa cert-remove-hold 1032
Check the status of a signing request:
ipa cert-status 10
IPA currently immediately issues (or declines) all certificate requests so
the status of a request is not normally useful. This is for future use
or the case where a CA does not immediately issue a certificate.
The following revocation reasons are supported:
* 0 - unspecified
* 1 - keyCompromise
* 2 - cACompromise
* 3 - affiliationChanged
* 4 - superseded
* 5 - cessationOfOperation
* 6 - certificateHold
* 8 - removeFromCRL
* 9 - privilegeWithdrawn
* 10 - aACompromise
Note that reason code 7 is not used. See RFC 5280 for more details:
http://www.ietf.org/rfc/rfc5280.txt
""")
register = Registry()
@register()
class cert_remove_hold(Command):
__doc__ = _("Take a revoked certificate off hold.")
takes_args = (
parameters.Str(
'serial_number',
label=_(u'Serial number'),
doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
no_convert=True,
),
)
has_output = (
output.Output(
'result',
),
)
@register()
class cert_request(Command):
__doc__ = _("Submit a certificate signing request.")
takes_args = (
parameters.Str(
'csr',
cli_name='csr_file',
label=_(u'CSR'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'principal',
label=_(u'Principal'),
doc=_(u'Service principal for this certificate (e.g. HTTP/test.example.com)'),
),
parameters.Str(
'request_type',
default=u'pkcs10',
autofill=True,
),
parameters.Flag(
'add',
doc=_(u"automatically add the principal if it doesn't exist"),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'result',
dict,
doc=_(u'Dictionary mapping variable name to value'),
),
)
@register()
class cert_revoke(Command):
__doc__ = _("Revoke a certificate.")
takes_args = (
parameters.Str(
'serial_number',
label=_(u'Serial number'),
doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
no_convert=True,
),
)
takes_options = (
parameters.Int(
'revocation_reason',
label=_(u'Reason'),
doc=_(u'Reason for revoking the certificate (0-10)'),
default=0,
autofill=True,
),
)
has_output = (
output.Output(
'result',
),
)
@register()
class cert_show(Command):
__doc__ = _("Retrieve an existing certificate.")
takes_args = (
parameters.Str(
'serial_number',
label=_(u'Serial number'),
doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'out',
required=False,
label=_(u'Output filename'),
doc=_(u'File to store the certificate in.'),
exclude=('webui',),
),
)
has_output = (
output.Output(
'result',
),
)
@register()
class cert_status(Command):
__doc__ = _("Check the status of a certificate signing request.")
takes_args = (
parameters.Str(
'request_id',
label=_(u'Request id'),
),
)
has_output = (
output.Output(
'result',
),
)


@@ -1,394 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Server configuration
Manage the default values that IPA uses and some of its tuning parameters.
NOTES:
The password notification value (--pwdexpnotify) is stored here so it will
be replicated. It is not currently used to notify users in advance of an
expiring password.
Some attributes are read-only, provided only for information purposes. These
include:
Certificate Subject base: the configured certificate subject base,
e.g. O=EXAMPLE.COM. This is configurable only at install time.
Password plug-in features: currently defines additional hashes that the
password will generate (there may be other conditions).
When setting the order list for mapping SELinux users you may need to
quote the value so it isn't interpreted by the shell.
EXAMPLES:
Show basic server configuration:
ipa config-show
Show all configuration options:
ipa config-show --all
Change maximum username length to 99 characters:
ipa config-mod --maxusername=99
Increase default time and size limits for maximum IPA server search:
ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000
Set default user e-mail domain:
ipa config-mod --emaildomain=example.com
Enable migration mode to make "ipa migrate-ds" command operational:
ipa config-mod --enable-migration=TRUE
Define SELinux user map order:
ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
""")
register = Registry()
@register()
class config(Object):
takes_params = (
parameters.Int(
'ipamaxusernamelength',
label=_(u'Maximum username length'),
),
parameters.Str(
'ipahomesrootdir',
label=_(u'Home directory base'),
doc=_(u'Default location of home directories'),
),
parameters.Str(
'ipadefaultloginshell',
label=_(u'Default shell'),
doc=_(u'Default shell for new users'),
),
parameters.Str(
'ipadefaultprimarygroup',
label=_(u'Default users group'),
doc=_(u'Default group for new users'),
),
parameters.Str(
'ipadefaultemaildomain',
required=False,
label=_(u'Default e-mail domain'),
),
parameters.Int(
'ipasearchtimelimit',
label=_(u'Search time limit'),
doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'),
),
parameters.Int(
'ipasearchrecordslimit',
label=_(u'Search size limit'),
doc=_(u'Maximum number of records to search (-1 is unlimited)'),
),
parameters.Str(
'ipausersearchfields',
label=_(u'User search fields'),
doc=_(u'A comma-separated list of fields to search in when searching for users'),
),
parameters.Str(
'ipagroupsearchfields',
label=_(u'Group search fields'),
doc=_(u'A comma-separated list of fields to search in when searching for groups'),
),
parameters.Bool(
'ipamigrationenabled',
label=_(u'Enable migration mode'),
),
parameters.DNParam(
'ipacertificatesubjectbase',
label=_(u'Certificate Subject base'),
doc=_(u'Base for certificate subjects (OU=Test,O=Example)'),
),
parameters.Str(
'ipagroupobjectclasses',
multivalue=True,
label=_(u'Default group objectclasses'),
doc=_(u'Default group objectclasses (comma-separated list)'),
),
parameters.Str(
'ipauserobjectclasses',
multivalue=True,
label=_(u'Default user objectclasses'),
doc=_(u'Default user objectclasses (comma-separated list)'),
),
parameters.Int(
'ipapwdexpadvnotify',
label=_(u'Password Expiration Notification (days)'),
doc=_(u"Number of days's notice of impending password expiration"),
),
parameters.Str(
'ipaconfigstring',
required=False,
multivalue=True,
label=_(u'Password plugin features'),
doc=_(u'Extra hashes to generate in password plug-in'),
),
parameters.Str(
'ipaselinuxusermaporder',
label=_(u'SELinux user map order'),
doc=_(u'Order in increasing priority of SELinux users, delimited by $'),
),
parameters.Str(
'ipaselinuxusermapdefault',
required=False,
label=_(u'Default SELinux user'),
doc=_(u'Default SELinux user when no match is found in SELinux map rule'),
),
parameters.Str(
'ipakrbauthzdata',
required=False,
multivalue=True,
label=_(u'Default PAC types'),
doc=_(u'Default types of PAC supported for services'),
),
)
@register()
class config_mod(Method):
__doc__ = _("Modify configuration options.")
takes_options = (
parameters.Int(
'ipamaxusernamelength',
required=False,
cli_name='maxusername',
label=_(u'Maximum username length'),
),
parameters.Str(
'ipahomesrootdir',
required=False,
cli_name='homedirectory',
label=_(u'Home directory base'),
doc=_(u'Default location of home directories'),
),
parameters.Str(
'ipadefaultloginshell',
required=False,
cli_name='defaultshell',
label=_(u'Default shell'),
doc=_(u'Default shell for new users'),
),
parameters.Str(
'ipadefaultprimarygroup',
required=False,
cli_name='defaultgroup',
label=_(u'Default users group'),
doc=_(u'Default group for new users'),
),
parameters.Str(
'ipadefaultemaildomain',
required=False,
cli_name='emaildomain',
label=_(u'Default e-mail domain'),
),
parameters.Int(
'ipasearchtimelimit',
required=False,
cli_name='searchtimelimit',
label=_(u'Search time limit'),
doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'),
),
parameters.Int(
'ipasearchrecordslimit',
required=False,
cli_name='searchrecordslimit',
label=_(u'Search size limit'),
doc=_(u'Maximum number of records to search (-1 is unlimited)'),
),
parameters.Str(
'ipausersearchfields',
required=False,
cli_name='usersearch',
label=_(u'User search fields'),
doc=_(u'A comma-separated list of fields to search in when searching for users'),
),
parameters.Str(
'ipagroupsearchfields',
required=False,
cli_name='groupsearch',
label=_(u'Group search fields'),
doc=_(u'A comma-separated list of fields to search in when searching for groups'),
),
parameters.Bool(
'ipamigrationenabled',
required=False,
cli_name='enable_migration',
label=_(u'Enable migration mode'),
),
parameters.Str(
'ipagroupobjectclasses',
required=False,
multivalue=True,
cli_name='groupobjectclasses',
label=_(u'Default group objectclasses'),
doc=_(u'Default group objectclasses (comma-separated list)'),
),
parameters.Str(
'ipauserobjectclasses',
required=False,
multivalue=True,
cli_name='userobjectclasses',
label=_(u'Default user objectclasses'),
doc=_(u'Default user objectclasses (comma-separated list)'),
),
parameters.Int(
'ipapwdexpadvnotify',
required=False,
cli_name='pwdexpnotify',
label=_(u'Password Expiration Notification (days)'),
doc=_(u"Number of days's notice of impending password expiration"),
),
parameters.Str(
'ipaconfigstring',
required=False,
multivalue=True,
cli_metavar="['AllowLMhash', 'AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout']",
label=_(u'Password plugin features'),
doc=_(u'Extra hashes to generate in password plug-in'),
),
parameters.Str(
'ipaselinuxusermaporder',
required=False,
label=_(u'SELinux user map order'),
doc=_(u'Order in increasing priority of SELinux users, delimited by $'),
),
parameters.Str(
'ipaselinuxusermapdefault',
required=False,
label=_(u'Default SELinux user'),
doc=_(u'Default SELinux user when no match is found in SELinux map rule'),
),
parameters.Str(
'ipakrbauthzdata',
required=False,
multivalue=True,
cli_name='pac_type',
cli_metavar="['MS-PAC', 'PAD']",
label=_(u'Default PAC types'),
doc=_(u'Default types of PAC supported for services'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class config_show(Method):
__doc__ = _("Show the current configuration.")
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,384 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Group to Group Delegation
A permission enables fine-grained delegation of permissions. Access Control
Rules, or instructions (ACIs), grant permission to permissions to perform
given tasks such as adding a user, modifying a group, etc.
Group to Group Delegations grants the members of one group to update a set
of attributes of members of another group.
EXAMPLES:
Add a delegation rule to allow managers to edit employee's addresses:
ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"
When managing the list of attributes you need to include all attributes
in the list, including existing ones. Add postalCode to the list:
ipa delegation-mod --attrs=street,postalCode --group=managers --membergroup=employees "managers edit employees' street"
Display our updated rule:
ipa delegation-show "managers edit employees' street"
Delete a rule:
ipa delegation-del "managers edit employees' street"
""")
register = Registry()
@register()
class delegation(Object):
takes_params = (
parameters.Str(
'aciname',
primary_key=True,
label=_(u'Delegation name'),
),
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
),
parameters.Str(
'attrs',
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
),
parameters.Str(
'memberof',
label=_(u'Member user group'),
doc=_(u'User group to apply delegation to'),
),
parameters.Str(
'group',
label=_(u'User group'),
doc=_(u'User group ACI grants access to'),
),
)
@register()
class delegation_add(Method):
__doc__ = _("Add a new delegation.")
takes_args = (
parameters.Str(
'aciname',
cli_name='name',
label=_(u'Delegation name'),
),
)
takes_options = (
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
),
parameters.Str(
'attrs',
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
no_convert=True,
),
parameters.Str(
'memberof',
cli_name='membergroup',
label=_(u'Member user group'),
doc=_(u'User group to apply delegation to'),
),
parameters.Str(
'group',
label=_(u'User group'),
doc=_(u'User group ACI grants access to'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class delegation_del(Method):
__doc__ = _("Delete a delegation.")
takes_args = (
parameters.Str(
'aciname',
cli_name='name',
label=_(u'Delegation name'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
bool,
doc=_(u'True means the operation was successful'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class delegation_find(Method):
__doc__ = _("Search for delegations.")
takes_args = (
parameters.Str(
'criteria',
required=False,
),
)
takes_options = (
parameters.Str(
'aciname',
required=False,
cli_name='name',
label=_(u'Delegation name'),
),
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
no_convert=True,
),
parameters.Str(
'memberof',
required=False,
cli_name='membergroup',
label=_(u'Member user group'),
doc=_(u'User group to apply delegation to'),
),
parameters.Str(
'group',
required=False,
label=_(u'User group'),
doc=_(u'User group ACI grants access to'),
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("name")'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class delegation_mod(Method):
__doc__ = _("Modify a delegation.")
takes_args = (
parameters.Str(
'aciname',
cli_name='name',
label=_(u'Delegation name'),
),
)
takes_options = (
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
no_convert=True,
),
parameters.Str(
'memberof',
required=False,
cli_name='membergroup',
label=_(u'Member user group'),
doc=_(u'User group to apply delegation to'),
),
parameters.Str(
'group',
required=False,
label=_(u'User group'),
doc=_(u'User group ACI grants access to'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class delegation_show(Method):
__doc__ = _("Display information about a delegation.")
takes_args = (
parameters.Str(
'aciname',
cli_name='name',
label=_(u'Delegation name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,383 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Entitlements
Manage entitlements for client machines
Entitlements can be managed either by registering with an entitlement
server with a username and password or by manually importing entitlement
certificates. An entitlement certificate contains embedded information
such as the product being entitled, the quantity and the validity dates.
An entitlement server manages the number of client entitlements available.
To mark these entitlements as used by the IPA server you provide a quantity
and they are marked as consumed on the entitlement server.
Register with an entitlement server:
ipa entitle-register consumer
Import an entitlement certificate:
ipa entitle-import /home/user/ipaclient.pem
Display current entitlements:
ipa entitle-status
Retrieve details on entitlement certificates:
ipa entitle-get
Consume some entitlements from the entitlement server:
ipa entitle-consume 50
The registration ID is a Unique Identifier (UUID). This ID will be
IMPORTED if you have used entitle-import.
Changes to /etc/rhsm/rhsm.conf require a restart of the httpd service.
""")
register = Registry()
@register()
class entitle(Object):
takes_params = (
)
@register()
class entitle_consume(Method):
__doc__ = _("Consume an entitlement.")
takes_args = (
parameters.Int(
'quantity',
label=_(u'Quantity'),
),
)
takes_options = (
parameters.Int(
'hidden',
label=_(u'Quantity'),
exclude=('cli', 'webui'),
default=1,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class entitle_find(Method):
__doc__ = _("Search for entitlement accounts.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class entitle_get(Command):
__doc__ = _("Retrieve the entitlement certs.")
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class entitle_import(Method):
__doc__ = _("Import an entitlement certificate.")
takes_args = (
parameters.Str(
'usercertificate',
required=False,
multivalue=True,
cli_name='certificate_file',
),
)
takes_options = (
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'uuid',
required=False,
label=_(u'UUID'),
doc=_(u'Enrollment UUID'),
default=u'IMPORTED',
autofill=True,
),
)
has_output = (
output.Output(
'result',
dict,
doc=_(u'Dictionary mapping variable name to value'),
),
)
@register()
class entitle_register(Method):
__doc__ = _("Register to the entitlement system.")
takes_args = (
parameters.Str(
'username',
label=_(u'Username'),
),
)
takes_options = (
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'ipaentitlementid',
required=False,
label=_(u'UUID'),
doc=_(u'Enrollment UUID (not implemented)'),
),
parameters.Password(
'password',
label=_(u'Password'),
doc=_(u'Registration password'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class entitle_status(Command):
__doc__ = _("Display current entitlements.")
has_output = (
output.Output(
'result',
dict,
doc=_(u'Dictionary mapping variable name to value'),
),
)
@register()
class entitle_sync(Method):
__doc__ = _("Re-sync the local entitlement cache with the entitlement server.")
takes_options = (
parameters.Int(
'hidden',
label=_(u'Quantity'),
exclude=('cli', 'webui'),
default=1,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@@ -1,854 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Groups of users
Manage groups of users. By default, new groups are POSIX groups. You
can add the --nonposix option to the group-add command to mark a new group
as non-POSIX. You can use the --posix argument with the group-mod command
to convert a non-POSIX group into a POSIX group. POSIX groups cannot be
converted to non-POSIX groups.
Every group must have a description.
POSIX groups must have a Group ID (GID) number. Changing a GID is
supported but can have an impact on your file permissions. It is not necessary
to supply a GID when creating a group. IPA will generate one automatically
if it is not provided.
EXAMPLES:
Add a new group:
ipa group-add --desc='local administrators' localadmins
Add a new non-POSIX group:
ipa group-add --nonposix --desc='remote administrators' remoteadmins
Convert a non-POSIX group to posix:
ipa group-mod --posix remoteadmins
Add a new POSIX group with a specific Group ID number:
ipa group-add --gid=500 --desc='unix admins' unixadmins
Add a new POSIX group and let IPA assign a Group ID number:
ipa group-add --desc='printer admins' printeradmins
Remove a group:
ipa group-del unixadmins
To add the "remoteadmins" group to the "localadmins" group:
ipa group-add-member --groups=remoteadmins localadmins
Add a list of users to the "localadmins" group:
ipa group-add-member --users=test1,test2 localadmins
Remove a user from the "localadmins" group:
ipa group-remove-member --users=test2 localadmins
Display information about a named group.
ipa group-show localadmins
External group membership is designed to allow users from trusted domains
to be mapped to local POSIX groups in order to actually use IPA resources.
External members should be added to groups that specifically created as
external and non-POSIX. Such group later should be included into one of POSIX
groups.
An external group member is currently a Security Identifier (SID) as defined by
the trusted domain. When adding external group members, it is possible to
specify them in either SID, or DOM\name, or name@domain format. IPA will attempt
to resolve passed name to SID with the use of Global Catalog of the trusted domain.
Example:
1. Create group for the trusted domain admins' mapping and their local POSIX group:
ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
ipa group-add --desc='<ad.domain> admins' ad_admins
2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
group:
ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
ipa group-add-member ad_admins --groups ad_admins_external
4. List members of external members of ad_admins_external group to see their SIDs:
ipa group-show ad_admins_external
""")
register = Registry()
@register()
class group(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Group name'),
),
parameters.Str(
'description',
label=_(u'Description'),
doc=_(u'Group description'),
),
parameters.Int(
'gidnumber',
required=False,
label=_(u'GID'),
doc=_(u'GID (use this option to set it manually)'),
),
parameters.Str(
'member_user',
required=False,
label=_(u'Member users'),
),
parameters.Str(
'member_group',
required=False,
label=_(u'Member groups'),
),
parameters.Str(
'memberof_group',
required=False,
label=_(u'Member of groups'),
),
parameters.Str(
'memberof_role',
required=False,
label=_(u'Roles'),
),
parameters.Str(
'memberof_netgroup',
required=False,
label=_(u'Member of netgroups'),
),
parameters.Str(
'memberof_sudorule',
required=False,
label=_(u'Member of Sudo rule'),
),
parameters.Str(
'memberof_hbacrule',
required=False,
label=_(u'Member of HBAC rule'),
),
parameters.Str(
'memberindirect_user',
required=False,
label=_(u'Indirect Member users'),
),
parameters.Str(
'memberindirect_group',
required=False,
label=_(u'Indirect Member groups'),
),
parameters.Str(
'memberofindirect_group',
required=False,
label=_(u'Indirect Member of group'),
),
parameters.Str(
'memberofindirect_netgroup',
required=False,
label=_(u'Indirect Member of netgroup'),
),
parameters.Str(
'memberofindirect_role',
required=False,
label=_(u'Indirect Member of role'),
),
parameters.Str(
'memberofindirect_sudorule',
required=False,
label=_(u'Indirect Member of Sudo rule'),
),
parameters.Str(
'memberofindirect_hbacrule',
required=False,
label=_(u'Indirect Member of HBAC rule'),
),
)
@register()
class group_add(Method):
__doc__ = _("Create a new group.")
takes_args = (
parameters.Str(
'cn',
cli_name='group_name',
label=_(u'Group name'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
cli_name='desc',
label=_(u'Description'),
doc=_(u'Group description'),
),
parameters.Int(
'gidnumber',
required=False,
cli_name='gid',
label=_(u'GID'),
doc=_(u'GID (use this option to set it manually)'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'nonposix',
doc=_(u'Create as a non-POSIX group'),
default=False,
autofill=True,
),
parameters.Flag(
'external',
doc=_(u'Allow adding external non-IPA members from trusted domains'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class group_add_member(Method):
__doc__ = _("Add members to a group.")
takes_args = (
parameters.Str(
'cn',
cli_name='group_name',
label=_(u'Group name'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'ipaexternalmember',
required=False,
multivalue=True,
cli_name='external',
label=_(u'External member'),
doc=_(u'comma-separated list of members of a trusted domain in DOM\\name or name@domain form'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'user',
required=False,
multivalue=True,
cli_name='users',
label=_(u'member user'),
doc=_(u'comma-separated list of users to add'),
alwaysask=True,
),
parameters.Str(
'group',
required=False,
multivalue=True,
cli_name='groups',
label=_(u'member group'),
doc=_(u'comma-separated list of groups to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class group_del(Method):
__doc__ = _("Delete group.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='group_name',
label=_(u'Group name'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class group_detach(Method):
__doc__ = _("Detach a managed group from a user.")
takes_args = (
parameters.Str(
'cn',
cli_name='group_name',
label=_(u'Group name'),
no_convert=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
bool,
doc=_(u'True means the operation was successful'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class group_find(Method):
__doc__ = _("Search for groups.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='group_name',
label=_(u'Group name'),
no_convert=True,
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'Group description'),
),
parameters.Int(
'gidnumber',
required=False,
cli_name='gid',
label=_(u'GID'),
doc=_(u'GID (use this option to set it manually)'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'private',
doc=_(u'search for private groups'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("group-name")'),
default=False,
autofill=True,
),
parameters.Str(
'user',
required=False,
multivalue=True,
cli_name='users',
label=_(u'user'),
doc=_(u'Search for groups with these member users.'),
),
parameters.Str(
'no_user',
required=False,
multivalue=True,
cli_name='no_users',
label=_(u'user'),
doc=_(u'Search for groups without these member users.'),
),
parameters.Str(
'group',
required=False,
multivalue=True,
cli_name='groups',
label=_(u'group'),
doc=_(u'Search for groups with these member groups.'),
),
parameters.Str(
'no_group',
required=False,
multivalue=True,
cli_name='no_groups',
label=_(u'group'),
doc=_(u'Search for groups without these member groups.'),
),
parameters.Str(
'in_group',
required=False,
multivalue=True,
cli_name='in_groups',
label=_(u'group'),
doc=_(u'Search for groups with these member of groups.'),
),
parameters.Str(
'not_in_group',
required=False,
multivalue=True,
cli_name='not_in_groups',
label=_(u'group'),
doc=_(u'Search for groups without these member of groups.'),
),
parameters.Str(
'in_netgroup',
required=False,
multivalue=True,
cli_name='in_netgroups',
label=_(u'netgroup'),
doc=_(u'Search for groups with these member of netgroups.'),
),
parameters.Str(
'not_in_netgroup',
required=False,
multivalue=True,
cli_name='not_in_netgroups',
label=_(u'netgroup'),
doc=_(u'Search for groups without these member of netgroups.'),
),
parameters.Str(
'in_role',
required=False,
multivalue=True,
cli_name='in_roles',
label=_(u'role'),
doc=_(u'Search for groups with these member of roles.'),
),
parameters.Str(
'not_in_role',
required=False,
multivalue=True,
cli_name='not_in_roles',
label=_(u'role'),
doc=_(u'Search for groups without these member of roles.'),
),
parameters.Str(
'in_hbacrule',
required=False,
multivalue=True,
cli_name='in_hbacrules',
label=_(u'HBAC rule'),
doc=_(u'Search for groups with these member of HBAC rules.'),
),
parameters.Str(
'not_in_hbacrule',
required=False,
multivalue=True,
cli_name='not_in_hbacrules',
label=_(u'HBAC rule'),
doc=_(u'Search for groups without these member of HBAC rules.'),
),
parameters.Str(
'in_sudorule',
required=False,
multivalue=True,
cli_name='in_sudorules',
label=_(u'sudo rule'),
doc=_(u'Search for groups with these member of sudo rules.'),
),
parameters.Str(
'not_in_sudorule',
required=False,
multivalue=True,
cli_name='not_in_sudorules',
label=_(u'sudo rule'),
doc=_(u'Search for groups without these member of sudo rules.'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class group_mod(Method):
__doc__ = _("Modify a group.")
takes_args = (
parameters.Str(
'cn',
cli_name='group_name',
label=_(u'Group name'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'Group description'),
),
parameters.Int(
'gidnumber',
required=False,
cli_name='gid',
label=_(u'GID'),
doc=_(u'GID (use this option to set it manually)'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'posix',
doc=_(u'change to a POSIX group'),
default=False,
autofill=True,
),
parameters.Flag(
'external',
doc=_(u'change to support external non-IPA members from trusted domains'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'rename',
required=False,
label=_(u'Rename'),
doc=_(u'Rename the group object'),
no_convert=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class group_remove_member(Method):
__doc__ = _("Remove members from a group.")
takes_args = (
parameters.Str(
'cn',
cli_name='group_name',
label=_(u'Group name'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'ipaexternalmember',
required=False,
multivalue=True,
cli_name='external',
label=_(u'External member'),
doc=_(u'comma-separated list of members of a trusted domain in DOM\\name or name@domain form'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'user',
required=False,
multivalue=True,
cli_name='users',
label=_(u'member user'),
doc=_(u'comma-separated list of users to remove'),
alwaysask=True,
),
parameters.Str(
'group',
required=False,
multivalue=True,
cli_name='groups',
label=_(u'member group'),
doc=_(u'comma-separated list of groups to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class group_show(Method):
__doc__ = _("Display information about a named group.")
takes_args = (
parameters.Str(
'cn',
cli_name='group_name',
label=_(u'Group name'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@@ -1,390 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
HBAC Services
The PAM services that HBAC can control access to. The name used here
must match the service name that PAM is evaluating.
EXAMPLES:
Add a new HBAC service:
ipa hbacsvc-add tftp
Modify an existing HBAC service:
ipa hbacsvc-mod --desc="TFTP service" tftp
Search for HBAC services. This example will return two results, the FTP
service and the newly-added tftp service:
ipa hbacsvc-find ftp
Delete an HBAC service:
ipa hbacsvc-del tftp
""")
register = Registry()
@register()
class hbacsvc(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Service name'),
doc=_(u'HBAC service'),
),
parameters.Str(
'description',
required=False,
label=_(u'Description'),
doc=_(u'HBAC service description'),
),
parameters.Str(
'memberof_hbacsvcgroup',
required=False,
label=_(u'Member of HBAC service groups'),
),
)
@register()
class hbacsvc_add(Method):
__doc__ = _("Add a new HBAC service.")
takes_args = (
parameters.Str(
'cn',
cli_name='service',
label=_(u'Service name'),
doc=_(u'HBAC service'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'HBAC service description'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class hbacsvc_del(Method):
__doc__ = _("Delete an existing HBAC service.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='service',
label=_(u'Service name'),
doc=_(u'HBAC service'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class hbacsvc_find(Method):
__doc__ = _("Search for HBAC services.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='service',
label=_(u'Service name'),
doc=_(u'HBAC service'),
no_convert=True,
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'HBAC service description'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("service")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class hbacsvc_mod(Method):
__doc__ = _("Modify an HBAC service.")
takes_args = (
parameters.Str(
'cn',
cli_name='service',
label=_(u'Service name'),
doc=_(u'HBAC service'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'HBAC service description'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class hbacsvc_show(Method):
__doc__ = _("Display information about an HBAC service.")
takes_args = (
parameters.Str(
'cn',
cli_name='service',
label=_(u'Service name'),
doc=_(u'HBAC service'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@@ -1,493 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
HBAC Service Groups
HBAC service groups can contain any number of individual services,
or "members". Every group must have a description.
EXAMPLES:
Add a new HBAC service group:
ipa hbacsvcgroup-add --desc="login services" login
Add members to an HBAC service group:
ipa hbacsvcgroup-add-member --hbacsvcs=sshd,login login
Display information about a named group:
ipa hbacsvcgroup-show login
Add a new group to the "login" group:
ipa hbacsvcgroup-add --desc="switch users" login
ipa hbacsvcgroup-add-member --hbacsvcs=su,su-l login
Delete an HBAC service group:
ipa hbacsvcgroup-del login
""")
register = Registry()
@register()
class hbacsvcgroup(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Service group name'),
),
parameters.Str(
'description',
label=_(u'Description'),
doc=_(u'HBAC service group description'),
),
parameters.Str(
'member_hbacsvc',
required=False,
label=_(u'Member HBAC service'),
),
)
@register()
class hbacsvcgroup_add(Method):
__doc__ = _("Add a new HBAC service group.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Service group name'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
cli_name='desc',
label=_(u'Description'),
doc=_(u'HBAC service group description'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class hbacsvcgroup_add_member(Method):
__doc__ = _("Add members to an HBAC service group.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Service group name'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'hbacsvc',
required=False,
multivalue=True,
cli_name='hbacsvcs',
label=_(u'member HBAC service'),
doc=_(u'comma-separated list of HBAC services to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class hbacsvcgroup_del(Method):
__doc__ = _("Delete an HBAC service group.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='name',
label=_(u'Service group name'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class hbacsvcgroup_find(Method):
__doc__ = _("Search for an HBAC service group.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='name',
label=_(u'Service group name'),
no_convert=True,
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'HBAC service group description'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("name")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class hbacsvcgroup_mod(Method):
__doc__ = _("Modify an HBAC service group.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Service group name'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'HBAC service group description'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class hbacsvcgroup_remove_member(Method):
__doc__ = _("Remove members from an HBAC service group.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Service group name'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'hbacsvc',
required=False,
multivalue=True,
cli_name='hbacsvcs',
label=_(u'member HBAC service'),
doc=_(u'comma-separated list of HBAC services to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class hbacsvcgroup_show(Method):
__doc__ = _("Display information about an HBAC service group.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Service group name'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,213 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Simulate use of Host-based access controls
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups can access a service,
or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming to a service on a named host against
existing enabled rules.
ipa hbactest --user= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
[--srchost= ] [--sizelimit= ]
--user, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
By default there is a IPA-wide limit to number of entries fetched, you can change it
with --sizelimit option.
If --srchost is specified, it will be ignored. It is left because of compatibility reasons only.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --host=bar --service=sshd
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --host=bar --service=sshd --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --host=bar --service=sshd --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
""")
register = Registry()
@register()
class hbactest(Command):
__doc__ = _("Simulate use of Host-based access controls")
takes_options = (
parameters.Str(
'user',
label=_(u'User name'),
),
parameters.Str(
'sourcehost',
required=False,
cli_name='srchost',
label=_(u'Source host'),
),
parameters.Str(
'targethost',
cli_name='host',
label=_(u'Target host'),
),
parameters.Str(
'service',
label=_(u'Service'),
),
parameters.Str(
'rules',
required=False,
multivalue=True,
label=_(u'Rules to test. If not specified, --enabled is assumed'),
),
parameters.Flag(
'nodetail',
required=False,
label=_(u'Hide details which rules are matched, not matched, or invalid'),
default=False,
autofill=True,
),
parameters.Flag(
'enabled',
required=False,
label=_(u'Include all enabled IPA rules into test [default]'),
default=False,
autofill=True,
),
parameters.Flag(
'disabled',
required=False,
label=_(u'Include all disabled IPA rules into test'),
default=False,
autofill=True,
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of rules to process when no --rules is specified'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'warning',
(list, tuple, type(None)),
doc=_(u'Warning'),
),
output.Output(
'matched',
(list, tuple, type(None)),
doc=_(u'Matched rules'),
),
output.Output(
'notmatched',
(list, tuple, type(None)),
doc=_(u'Not matched rules'),
),
output.Output(
'error',
(list, tuple, type(None)),
doc=_(u'Non-existent or invalid rules'),
),
output.Output(
'value',
bool,
doc=_(u'Result of simulation'),
),
)



@@ -1,670 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Groups of hosts.
Manage groups of hosts. This is useful for applying access control to a
number of hosts by using Host-based Access Control.
EXAMPLES:
Add a new host group:
ipa hostgroup-add --desc="Baltimore hosts" baltimore
Add another new host group:
ipa hostgroup-add --desc="Maryland hosts" maryland
Add members to the hostgroup:
ipa hostgroup-add-member --hosts=box1,box2,box3 baltimore
Add a hostgroup as a member of another hostgroup:
ipa hostgroup-add-member --hostgroups=baltimore maryland
Remove a host from the hostgroup:
ipa hostgroup-remove-member --hosts=box2 baltimore
Display a host group:
ipa hostgroup-show baltimore
Delete a hostgroup:
ipa hostgroup-del baltimore
""")
register = Registry()
@register()
class hostgroup(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Host-group'),
doc=_(u'Name of host-group'),
),
parameters.Str(
'description',
label=_(u'Description'),
doc=_(u'A description of this host-group'),
),
parameters.Str(
'member_host',
required=False,
label=_(u'Member hosts'),
),
parameters.Str(
'member_hostgroup',
required=False,
label=_(u'Member host-groups'),
),
parameters.Str(
'memberof_hostgroup',
required=False,
label=_(u'Member of host-groups'),
),
parameters.Str(
'memberof_netgroup',
required=False,
label=_(u'Member of netgroups'),
),
parameters.Str(
'memberof_sudorule',
required=False,
label=_(u'Member of Sudo rule'),
),
parameters.Str(
'memberof_hbacrule',
required=False,
label=_(u'Member of HBAC rule'),
),
parameters.Str(
'memberindirect_host',
required=False,
label=_(u'Indirect Member hosts'),
),
parameters.Str(
'memberindirect_hostgroup',
required=False,
label=_(u'Indirect Member host-groups'),
),
parameters.Str(
'memberofindirect_hostgroup',
required=False,
label=_(u'Indirect Member of host-group'),
),
parameters.Str(
'memberofindirect_sudorule',
required=False,
label=_(u'Indirect Member of Sudo rule'),
),
parameters.Str(
'memberofindirect_hbacrule',
required=False,
label=_(u'Indirect Member of HBAC rule'),
),
)
@register()
class hostgroup_add(Method):
__doc__ = _("Add a new hostgroup.")
takes_args = (
parameters.Str(
'cn',
cli_name='hostgroup_name',
label=_(u'Host-group'),
doc=_(u'Name of host-group'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this host-group'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class hostgroup_add_member(Method):
__doc__ = _("Add members to a hostgroup.")
takes_args = (
parameters.Str(
'cn',
cli_name='hostgroup_name',
label=_(u'Host-group'),
doc=_(u'Name of host-group'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'member host'),
doc=_(u'comma-separated list of hosts to add'),
alwaysask=True,
),
parameters.Str(
'hostgroup',
required=False,
multivalue=True,
cli_name='hostgroups',
label=_(u'member host group'),
doc=_(u'comma-separated list of host groups to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class hostgroup_del(Method):
__doc__ = _("Delete a hostgroup.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='hostgroup_name',
label=_(u'Host-group'),
doc=_(u'Name of host-group'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class hostgroup_find(Method):
__doc__ = _("Search for hostgroups.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='hostgroup_name',
label=_(u'Host-group'),
doc=_(u'Name of host-group'),
no_convert=True,
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this host-group'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'),
default=False,
autofill=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'host'),
doc=_(u'Search for host groups with these member hosts.'),
),
parameters.Str(
'no_host',
required=False,
multivalue=True,
cli_name='no_hosts',
label=_(u'host'),
doc=_(u'Search for host groups without these member hosts.'),
),
parameters.Str(
'hostgroup',
required=False,
multivalue=True,
cli_name='hostgroups',
label=_(u'host group'),
doc=_(u'Search for host groups with these member host groups.'),
),
parameters.Str(
'no_hostgroup',
required=False,
multivalue=True,
cli_name='no_hostgroups',
label=_(u'host group'),
doc=_(u'Search for host groups without these member host groups.'),
),
parameters.Str(
'in_hostgroup',
required=False,
multivalue=True,
cli_name='in_hostgroups',
label=_(u'host group'),
doc=_(u'Search for host groups with these member of host groups.'),
),
parameters.Str(
'not_in_hostgroup',
required=False,
multivalue=True,
cli_name='not_in_hostgroups',
label=_(u'host group'),
doc=_(u'Search for host groups without these member of host groups.'),
),
parameters.Str(
'in_netgroup',
required=False,
multivalue=True,
cli_name='in_netgroups',
label=_(u'netgroup'),
doc=_(u'Search for host groups with these member of netgroups.'),
),
parameters.Str(
'not_in_netgroup',
required=False,
multivalue=True,
cli_name='not_in_netgroups',
label=_(u'netgroup'),
doc=_(u'Search for host groups without these member of netgroups.'),
),
parameters.Str(
'in_hbacrule',
required=False,
multivalue=True,
cli_name='in_hbacrules',
label=_(u'HBAC rule'),
doc=_(u'Search for host groups with these member of HBAC rules.'),
),
parameters.Str(
'not_in_hbacrule',
required=False,
multivalue=True,
cli_name='not_in_hbacrules',
label=_(u'HBAC rule'),
doc=_(u'Search for host groups without these member of HBAC rules.'),
),
parameters.Str(
'in_sudorule',
required=False,
multivalue=True,
cli_name='in_sudorules',
label=_(u'sudo rule'),
doc=_(u'Search for host groups with these member of sudo rules.'),
),
parameters.Str(
'not_in_sudorule',
required=False,
multivalue=True,
cli_name='not_in_sudorules',
label=_(u'sudo rule'),
doc=_(u'Search for host groups without these member of sudo rules.'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class hostgroup_mod(Method):
__doc__ = _("Modify a hostgroup.")
takes_args = (
parameters.Str(
'cn',
cli_name='hostgroup_name',
label=_(u'Host-group'),
doc=_(u'Name of host-group'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this host-group'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class hostgroup_remove_member(Method):
__doc__ = _("Remove members from a hostgroup.")
takes_args = (
parameters.Str(
'cn',
cli_name='hostgroup_name',
label=_(u'Host-group'),
doc=_(u'Name of host-group'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'member host'),
doc=_(u'comma-separated list of hosts to remove'),
alwaysask=True,
),
parameters.Str(
'hostgroup',
required=False,
multivalue=True,
cli_name='hostgroups',
label=_(u'member host group'),
doc=_(u'comma-separated list of host groups to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class hostgroup_show(Method):
__doc__ = _("Display information about a hostgroup.")
takes_args = (
parameters.Str(
'cn',
cli_name='hostgroup_name',
label=_(u'Host-group'),
doc=_(u'Name of host-group'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,609 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
ID ranges
Manage ID ranges used to map Posix IDs to SIDs and back.
There are two type of ID ranges which are both handled by this utility:
- the ID ranges of the local domain
- the ID ranges of trusted remote domains
Both types have the following attributes in common:
- base-id: the first ID of the Posix ID range
- range-size: the size of the range
With those two attributes a range object can reserve the Posix IDs starting
with base-id up to but not including base-id+range-size exclusively.
Additionally an ID range of the local domain may set
- rid-base: the first RID(*) of the corresponding RID range
- secondary-rid-base: first RID of the secondary RID range
and an ID range of a trusted domain must set
- rid-base: the first RID of the corresponding RID range
- dom_sid: domain SID of the trusted domain
EXAMPLE: Add a new ID range for a trusted domain
Since there might be more than one trusted domain the domain SID must be given
while creating the ID range.
ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 \
--dom-sid=S-1-5-21-123-456-789 trusted_dom_range
This ID range is then used by the IPA server and the SSSD IPA provider to
assign Posix UIDs to users from the trusted domain.
If e.g. a range for a trusted domain is configured with the following values:
base-id = 1200000
range-size = 200000
rid-base = 0
the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 13999999. So
RID 1000 <-> Posix ID 1201000
EXAMPLE: Add a new ID range for the local domain
To create an ID range for the local domain it is not necessary to specify a
domain SID. But since it is possible that a user and a group can have the same
value as Posix ID a second RID interval is needed to handle conflicts.
ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000 \
--secondary-rid-base=1000000 local_range
The data from the ID ranges of the local domain are used by the IPA server
internally to assign SIDs to IPA users and groups. The SID will then be stored
in the user or group objects.
If e.g. the ID range for the local domain is configured with the values from
the example above then a new user with the UID 1200007 will get the RID 1007.
If this RID is already used by a group the RID will be 1000007. This can only
happen if a user or a group object was created with a fixed ID because the
automatic assignment will not assign the same ID twice. Since there are only
users and groups sharing the same ID namespace it is sufficient to have only
one fallback range to handle conflicts.
To find the Posix ID for a given RID from the local domain it has to be
checked first if the RID falls in the primary or secondary RID range and
the rid-base or the secondary-rid-base has to be subtracted, respectively,
and the base-id has to be added to get the Posix ID.
Typically the creation of ID ranges happens behind the scenes and this CLI
must not be used at all. The ID range for the local domain will be created
during installation or upgrade from an older version. The ID range for a
trusted domain will be created together with the trust by 'ipa trust-add ...'.
USE CASES:
Add an ID range from a transitively trusted domain
If the trusted domain (A) trusts another domain (B) as well and this trust
is transitive 'ipa trust-add domain-A' will only create a range for
domain A. The ID range for domain B must be added manually.
Add an additional ID range for the local domain
If the ID range of the local domain is exhausted, i.e. no new IDs can be
assigned to Posix users or groups by the DNA plugin, a new range has to be
created to allow new users and groups to be added. (Currently there is no
connection between this range CLI and the DNA plugin, but a future version
might be able to modify the configuration of the DNS plugin as well)
In general it is not necessary to modify or delete ID ranges. If there is no
other way to achieve a certain configuration than to modify or delete an ID
range it should be done with great care. Because UIDs are stored in the file
system and are used for access control it might be possible that users are
allowed to access files of other users if an ID range got deleted and reused
for a different domain.
(*) The RID is typically the last integer of a user or group SID which follows
the domain SID. E.g. if the domain SID is S-1-5-21-123-456-789 and a user from
this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the
user. RIDs are unique in a domain, 32bit values and are used for users and
groups.
WARNING:
DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
local domain. Currently the DNA plugin *cannot* be reconfigured itself based
on the local ranges set via this family of commands.
Manual configuration change has to be done in the DNA plugin configuration for
the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
modified to match the new range.
""")
register = Registry()
@register()
class idrange(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Range name'),
),
parameters.Int(
'ipabaseid',
label=_(u'First Posix ID of the range'),
),
parameters.Int(
'ipaidrangesize',
label=_(u'Number of IDs in the range'),
),
parameters.Int(
'ipabaserid',
required=False,
label=_(u'First RID of the corresponding RID range'),
),
parameters.Int(
'ipasecondarybaserid',
required=False,
label=_(u'First RID of the secondary RID range'),
),
parameters.Str(
'ipanttrusteddomainsid',
required=False,
label=_(u'Domain SID of the trusted domain'),
),
parameters.Str(
'iparangetype',
required=False,
label=_(u'Range type'),
),
)
@register()
class idrange_add(Method):
__doc__ = _("""
Add new ID range.
To add a new ID range you always have to specify
--base-id
--range-size
Additionally
--rid-base
--secondary-rid-base
may be given for a new ID range for the local domain while
--rid-bas
--dom-sid
must be given to add a new range for a trusted AD domain.
WARNING:
DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
local domain. Currently the DNA plugin *cannot* be reconfigured itself based
on the local ranges set via this family of commands.
Manual configuration change has to be done in the DNA plugin configuration for
the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
modified to match the new range.
""")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Range name'),
),
)
takes_options = (
parameters.Int(
'ipabaseid',
cli_name='base_id',
label=_(u'First Posix ID of the range'),
),
parameters.Int(
'ipaidrangesize',
cli_name='range_size',
label=_(u'Number of IDs in the range'),
),
parameters.Int(
'ipabaserid',
required=False,
cli_name='rid_base',
label=_(u'First RID of the corresponding RID range'),
),
parameters.Int(
'ipasecondarybaserid',
required=False,
cli_name='secondary_rid_base',
label=_(u'First RID of the secondary RID range'),
),
parameters.Str(
'ipanttrusteddomainsid',
required=False,
cli_name='dom_sid',
label=_(u'Domain SID of the trusted domain'),
),
parameters.Str(
'iparangetype',
required=False,
label=_(u'Range type'),
exclude=('cli', 'webui'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class idrange_del(Method):
__doc__ = _("Delete an ID range.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='name',
label=_(u'Range name'),
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class idrange_find(Method):
__doc__ = _("Search for ranges.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='name',
label=_(u'Range name'),
),
parameters.Int(
'ipabaseid',
required=False,
cli_name='base_id',
label=_(u'First Posix ID of the range'),
),
parameters.Int(
'ipaidrangesize',
required=False,
cli_name='range_size',
label=_(u'Number of IDs in the range'),
),
parameters.Int(
'ipabaserid',
required=False,
cli_name='rid_base',
label=_(u'First RID of the corresponding RID range'),
),
parameters.Int(
'ipasecondarybaserid',
required=False,
cli_name='secondary_rid_base',
label=_(u'First RID of the secondary RID range'),
),
parameters.Str(
'ipanttrusteddomainsid',
required=False,
cli_name='dom_sid',
label=_(u'Domain SID of the trusted domain'),
),
parameters.Str(
'iparangetype',
required=False,
label=_(u'Range type'),
exclude=('cli', 'webui'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("name")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class idrange_mod(Method):
__doc__ = _("Modify ID range.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Range name'),
),
)
takes_options = (
parameters.Int(
'ipabaseid',
required=False,
cli_name='base_id',
label=_(u'First Posix ID of the range'),
),
parameters.Int(
'ipaidrangesize',
required=False,
cli_name='range_size',
label=_(u'Number of IDs in the range'),
),
parameters.Int(
'ipabaserid',
required=False,
cli_name='rid_base',
label=_(u'First RID of the corresponding RID range'),
),
parameters.Int(
'ipasecondarybaserid',
required=False,
cli_name='secondary_rid_base',
label=_(u'First RID of the secondary RID range'),
),
parameters.Str(
'ipanttrusteddomainsid',
required=False,
cli_name='dom_sid',
label=_(u'Domain SID of the trusted domain'),
),
parameters.Str(
'iparangetype',
required=False,
label=_(u'Range type'),
exclude=('cli', 'webui'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class idrange_show(Method):
__doc__ = _("Display information about a range.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Range name'),
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,90 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Plugins not accessible directly through the CLI, commands used internally
""")
register = Registry()
@register()
class i18n_messages(Command):
NO_CLI = True
has_output = (
output.Output(
'messages',
dict,
doc=_(u'Dict of I18N messages'),
),
)
@register()
class json_metadata(Command):
__doc__ = _("Export plugin meta-data for the webUI.")
NO_CLI = True
takes_args = (
parameters.Str(
'objname',
required=False,
doc=_(u'Name of object to export'),
),
parameters.Str(
'methodname',
required=False,
doc=_(u'Name of method to export'),
),
)
takes_options = (
parameters.Str(
'object',
required=False,
doc=_(u'Name of object to export'),
),
parameters.Str(
'method',
required=False,
doc=_(u'Name of method to export'),
),
parameters.Str(
'command',
required=False,
doc=_(u'Name of command to export'),
),
)
has_output = (
output.Output(
'objects',
dict,
doc=_(u'Dict of JSON encoded IPA Objects'),
),
output.Output(
'methods',
dict,
doc=_(u'Dict of JSON encoded IPA Methods'),
),
output.Output(
'commands',
dict,
doc=_(u'Dict of JSON encoded IPA Commands'),
),
)


@@ -1,64 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Joining an IPA domain
""")
register = Registry()
@register()
class join(Command):
__doc__ = _("Join an IPA domain")
takes_args = (
parameters.Str(
'cn',
cli_name='hostname',
doc=_(u'The hostname to register as'),
default_from=DefaultFrom(lambda : None),
# FIXME:
# lambda: unicode(installutils.get_fqdn())
autofill=True,
),
)
takes_options = (
parameters.Str(
'realm',
doc=_(u'The IPA realm'),
default_from=DefaultFrom(lambda : None),
# FIXME:
# lambda: get_realm()
autofill=True,
),
parameters.Str(
'nshardwareplatform',
required=False,
cli_name='platform',
doc=_(u'Hardware platform of the host (e.g. Lenovo T61)'),
),
parameters.Str(
'nsosversion',
required=False,
cli_name='os',
doc=_(u'Operating System and version of the host (e.g. Fedora 9)'),
),
)
has_output = (
)


@@ -1,269 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Kerberos ticket policy
There is a single Kerberos ticket policy. This policy defines the
maximum ticket lifetime and the maximum renewal age, the period during
which the ticket is renewable.
You can also create a per-user ticket policy by specifying the user login.
For changes to the global policy to take effect, restarting the KDC service
is required, which can be achieved using:
service krb5kdc restart
Changes to per-user policies take effect immediately for newly requested
tickets (e.g. when the user next runs kinit).
EXAMPLES:
Display the current Kerberos ticket policy:
ipa krbtpolicy-show
Reset the policy to the default:
ipa krbtpolicy-reset
Modify the policy to 8 hours max life, 1-day max renewal:
ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400
Display effective Kerberos ticket policy for user 'admin':
ipa krbtpolicy-show admin
Reset per-user policy for user 'admin':
ipa krbtpolicy-reset admin
Modify per-user policy for user 'admin':
ipa krbtpolicy-mod admin --maxlife=3600
""")
register = Registry()
@register()
class krbtpolicy(Object):
takes_params = (
parameters.Str(
'uid',
required=False,
primary_key=True,
label=_(u'User name'),
doc=_(u'Manage ticket policy for specific user'),
),
parameters.Int(
'krbmaxticketlife',
required=False,
label=_(u'Max life'),
doc=_(u'Maximum ticket life (seconds)'),
),
parameters.Int(
'krbmaxrenewableage',
required=False,
label=_(u'Max renew'),
doc=_(u'Maximum renewable age (seconds)'),
),
)
@register()
class krbtpolicy_mod(Method):
__doc__ = _("Modify Kerberos ticket policy.")
takes_args = (
parameters.Str(
'uid',
required=False,
cli_name='user',
label=_(u'User name'),
doc=_(u'Manage ticket policy for specific user'),
),
)
takes_options = (
parameters.Int(
'krbmaxticketlife',
required=False,
cli_name='maxlife',
label=_(u'Max life'),
doc=_(u'Maximum ticket life (seconds)'),
),
parameters.Int(
'krbmaxrenewableage',
required=False,
cli_name='maxrenew',
label=_(u'Max renew'),
doc=_(u'Maximum renewable age (seconds)'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class krbtpolicy_reset(Method):
__doc__ = _("Reset Kerberos ticket policy to the default values.")
takes_args = (
parameters.Str(
'uid',
required=False,
cli_name='user',
label=_(u'User name'),
doc=_(u'Manage ticket policy for specific user'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class krbtpolicy_show(Method):
__doc__ = _("Display the current Kerberos ticket policy.")
takes_args = (
parameters.Str(
'uid',
required=False,
cli_name='user',
label=_(u'User name'),
doc=_(u'Manage ticket policy for specific user'),
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,295 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Migration to IPA
Migrate users and groups from an LDAP server to IPA.
This performs an LDAP query against the remote server searching for
users and groups in a container. In order to migrate passwords you need
to bind as a user that can read the userPassword attribute on the remote
server. This is generally restricted to high-level admins such as
cn=Directory Manager in 389-ds (this is the default bind user).
The default user container is ou=People.
The default group container is ou=Groups.
Users and groups that already exist on the IPA server are skipped.
Two LDAP schemas define how group members are stored: RFC2307 and
RFC2307bis. RFC2307bis uses member and uniquemember to specify group
members, RFC2307 uses memberUid. The default schema is RFC2307bis.
The schema compat feature allows IPA to reformat data for systems that
do not support RFC2307bis. It is recommended that this feature is disabled
during migration to reduce system overhead. It can be re-enabled after
migration. To migrate with it enabled use the "--with-compat" option.
Migrated users do not have Kerberos credentials, they have only their
LDAP password. To complete the migration process, users need to go
to http://ipa.example.com/ipa/migration and authenticate using their
LDAP password in order to generate their Kerberos credentials.
Migration is disabled by default. Use the command ipa config-mod to
enable it:
ipa config-mod --enable-migration=TRUE
If a base DN is not provided with --basedn then IPA will use either
the value of defaultNamingContext if it is set or the first value
in namingContexts set in the root of the remote LDAP server.
Users are added as members to the default user group. This can be a
time-intensive task so during migration this is done in a batch
mode for every 100 users. As a result there will be a window in which
users will be added to IPA but will not be members of the default
user group.
EXAMPLES:
The simplest migration, accepting all defaults:
ipa migrate-ds ldap://ds.example.com:389
Specify the user and group container. This can be used to migrate user
and group data from an IPA v1 server:
ipa migrate-ds --user-container='cn=users,cn=accounts' \
--group-container='cn=groups,cn=accounts' \
ldap://ds.example.com:389
Since IPA v2 server already contain predefined groups that may collide with
groups in migrated (IPA v1) server (for example admins, ipausers), users
having colliding group as their primary group may happen to belong to
an unknown group on new IPA v2 server.
Use --group-overwrite-gid option to overwrite GID of already existing groups
to prevent this issue:
ipa migrate-ds --group-overwrite-gid \
--user-container='cn=users,cn=accounts' \
--group-container='cn=groups,cn=accounts' \
ldap://ds.example.com:389
Migrated users or groups may have object class and accompanied attributes
unknown to the IPA v2 server. These object classes and attributes may be
left out of the migration process:
ipa migrate-ds --user-container='cn=users,cn=accounts' \
--group-container='cn=groups,cn=accounts' \
--user-ignore-objectclass=radiusprofile \
--user-ignore-attribute=radiusgroupname \
ldap://ds.example.com:389
LOGGING
Migration will log warnings and errors to the Apache error log. This
file should be evaluated post-migration to correct or investigate any
issues that were discovered.
For every 100 users migrated an info-level message will be displayed to
give the current progress and duration to make it possible to track
the progress of migration.
If the log level is debug, either by setting debug = True in
/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed
for each user added plus a summary when the default user group is
updated.
""")
register = Registry()
@register()
class migrate_ds(Command):
__doc__ = _("Migrate users and groups from DS to IPA.")
takes_args = (
parameters.Str(
'ldapuri',
cli_name='ldap_uri',
label=_(u'LDAP URI'),
doc=_(u'LDAP URI of DS server to migrate from'),
),
parameters.Password(
'bindpw',
cli_name='password',
label=_(u'Password'),
doc=_(u'bind password'),
),
)
takes_options = (
parameters.DNParam(
'binddn',
required=False,
cli_name='bind_dn',
label=_(u'Bind DN'),
default=DN(u'cn=directory manager'),
autofill=True,
),
parameters.DNParam(
'usercontainer',
cli_name='user_container',
label=_(u'User container'),
doc=_(u'DN of container for users in DS relative to base DN'),
default=DN(u'ou=people'),
autofill=True,
),
parameters.DNParam(
'groupcontainer',
cli_name='group_container',
label=_(u'Group container'),
doc=_(u'DN of container for groups in DS relative to base DN'),
default=DN(u'ou=groups'),
autofill=True,
),
parameters.Str(
'userobjectclass',
multivalue=True,
cli_name='user_objectclass',
label=_(u'User object class'),
doc=_(u'Comma-separated list of objectclasses used to search for user entries in DS'),
default=(u'person',),
autofill=True,
),
parameters.Str(
'groupobjectclass',
multivalue=True,
cli_name='group_objectclass',
label=_(u'Group object class'),
doc=_(u'Comma-separated list of objectclasses used to search for group entries in DS'),
default=(u'groupOfUniqueNames', u'groupOfNames'),
autofill=True,
),
parameters.Str(
'userignoreobjectclass',
required=False,
multivalue=True,
cli_name='user_ignore_objectclass',
label=_(u'Ignore user object class'),
doc=_(u'Comma-separated list of objectclasses to be ignored for user entries in DS'),
default=(),
autofill=True,
),
parameters.Str(
'userignoreattribute',
required=False,
multivalue=True,
cli_name='user_ignore_attribute',
label=_(u'Ignore user attribute'),
doc=_(u'Comma-separated list of attributes to be ignored for user entries in DS'),
default=(),
autofill=True,
),
parameters.Str(
'groupignoreobjectclass',
required=False,
multivalue=True,
cli_name='group_ignore_objectclass',
label=_(u'Ignore group object class'),
doc=_(u'Comma-separated list of objectclasses to be ignored for group entries in DS'),
default=(),
autofill=True,
),
parameters.Str(
'groupignoreattribute',
required=False,
multivalue=True,
cli_name='group_ignore_attribute',
label=_(u'Ignore group attribute'),
doc=_(u'Comma-separated list of attributes to be ignored for group entries in DS'),
default=(),
autofill=True,
),
parameters.Flag(
'groupoverwritegid',
cli_name='group_overwrite_gid',
label=_(u'Overwrite GID'),
doc=_(u'When migrating a group already existing in IPA domain overwrite the group GID and report as success'),
default=False,
autofill=True,
),
parameters.Str(
'schema',
required=False,
cli_metavar="['RFC2307bis', 'RFC2307']",
label=_(u'LDAP schema'),
doc=_(u'The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'),
default=u'RFC2307bis',
autofill=True,
),
parameters.Flag(
'continue',
required=False,
label=_(u'Continue'),
doc=_(u'Continuous operation mode. Errors are reported but the process continues'),
default=False,
autofill=True,
),
parameters.DNParam(
'basedn',
required=False,
cli_name='base_dn',
label=_(u'Base DN'),
doc=_(u'Base DN on remote LDAP server'),
),
parameters.Flag(
'compat',
required=False,
cli_name='with_compat',
label=_(u'Ignore compat plugin'),
doc=_(u'Allows migration despite the usage of compat plugin'),
default=False,
autofill=True,
),
parameters.Str(
'exclude_groups',
required=False,
multivalue=True,
doc=_(u'comma-separated list of groups to exclude from migration'),
default=(),
autofill=True,
),
parameters.Str(
'exclude_users',
required=False,
multivalue=True,
doc=_(u'comma-separated list of users to exclude from migration'),
default=(),
autofill=True,
),
)
has_output = (
output.Output(
'result',
dict,
doc=_(u'Lists of objects migrated; categorized by type.'),
),
output.Output(
'failed',
dict,
doc=_(u'Lists of objects that could not be migrated; categorized by type.'),
),
output.Output(
'enabled',
bool,
doc=_(u'False if migration mode was disabled.'),
),
output.Output(
'compat',
bool,
doc=_(u'False if migration fails because the compatibility plug-in is enabled.'),
),
)


@@ -1,113 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Misc plug-ins
""")
register = Registry()
@register()
class env(Command):
__doc__ = _("Show environment variables.")
takes_args = (
parameters.Str(
'variables',
required=False,
multivalue=True,
),
)
takes_options = (
parameters.Flag(
'server',
required=False,
doc=_(u'Forward to server instead of running locally'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=True,
autofill=True,
),
)
has_output = (
output.Output(
'result',
dict,
doc=_(u'Dictionary mapping variable name to value'),
),
output.Output(
'total',
int,
doc=_(u'Total number of variables env (>= count)'),
),
output.Output(
'count',
int,
doc=_(u'Number of variables returned (<= total)'),
),
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
)
@register()
class plugins(Command):
__doc__ = _("Show all loaded plugins.")
takes_options = (
parameters.Flag(
'server',
required=False,
doc=_(u'Forward to server instead of running locally'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=True,
autofill=True,
),
)
has_output = (
output.Output(
'result',
dict,
doc=_(u'Dictionary mapping plugin names to bases'),
),
output.Output(
'count',
int,
doc=_(u'Number of plugins loaded'),
),
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
)


@@ -1,826 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Netgroups
A netgroup is a group used for permission checking. It can contain both
user and host values.
EXAMPLES:
Add a new netgroup:
ipa netgroup-add --desc="NFS admins" admins
Add members to the netgroup:
ipa netgroup-add-member --users=tuser1,tuser2 admins
Remove a member from the netgroup:
ipa netgroup-remove-member --users=tuser2 admins
Display information about a netgroup:
ipa netgroup-show admins
Delete a netgroup:
ipa netgroup-del admins
""")
register = Registry()
@register()
class netgroup(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Netgroup name'),
),
parameters.Str(
'description',
label=_(u'Description'),
doc=_(u'Netgroup description'),
),
parameters.Str(
'nisdomainname',
required=False,
label=_(u'NIS domain name'),
),
parameters.Str(
'ipauniqueid',
required=False,
label=_(u'IPA unique ID'),
doc=_(u'IPA unique ID'),
),
parameters.Str(
'usercategory',
required=False,
label=_(u'User category'),
doc=_(u'User category the rule applies to'),
),
parameters.Str(
'hostcategory',
required=False,
label=_(u'Host category'),
doc=_(u'Host category the rule applies to'),
),
parameters.Str(
'externalhost',
required=False,
multivalue=True,
label=_(u'External host'),
),
parameters.Str(
'member_netgroup',
required=False,
label=_(u'Member netgroups'),
),
parameters.Str(
'memberof_netgroup',
required=False,
label=_(u'Member of netgroups'),
),
parameters.Str(
'memberindirect_netgroup',
required=False,
label=_(u'Indirect Member netgroups'),
),
parameters.Str(
'memberuser_user',
required=False,
label=_(u'Member User'),
),
parameters.Str(
'memberuser_group',
required=False,
label=_(u'Member Group'),
),
parameters.Str(
'memberhost_host',
required=False,
label=_(u'Member Host'),
),
parameters.Str(
'memberhost_hostgroup',
required=False,
label=_(u'Member Hostgroup'),
),
)
@register()
class netgroup_add(Method):
__doc__ = _("Add a new netgroup.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Netgroup name'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
cli_name='desc',
label=_(u'Description'),
doc=_(u'Netgroup description'),
),
parameters.Str(
'nisdomainname',
required=False,
cli_name='nisdomain',
label=_(u'NIS domain name'),
),
parameters.Str(
'usercategory',
required=False,
cli_name='usercat',
cli_metavar="['all']",
label=_(u'User category'),
doc=_(u'User category the rule applies to'),
),
parameters.Str(
'hostcategory',
required=False,
cli_name='hostcat',
cli_metavar="['all']",
label=_(u'Host category'),
doc=_(u'Host category the rule applies to'),
),
parameters.Str(
'externalhost',
required=False,
multivalue=True,
label=_(u'External host'),
exclude=('cli', 'webui'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class netgroup_add_member(Method):
__doc__ = _("Add members to a netgroup.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Netgroup name'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'user',
required=False,
multivalue=True,
cli_name='users',
label=_(u'member user'),
doc=_(u'comma-separated list of users to add'),
alwaysask=True,
),
parameters.Str(
'group',
required=False,
multivalue=True,
cli_name='groups',
label=_(u'member group'),
doc=_(u'comma-separated list of groups to add'),
alwaysask=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'member host'),
doc=_(u'comma-separated list of hosts to add'),
alwaysask=True,
),
parameters.Str(
'hostgroup',
required=False,
multivalue=True,
cli_name='hostgroups',
label=_(u'member host group'),
doc=_(u'comma-separated list of host groups to add'),
alwaysask=True,
),
parameters.Str(
'netgroup',
required=False,
multivalue=True,
cli_name='netgroups',
label=_(u'member netgroup'),
doc=_(u'comma-separated list of netgroups to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class netgroup_del(Method):
__doc__ = _("Delete a netgroup.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='name',
label=_(u'Netgroup name'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class netgroup_find(Method):
__doc__ = _("Search for a netgroup.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='name',
label=_(u'Netgroup name'),
no_convert=True,
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'Netgroup description'),
),
parameters.Str(
'nisdomainname',
required=False,
cli_name='nisdomain',
label=_(u'NIS domain name'),
),
parameters.Str(
'ipauniqueid',
required=False,
cli_name='uuid',
label=_(u'IPA unique ID'),
doc=_(u'IPA unique ID'),
),
parameters.Str(
'usercategory',
required=False,
cli_name='usercat',
cli_metavar="['all']",
label=_(u'User category'),
doc=_(u'User category the rule applies to'),
),
parameters.Str(
'hostcategory',
required=False,
cli_name='hostcat',
cli_metavar="['all']",
label=_(u'Host category'),
doc=_(u'Host category the rule applies to'),
),
parameters.Str(
'externalhost',
required=False,
multivalue=True,
label=_(u'External host'),
exclude=('cli', 'webui'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'private',
exclude=('webui', 'cli'),
default=False,
autofill=True,
),
parameters.Flag(
'managed',
doc=_(u'search for managed groups'),
default=False,
default_from=DefaultFrom(lambda private: private),
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("name")'),
default=False,
autofill=True,
),
parameters.Str(
'netgroup',
required=False,
multivalue=True,
cli_name='netgroups',
label=_(u'netgroup'),
doc=_(u'Search for netgroups with these member netgroups.'),
),
parameters.Str(
'no_netgroup',
required=False,
multivalue=True,
cli_name='no_netgroups',
label=_(u'netgroup'),
doc=_(u'Search for netgroups without these member netgroups.'),
),
parameters.Str(
'user',
required=False,
multivalue=True,
cli_name='users',
label=_(u'user'),
doc=_(u'Search for netgroups with these member users.'),
),
parameters.Str(
'no_user',
required=False,
multivalue=True,
cli_name='no_users',
label=_(u'user'),
doc=_(u'Search for netgroups without these member users.'),
),
parameters.Str(
'group',
required=False,
multivalue=True,
cli_name='groups',
label=_(u'group'),
doc=_(u'Search for netgroups with these member groups.'),
),
parameters.Str(
'no_group',
required=False,
multivalue=True,
cli_name='no_groups',
label=_(u'group'),
doc=_(u'Search for netgroups without these member groups.'),
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'host'),
doc=_(u'Search for netgroups with these member hosts.'),
),
parameters.Str(
'no_host',
required=False,
multivalue=True,
cli_name='no_hosts',
label=_(u'host'),
doc=_(u'Search for netgroups without these member hosts.'),
),
parameters.Str(
'hostgroup',
required=False,
multivalue=True,
cli_name='hostgroups',
label=_(u'host group'),
doc=_(u'Search for netgroups with these member host groups.'),
),
parameters.Str(
'no_hostgroup',
required=False,
multivalue=True,
cli_name='no_hostgroups',
label=_(u'host group'),
doc=_(u'Search for netgroups without these member host groups.'),
),
parameters.Str(
'in_netgroup',
required=False,
multivalue=True,
cli_name='in_netgroups',
label=_(u'netgroup'),
doc=_(u'Search for netgroups with these member of netgroups.'),
),
parameters.Str(
'not_in_netgroup',
required=False,
multivalue=True,
cli_name='not_in_netgroups',
label=_(u'netgroup'),
doc=_(u'Search for netgroups without these member of netgroups.'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class netgroup_mod(Method):
__doc__ = _("Modify a netgroup.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Netgroup name'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'Netgroup description'),
),
parameters.Str(
'nisdomainname',
required=False,
cli_name='nisdomain',
label=_(u'NIS domain name'),
),
parameters.Str(
'usercategory',
required=False,
cli_name='usercat',
cli_metavar="['all']",
label=_(u'User category'),
doc=_(u'User category the rule applies to'),
),
parameters.Str(
'hostcategory',
required=False,
cli_name='hostcat',
cli_metavar="['all']",
label=_(u'Host category'),
doc=_(u'Host category the rule applies to'),
),
parameters.Str(
'externalhost',
required=False,
multivalue=True,
label=_(u'External host'),
exclude=('cli', 'webui'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class netgroup_remove_member(Method):
__doc__ = _("Remove members from a netgroup.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Netgroup name'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'user',
required=False,
multivalue=True,
cli_name='users',
label=_(u'member user'),
doc=_(u'comma-separated list of users to remove'),
alwaysask=True,
),
parameters.Str(
'group',
required=False,
multivalue=True,
cli_name='groups',
label=_(u'member group'),
doc=_(u'comma-separated list of groups to remove'),
alwaysask=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'member host'),
doc=_(u'comma-separated list of hosts to remove'),
alwaysask=True,
),
parameters.Str(
'hostgroup',
required=False,
multivalue=True,
cli_name='hostgroups',
label=_(u'member host group'),
doc=_(u'comma-separated list of host groups to remove'),
alwaysask=True,
),
parameters.Str(
'netgroup',
required=False,
multivalue=True,
cli_name='netgroups',
label=_(u'member netgroup'),
doc=_(u'comma-separated list of netgroups to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class netgroup_show(Method):
__doc__ = _("Display information about a netgroup.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Netgroup name'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,86 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Set a user's password
If someone other than a user changes that user's password (e.g., Helpdesk
resets it) then the password will need to be changed the first time it
is used. This is so the end-user is the only one who knows the password.
The IPA password policy controls how often a password may be changed,
what strength requirements exist, and the length of the password history.
EXAMPLES:
To reset your own password:
ipa passwd
To change another user's password:
ipa passwd tuser1
""")
register = Registry()
@register()
class passwd(Command):
__doc__ = _("Set a user's password.")
takes_args = (
parameters.Str(
'principal',
cli_name='user',
label=_(u'User name'),
default_from=DefaultFrom(lambda : None),
# FIXME:
# lambda: util.get_current_principal()
autofill=True,
no_convert=True,
),
parameters.Password(
'password',
label=_(u'New Password'),
confirm=True,
),
parameters.Password(
'current_password',
label=_(u'Current Password'),
default_from=DefaultFrom(lambda principal: None, 'principal'),
# FIXME:
# lambda principal: get_current_password(principal)
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
bool,
doc=_(u'True means the operation was successful'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,751 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Permissions
A permission enables fine-grained delegation of rights. A permission is
a human-readable form of a 389-ds Access Control Rule, or instruction (ACI).
A permission grants the right to perform a specific task such as adding a
user, modifying a group, etc.
A permission may not contain other permissions.
* A permission grants access to read, write, add or delete.
* A privilege combines similar permissions (for example all the permissions
needed to add a user).
* A role grants a set of privileges to users, groups, hosts or hostgroups.
A permission is made up of a number of different parts:
1. The name of the permission.
2. The target of the permission.
3. The rights granted by the permission.
Rights define what operations are allowed, and may be one or more
of the following:
1. write - write one or more attributes
2. read - read one or more attributes
3. add - add a new entry to the tree
4. delete - delete an existing entry
5. all - all permissions are granted
Read permission is granted for most attributes by default so the read
permission is not expected to be used very often.
Note the distinction between attributes and entries. The permissions are
independent, so being able to add a user does not mean that the user will
be editable.
There are a number of allowed targets:
1. type: a type of object (user, group, etc).
2. memberof: a member of a group or hostgroup
3. filter: an LDAP filter
4. subtree: an LDAP filter specifying part of the LDAP DIT. This is a
super-set of the "type" target.
5. targetgroup: grant access to modify a specific group (such as granting
the rights to manage group membership)
EXAMPLES:
Add a permission that grants the creation of users:
ipa permission-add --type=user --permissions=add "Add Users"
Add a permission that grants the ability to manage group membership:
ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members"
""")
register = Registry()
@register()
class permission(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Permission name'),
),
parameters.Str(
'permissions',
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
),
parameters.Str(
'type',
required=False,
label=_(u'Type'),
doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
),
parameters.Str(
'memberof',
required=False,
label=_(u'Member of group'),
doc=_(u'Target members of a group'),
),
parameters.Str(
'filter',
required=False,
label=_(u'Filter'),
doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
),
parameters.Str(
'subtree',
required=False,
label=_(u'Subtree'),
doc=_(u'Subtree to apply permissions to'),
),
parameters.Str(
'targetgroup',
required=False,
label=_(u'Target group'),
doc=_(u'User group to apply permissions to'),
),
parameters.Str(
'member_privilege',
required=False,
label=_(u'Granted to Privilege'),
),
parameters.Str(
'memberindirect_role',
required=False,
label=_(u'Indirect Member of roles'),
),
)
@register()
class permission_add(Method):
__doc__ = _("Add a new permission.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Str(
'permissions',
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
alwaysask=True,
no_convert=True,
),
parameters.Str(
'type',
required=False,
cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
label=_(u'Type'),
doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
alwaysask=True,
),
parameters.Str(
'memberof',
required=False,
label=_(u'Member of group'),
doc=_(u'Target members of a group'),
alwaysask=True,
),
parameters.Str(
'filter',
required=False,
label=_(u'Filter'),
doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
alwaysask=True,
),
parameters.Str(
'subtree',
required=False,
label=_(u'Subtree'),
doc=_(u'Subtree to apply permissions to'),
alwaysask=True,
),
parameters.Str(
'targetgroup',
required=False,
label=_(u'Target group'),
doc=_(u'User group to apply permissions to'),
alwaysask=True,
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class permission_add_member(Method):
__doc__ = _("Add members to a permission.")
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'privilege',
required=False,
multivalue=True,
cli_name='privileges',
label=_(u'member privilege'),
doc=_(u'comma-separated list of privileges to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class permission_add_noaci(Method):
__doc__ = _("Add a system permission without an ACI")
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Str(
'permissiontype',
required=False,
cli_metavar="['SYSTEM']",
label=_(u'Permission type'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class permission_del(Method):
__doc__ = _("Delete a permission.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
parameters.Flag(
'force',
label=_(u'Force'),
doc=_(u'force delete of SYSTEM permissions'),
exclude=('cli', 'webui'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class permission_find(Method):
__doc__ = _("Search for permissions.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='name',
label=_(u'Permission name'),
),
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
no_convert=True,
),
parameters.Str(
'type',
required=False,
cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
label=_(u'Type'),
doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
),
parameters.Str(
'memberof',
required=False,
label=_(u'Member of group'),
doc=_(u'Target members of a group'),
),
parameters.Str(
'filter',
required=False,
label=_(u'Filter'),
doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
),
parameters.Str(
'subtree',
required=False,
label=_(u'Subtree'),
doc=_(u'Subtree to apply permissions to'),
),
parameters.Str(
'targetgroup',
required=False,
label=_(u'Target group'),
doc=_(u'User group to apply permissions to'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("name")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class permission_mod(Method):
__doc__ = _("Modify a permission.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
no_convert=True,
),
parameters.Str(
'type',
required=False,
cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']",
label=_(u'Type'),
doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
),
parameters.Str(
'memberof',
required=False,
label=_(u'Member of group'),
doc=_(u'Target members of a group'),
),
parameters.Str(
'filter',
required=False,
label=_(u'Filter'),
doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'),
),
parameters.Str(
'subtree',
required=False,
label=_(u'Subtree'),
doc=_(u'Subtree to apply permissions to'),
),
parameters.Str(
'targetgroup',
required=False,
label=_(u'Target group'),
doc=_(u'User group to apply permissions to'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'rename',
required=False,
label=_(u'Rename'),
doc=_(u'Rename the permission object'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class permission_remove_member(Method):
__doc__ = _("Remove members from a permission.")
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'privilege',
required=False,
multivalue=True,
cli_name='privileges',
label=_(u'member privilege'),
doc=_(u'comma-separated list of privileges to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class permission_show(Method):
__doc__ = _("Display information about a permission.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Permission name'),
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,60 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Ping the remote IPA server to ensure it is running.
The ping command sends an echo request to an IPA server. The server
returns its version information. This is used by an IPA client
to confirm that the server is available and accepting requests.
The server from xmlrpc_uri in /etc/ipa/default.conf is contacted first.
If it does not respond then the client will contact any servers defined
by ldap SRV records in DNS.
EXAMPLES:
Ping an IPA server:
ipa ping
------------------------------------------
IPA server version 2.1.9. API version 2.20
------------------------------------------
Ping an IPA server verbosely:
ipa -v ping
ipa: INFO: trying https://ipa.example.com/ipa/xml
ipa: INFO: Forwarding 'ping' to server u'https://ipa.example.com/ipa/xml'
-----------------------------------------------------
IPA server version 2.1.9. API version 2.20
-----------------------------------------------------
""")
register = Registry()
@register()
class ping(Command):
__doc__ = _("Ping a remote server.")
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
)


@@ -1,61 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Kerberos pkinit options
Enable or disable anonymous pkinit using the principal
WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
pkinit support.
EXAMPLES:
Enable anonymous pkinit:
ipa pkinit-anonymous enable
Disable anonymous pkinit:
ipa pkinit-anonymous disable
For more information on anonymous pkinit see:
http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
""")
register = Registry()
@register()
class pkinit(Object):
takes_params = (
)
@register()
class pkinit_anonymous(Command):
__doc__ = _("Enable or Disable Anonymous PKINIT.")
takes_args = (
parameters.Str(
'action',
),
)
has_output = (
output.Output(
'result',
),
)


@@ -1,603 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Privileges
A privilege combines permissions into a logical task. A permission provides
the rights to do a single task. There are some IPA operations that require
multiple permissions to succeed. A privilege is where permissions are
combined in order to perform a specific task.
For example, adding a user requires the following permissions:
* Creating a new user entry
* Resetting a user password
* Adding the new user to the default IPA users group
Combining these three low-level tasks into a higher level task in the
form of a privilege named "Add User" makes it easier to manage Roles.
A privilege may not contain other privileges.
See role and permission for additional information.
""")
register = Registry()
@register()
class privilege(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Privilege name'),
),
parameters.Str(
'description',
label=_(u'Description'),
doc=_(u'Privilege description'),
),
parameters.Str(
'memberof_permission',
required=False,
label=_(u'Permissions'),
),
parameters.Str(
'member_role',
required=False,
label=_(u'Granting privilege to roles'),
),
)
@register()
class privilege_add(Method):
__doc__ = _("Add a new privilege.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Privilege name'),
),
)
takes_options = (
parameters.Str(
'description',
cli_name='desc',
label=_(u'Description'),
doc=_(u'Privilege description'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class privilege_add_member(Method):
__doc__ = _("Add members to a privilege.")
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Privilege name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'role',
required=False,
multivalue=True,
cli_name='roles',
label=_(u'member role'),
doc=_(u'comma-separated list of roles to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class privilege_add_permission(Method):
__doc__ = _("Add permissions to a privilege.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Privilege name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'permission',
required=False,
multivalue=True,
cli_name='permissions',
label=_(u'permission'),
doc=_(u'comma-separated list of permissions'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of permissions added'),
),
)
@register()
class privilege_del(Method):
__doc__ = _("Delete a privilege.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='name',
label=_(u'Privilege name'),
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class privilege_find(Method):
__doc__ = _("Search for privileges.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='name',
label=_(u'Privilege name'),
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'Privilege description'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("name")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class privilege_mod(Method):
__doc__ = _("Modify a privilege.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Privilege name'),
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'Privilege description'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'rename',
required=False,
label=_(u'Rename'),
doc=_(u'Rename the privilege object'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class privilege_remove_member(Method):
__doc__ = _("Remove members from a privilege")
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Privilege name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'role',
required=False,
multivalue=True,
cli_name='roles',
label=_(u'member role'),
doc=_(u'comma-separated list of roles to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class privilege_remove_permission(Method):
__doc__ = _("Remove permissions from a privilege.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Privilege name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'permission',
required=False,
multivalue=True,
cli_name='permissions',
label=_(u'permission'),
doc=_(u'comma-separated list of permissions'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of permissions removed'),
),
)
@register()
class privilege_show(Method):
__doc__ = _("Display information about a privilege.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Privilege name'),
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,947 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Password policy
A password policy sets limitations on IPA passwords, including maximum
lifetime, minimum lifetime, the number of passwords to save in
history, the number of character classes required (for stronger passwords)
and the minimum password length.
By default there is a single, global policy for all users. You can also
create a password policy to apply to a group. Each user is only subject
to one password policy, either the group policy or the global policy. A
group policy stands alone; it is not a super-set of the global policy plus
custom settings.
Each group password policy requires a unique priority setting. If a user
is in multiple groups that have password policies, this priority determines
which password policy is applied. A lower value indicates a higher priority
policy.
Group password policies are automatically removed when the groups they
are associated with are removed.
EXAMPLES:
Modify the global policy:
ipa pwpolicy-mod --minlength=10
Add a new group password policy:
ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins
Display the global password policy:
ipa pwpolicy-show
Display a group password policy:
ipa pwpolicy-show localadmins
Display the policy that would be applied to a given user:
ipa pwpolicy-show --user=tuser1
Modify a group password policy:
ipa pwpolicy-mod --minclasses=2 localadmins
""")
register = Registry()
@register()
class cosentry(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
),
parameters.DNParam(
'krbpwdpolicyreference',
),
parameters.Int(
'cospriority',
),
)
@register()
class pwpolicy(Object):
takes_params = (
parameters.Str(
'cn',
required=False,
primary_key=True,
label=_(u'Group'),
doc=_(u'Manage password policy for specific group'),
),
parameters.Int(
'krbmaxpwdlife',
required=False,
label=_(u'Max lifetime (days)'),
doc=_(u'Maximum password lifetime (in days)'),
),
parameters.Int(
'krbminpwdlife',
required=False,
label=_(u'Min lifetime (hours)'),
doc=_(u'Minimum password lifetime (in hours)'),
),
parameters.Int(
'krbpwdhistorylength',
required=False,
label=_(u'History size'),
doc=_(u'Password history size'),
),
parameters.Int(
'krbpwdmindiffchars',
required=False,
label=_(u'Character classes'),
doc=_(u'Minimum number of character classes'),
),
parameters.Int(
'krbpwdminlength',
required=False,
label=_(u'Min length'),
doc=_(u'Minimum length of password'),
),
parameters.Int(
'cospriority',
label=_(u'Priority'),
doc=_(u'Priority of the policy (higher number means lower priority'),
),
parameters.Int(
'krbpwdmaxfailure',
required=False,
label=_(u'Max failures'),
doc=_(u'Consecutive failures before lockout'),
),
parameters.Int(
'krbpwdfailurecountinterval',
required=False,
label=_(u'Failure reset interval'),
doc=_(u'Period after which failure count will be reset (seconds)'),
),
parameters.Int(
'krbpwdlockoutduration',
required=False,
label=_(u'Lockout duration'),
doc=_(u'Period for which lockout is enforced (seconds)'),
),
)
@register()
class cosentry_add(Method):
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
),
)
takes_options = (
parameters.DNParam(
'krbpwdpolicyreference',
),
parameters.Int(
'cospriority',
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class cosentry_del(Method):
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
multivalue=True,
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class cosentry_find(Method):
NO_CLI = True
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
),
parameters.DNParam(
'krbpwdpolicyreference',
required=False,
),
parameters.Int(
'cospriority',
required=False,
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("cn")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class cosentry_mod(Method):
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
),
)
takes_options = (
parameters.DNParam(
'krbpwdpolicyreference',
required=False,
),
parameters.Int(
'cospriority',
required=False,
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class cosentry_show(Method):
NO_CLI = True
takes_args = (
parameters.Str(
'cn',
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class pwpolicy_add(Method):
__doc__ = _("Add a new group password policy.")
takes_args = (
parameters.Str(
'cn',
cli_name='group',
label=_(u'Group'),
doc=_(u'Manage password policy for specific group'),
),
)
takes_options = (
parameters.Int(
'krbmaxpwdlife',
required=False,
cli_name='maxlife',
label=_(u'Max lifetime (days)'),
doc=_(u'Maximum password lifetime (in days)'),
),
parameters.Int(
'krbminpwdlife',
required=False,
cli_name='minlife',
label=_(u'Min lifetime (hours)'),
doc=_(u'Minimum password lifetime (in hours)'),
),
parameters.Int(
'krbpwdhistorylength',
required=False,
cli_name='history',
label=_(u'History size'),
doc=_(u'Password history size'),
),
parameters.Int(
'krbpwdmindiffchars',
required=False,
cli_name='minclasses',
label=_(u'Character classes'),
doc=_(u'Minimum number of character classes'),
),
parameters.Int(
'krbpwdminlength',
required=False,
cli_name='minlength',
label=_(u'Min length'),
doc=_(u'Minimum length of password'),
),
parameters.Int(
'cospriority',
cli_name='priority',
label=_(u'Priority'),
doc=_(u'Priority of the policy (higher number means lower priority'),
),
parameters.Int(
'krbpwdmaxfailure',
required=False,
cli_name='maxfail',
label=_(u'Max failures'),
doc=_(u'Consecutive failures before lockout'),
),
parameters.Int(
'krbpwdfailurecountinterval',
required=False,
cli_name='failinterval',
label=_(u'Failure reset interval'),
doc=_(u'Period after which failure count will be reset (seconds)'),
),
parameters.Int(
'krbpwdlockoutduration',
required=False,
cli_name='lockouttime',
label=_(u'Lockout duration'),
doc=_(u'Period for which lockout is enforced (seconds)'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class pwpolicy_del(Method):
__doc__ = _("Delete a group password policy.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='group',
label=_(u'Group'),
doc=_(u'Manage password policy for specific group'),
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class pwpolicy_find(Method):
__doc__ = _("Search for group password policies.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='group',
label=_(u'Group'),
doc=_(u'Manage password policy for specific group'),
),
parameters.Int(
'krbmaxpwdlife',
required=False,
cli_name='maxlife',
label=_(u'Max lifetime (days)'),
doc=_(u'Maximum password lifetime (in days)'),
),
parameters.Int(
'krbminpwdlife',
required=False,
cli_name='minlife',
label=_(u'Min lifetime (hours)'),
doc=_(u'Minimum password lifetime (in hours)'),
),
parameters.Int(
'krbpwdhistorylength',
required=False,
cli_name='history',
label=_(u'History size'),
doc=_(u'Password history size'),
),
parameters.Int(
'krbpwdmindiffchars',
required=False,
cli_name='minclasses',
label=_(u'Character classes'),
doc=_(u'Minimum number of character classes'),
),
parameters.Int(
'krbpwdminlength',
required=False,
cli_name='minlength',
label=_(u'Min length'),
doc=_(u'Minimum length of password'),
),
parameters.Int(
'cospriority',
required=False,
cli_name='priority',
label=_(u'Priority'),
doc=_(u'Priority of the policy (higher number means lower priority'),
),
parameters.Int(
'krbpwdmaxfailure',
required=False,
cli_name='maxfail',
label=_(u'Max failures'),
doc=_(u'Consecutive failures before lockout'),
),
parameters.Int(
'krbpwdfailurecountinterval',
required=False,
cli_name='failinterval',
label=_(u'Failure reset interval'),
doc=_(u'Period after which failure count will be reset (seconds)'),
),
parameters.Int(
'krbpwdlockoutduration',
required=False,
cli_name='lockouttime',
label=_(u'Lockout duration'),
doc=_(u'Period for which lockout is enforced (seconds)'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("group")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class pwpolicy_mod(Method):
__doc__ = _("Modify a group password policy.")
takes_args = (
parameters.Str(
'cn',
required=False,
cli_name='group',
label=_(u'Group'),
doc=_(u'Manage password policy for specific group'),
),
)
takes_options = (
parameters.Int(
'krbmaxpwdlife',
required=False,
cli_name='maxlife',
label=_(u'Max lifetime (days)'),
doc=_(u'Maximum password lifetime (in days)'),
),
parameters.Int(
'krbminpwdlife',
required=False,
cli_name='minlife',
label=_(u'Min lifetime (hours)'),
doc=_(u'Minimum password lifetime (in hours)'),
),
parameters.Int(
'krbpwdhistorylength',
required=False,
cli_name='history',
label=_(u'History size'),
doc=_(u'Password history size'),
),
parameters.Int(
'krbpwdmindiffchars',
required=False,
cli_name='minclasses',
label=_(u'Character classes'),
doc=_(u'Minimum number of character classes'),
),
parameters.Int(
'krbpwdminlength',
required=False,
cli_name='minlength',
label=_(u'Min length'),
doc=_(u'Minimum length of password'),
),
parameters.Int(
'cospriority',
required=False,
cli_name='priority',
label=_(u'Priority'),
doc=_(u'Priority of the policy (higher number means lower priority'),
),
parameters.Int(
'krbpwdmaxfailure',
required=False,
cli_name='maxfail',
label=_(u'Max failures'),
doc=_(u'Consecutive failures before lockout'),
),
parameters.Int(
'krbpwdfailurecountinterval',
required=False,
cli_name='failinterval',
label=_(u'Failure reset interval'),
doc=_(u'Period after which failure count will be reset (seconds)'),
),
parameters.Int(
'krbpwdlockoutduration',
required=False,
cli_name='lockouttime',
label=_(u'Lockout duration'),
doc=_(u'Period for which lockout is enforced (seconds)'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class pwpolicy_show(Method):
__doc__ = _("Display information about password policy.")
takes_args = (
parameters.Str(
'cn',
required=False,
cli_name='group',
label=_(u'Group'),
doc=_(u'Manage password policy for specific group'),
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Str(
'user',
required=False,
label=_(u'User'),
doc=_(u'Display effective policy for a specific user'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,682 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Roles
A role is used for fine-grained delegation. A permission grants the ability
to perform given low-level tasks (add a user, modify a group, etc.). A
privilege combines one or more permissions into a higher-level abstraction
such as useradmin. A useradmin would be able to add, delete and modify users.
Privileges are assigned to Roles.
Users, groups, hosts and hostgroups may be members of a Role.
Roles can not contain other roles.
EXAMPLES:
Add a new role:
ipa role-add --desc="Junior-level admin" junioradmin
Add some privileges to this role:
ipa role-add-privilege --privileges=addusers junioradmin
ipa role-add-privilege --privileges=change_password junioradmin
ipa role-add-privilege --privileges=add_user_to_default_group junioradmin
Add a group of users to this role:
ipa group-add --desc="User admins" useradmins
ipa role-add-member --groups=useradmins junioradmin
Display information about a role:
ipa role-show junioradmin
The result of this is that any users in the group 'junioradmin' can
add users, reset passwords or add a user to the default IPA user group.
""")
register = Registry()
@register()
class role(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Role name'),
),
parameters.Str(
'description',
label=_(u'Description'),
doc=_(u'A description of this role-group'),
),
parameters.Str(
'member_user',
required=False,
label=_(u'Member users'),
),
parameters.Str(
'member_group',
required=False,
label=_(u'Member groups'),
),
parameters.Str(
'member_host',
required=False,
label=_(u'Member hosts'),
),
parameters.Str(
'member_hostgroup',
required=False,
label=_(u'Member host-groups'),
),
parameters.Str(
'memberof_privilege',
required=False,
label=_(u'Privileges'),
),
)
@register()
class role_add(Method):
__doc__ = _("Add a new role.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Role name'),
),
)
takes_options = (
parameters.Str(
'description',
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this role-group'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class role_add_member(Method):
__doc__ = _("Add members to a role.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Role name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'user',
required=False,
multivalue=True,
cli_name='users',
label=_(u'member user'),
doc=_(u'comma-separated list of users to add'),
alwaysask=True,
),
parameters.Str(
'group',
required=False,
multivalue=True,
cli_name='groups',
label=_(u'member group'),
doc=_(u'comma-separated list of groups to add'),
alwaysask=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'member host'),
doc=_(u'comma-separated list of hosts to add'),
alwaysask=True,
),
parameters.Str(
'hostgroup',
required=False,
multivalue=True,
cli_name='hostgroups',
label=_(u'member host group'),
doc=_(u'comma-separated list of host groups to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class role_add_privilege(Method):
__doc__ = _("Add privileges to a role.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Role name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'privilege',
required=False,
multivalue=True,
cli_name='privileges',
label=_(u'privilege'),
doc=_(u'comma-separated list of privileges'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of privileges added'),
),
)
@register()
class role_del(Method):
__doc__ = _("Delete a role.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='name',
label=_(u'Role name'),
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class role_find(Method):
__doc__ = _("Search for roles.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='name',
label=_(u'Role name'),
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this role-group'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("name")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class role_mod(Method):
__doc__ = _("Modify a role.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Role name'),
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this role-group'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'rename',
required=False,
label=_(u'Rename'),
doc=_(u'Rename the role object'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class role_remove_member(Method):
__doc__ = _("Remove members from a role.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Role name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'user',
required=False,
multivalue=True,
cli_name='users',
label=_(u'member user'),
doc=_(u'comma-separated list of users to remove'),
alwaysask=True,
),
parameters.Str(
'group',
required=False,
multivalue=True,
cli_name='groups',
label=_(u'member group'),
doc=_(u'comma-separated list of groups to remove'),
alwaysask=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'member host'),
doc=_(u'comma-separated list of hosts to remove'),
alwaysask=True,
),
parameters.Str(
'hostgroup',
required=False,
multivalue=True,
cli_name='hostgroups',
label=_(u'member host group'),
doc=_(u'comma-separated list of host groups to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class role_remove_privilege(Method):
__doc__ = _("Remove privileges from a role.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Role name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'privilege',
required=False,
multivalue=True,
cli_name='privileges',
label=_(u'privilege'),
doc=_(u'comma-separated list of privileges'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of privileges removed'),
),
)
@register()
class role_show(Method):
__doc__ = _("Display information about a role.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Role name'),
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,337 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Self-service Permissions
A permission enables fine-grained delegation of permissions. Access Control
Rules, or instructions (ACIs), grant permission to permissions to perform
given tasks such as adding a user, modifying a group, etc.
A Self-service permission defines what an object can change in its own entry.
EXAMPLES:
Add a self-service rule to allow users to manage their address:
ipa selfservice-add --permissions=write --attrs=street,postalCode,l,c,st "Users manage their own address"
When managing the list of attributes you need to include all attributes
in the list, including existing ones. Add telephoneNumber to the list:
ipa selfservice-mod --attrs=street,postalCode,l,c,st,telephoneNumber "Users manage their own address"
Display our updated rule:
ipa selfservice-show "Users manage their own address"
Delete a rule:
ipa selfservice-del "Users manage their own address"
""")
register = Registry()
@register()
class selfservice(Object):
takes_params = (
parameters.Str(
'aciname',
primary_key=True,
label=_(u'Self-service name'),
),
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
),
parameters.Str(
'attrs',
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
),
)
@register()
class selfservice_add(Method):
__doc__ = _("Add a new self-service permission.")
takes_args = (
parameters.Str(
'aciname',
cli_name='name',
label=_(u'Self-service name'),
),
)
takes_options = (
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
),
parameters.Str(
'attrs',
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
no_convert=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class selfservice_del(Method):
__doc__ = _("Delete a self-service permission.")
takes_args = (
parameters.Str(
'aciname',
cli_name='name',
label=_(u'Self-service name'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
bool,
doc=_(u'True means the operation was successful'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class selfservice_find(Method):
__doc__ = _("Search for a self-service permission.")
takes_args = (
parameters.Str(
'criteria',
required=False,
),
)
takes_options = (
parameters.Str(
'aciname',
required=False,
cli_name='name',
label=_(u'Self-service name'),
),
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
no_convert=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("name")'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class selfservice_mod(Method):
__doc__ = _("Modify a self-service permission.")
takes_args = (
parameters.Str(
'aciname',
cli_name='name',
label=_(u'Self-service name'),
),
)
takes_options = (
parameters.Str(
'permissions',
required=False,
multivalue=True,
label=_(u'Permissions'),
doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'),
),
parameters.Str(
'attrs',
required=False,
multivalue=True,
label=_(u'Attributes'),
doc=_(u'Comma-separated list of attributes'),
no_convert=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class selfservice_show(Method):
__doc__ = _("Display information about a self-service permission.")
takes_args = (
parameters.Str(
'aciname',
cli_name='name',
label=_(u'Self-service name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,852 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
SELinux User Mapping
Map IPA users to SELinux users by host.
Hosts, hostgroups, users and groups can be either defined within
the rule or it may point to an existing HBAC rule. When using
--hbacrule option to selinuxusermap-find an exact match is made on the
HBAC rule name, so only one or zero entries will be returned.
EXAMPLES:
Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server":
ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1
ipa selinuxusermap-add-host --hosts=server.example.com test1
Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts:
ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2
Display the properties of a rule:
ipa selinuxusermap-show test2
Create a rule for a specific user. This sets the SELinux context for
user john to unconfined_u:s0-s0:c0.c1023 on any machine:
ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined
ipa selinuxusermap-add-user --users=john john_unconfined
Disable a rule:
ipa selinuxusermap-disable test1
Enable a rule:
ipa selinuxusermap-enable test1
Find a rule referencing a specific HBAC rule:
ipa selinuxusermap-find --hbacrule=allow_some
Remove a rule:
ipa selinuxusermap-del john_unconfined
SEEALSO:
The list controlling the order in which the SELinux user map is applied
and the default SELinux user are available in the config-show command.
""")
register = Registry()
@register()
class selinuxusermap(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Rule name'),
),
parameters.Str(
'ipaselinuxuser',
label=_(u'SELinux User'),
),
parameters.Str(
'seealso',
required=False,
label=_(u'HBAC Rule'),
doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
),
parameters.Str(
'usercategory',
required=False,
label=_(u'User category'),
doc=_(u'User category the rule applies to'),
),
parameters.Str(
'hostcategory',
required=False,
label=_(u'Host category'),
doc=_(u'Host category the rule applies to'),
),
parameters.Str(
'description',
required=False,
label=_(u'Description'),
),
parameters.Bool(
'ipaenabledflag',
required=False,
label=_(u'Enabled'),
),
parameters.Str(
'memberuser_user',
required=False,
label=_(u'Users'),
),
parameters.Str(
'memberuser_group',
required=False,
label=_(u'User Groups'),
),
parameters.Str(
'memberhost_host',
required=False,
label=_(u'Hosts'),
),
parameters.Str(
'memberhost_hostgroup',
required=False,
label=_(u'Host Groups'),
),
)
@register()
class selinuxusermap_add(Method):
__doc__ = _("Create a new SELinux User Map.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Rule name'),
),
)
takes_options = (
parameters.Str(
'ipaselinuxuser',
cli_name='selinuxuser',
label=_(u'SELinux User'),
),
parameters.Str(
'seealso',
required=False,
cli_name='hbacrule',
label=_(u'HBAC Rule'),
doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
),
parameters.Str(
'usercategory',
required=False,
cli_name='usercat',
cli_metavar="['all']",
label=_(u'User category'),
doc=_(u'User category the rule applies to'),
),
parameters.Str(
'hostcategory',
required=False,
cli_name='hostcat',
cli_metavar="['all']",
label=_(u'Host category'),
doc=_(u'Host category the rule applies to'),
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
),
parameters.Bool(
'ipaenabledflag',
required=False,
label=_(u'Enabled'),
exclude=('cli', 'webui'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class selinuxusermap_add_host(Method):
__doc__ = _("Add target hosts and hostgroups to an SELinux User Map rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Rule name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'member host'),
doc=_(u'comma-separated list of hosts to add'),
alwaysask=True,
),
parameters.Str(
'hostgroup',
required=False,
multivalue=True,
cli_name='hostgroups',
label=_(u'member host group'),
doc=_(u'comma-separated list of host groups to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class selinuxusermap_add_user(Method):
__doc__ = _("Add users and groups to an SELinux User Map rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Rule name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'user',
required=False,
multivalue=True,
cli_name='users',
label=_(u'member user'),
doc=_(u'comma-separated list of users to add'),
alwaysask=True,
),
parameters.Str(
'group',
required=False,
multivalue=True,
cli_name='groups',
label=_(u'member group'),
doc=_(u'comma-separated list of groups to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class selinuxusermap_del(Method):
__doc__ = _("Delete a SELinux User Map.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='name',
label=_(u'Rule name'),
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class selinuxusermap_disable(Method):
__doc__ = _("Disable an SELinux User Map rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Rule name'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
bool,
doc=_(u'True means the operation was successful'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class selinuxusermap_enable(Method):
__doc__ = _("Enable an SELinux User Map rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Rule name'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
bool,
doc=_(u'True means the operation was successful'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class selinuxusermap_find(Method):
__doc__ = _("Search for SELinux User Maps.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='name',
label=_(u'Rule name'),
),
parameters.Str(
'ipaselinuxuser',
required=False,
cli_name='selinuxuser',
label=_(u'SELinux User'),
),
parameters.Str(
'seealso',
required=False,
cli_name='hbacrule',
label=_(u'HBAC Rule'),
doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
),
parameters.Str(
'usercategory',
required=False,
cli_name='usercat',
cli_metavar="['all']",
label=_(u'User category'),
doc=_(u'User category the rule applies to'),
),
parameters.Str(
'hostcategory',
required=False,
cli_name='hostcat',
cli_metavar="['all']",
label=_(u'Host category'),
doc=_(u'Host category the rule applies to'),
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
),
parameters.Bool(
'ipaenabledflag',
required=False,
label=_(u'Enabled'),
exclude=('cli', 'webui'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("name")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class selinuxusermap_mod(Method):
__doc__ = _("Modify a SELinux User Map.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Rule name'),
),
)
takes_options = (
parameters.Str(
'ipaselinuxuser',
required=False,
cli_name='selinuxuser',
label=_(u'SELinux User'),
),
parameters.Str(
'seealso',
required=False,
cli_name='hbacrule',
label=_(u'HBAC Rule'),
doc=_(u'HBAC Rule that defines the users, groups and hostgroups'),
),
parameters.Str(
'usercategory',
required=False,
cli_name='usercat',
cli_metavar="['all']",
label=_(u'User category'),
doc=_(u'User category the rule applies to'),
),
parameters.Str(
'hostcategory',
required=False,
cli_name='hostcat',
cli_metavar="['all']",
label=_(u'Host category'),
doc=_(u'Host category the rule applies to'),
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
),
parameters.Bool(
'ipaenabledflag',
required=False,
label=_(u'Enabled'),
exclude=('cli', 'webui'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class selinuxusermap_remove_host(Method):
__doc__ = _("Remove target hosts and hostgroups from an SELinux User Map rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Rule name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'member host'),
doc=_(u'comma-separated list of hosts to remove'),
alwaysask=True,
),
parameters.Str(
'hostgroup',
required=False,
multivalue=True,
cli_name='hostgroups',
label=_(u'member host group'),
doc=_(u'comma-separated list of host groups to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class selinuxusermap_remove_user(Method):
__doc__ = _("Remove users and groups from an SELinux User Map rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Rule name'),
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'user',
required=False,
multivalue=True,
cli_name='users',
label=_(u'member user'),
doc=_(u'comma-separated list of users to remove'),
alwaysask=True,
),
parameters.Str(
'group',
required=False,
multivalue=True,
cli_name='groups',
label=_(u'member group'),
doc=_(u'comma-separated list of groups to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class selinuxusermap_show(Method):
__doc__ = _("Display the properties of a SELinux User Map rule.")
takes_args = (
parameters.Str(
'cn',
cli_name='name',
label=_(u'Rule name'),
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,621 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Services
A IPA service represents a service that runs on a host. The IPA service
record can store a Kerberos principal, an SSL certificate, or both.
An IPA service can be managed directly from a machine, provided that
machine has been given the correct permission. This is true even for
machines other than the one the service is associated with. For example,
requesting an SSL certificate using the host service principal credentials
of the host. To manage a service using host credentials you need to
kinit as the host:
# kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM
Adding an IPA service allows the associated service to request an SSL
certificate or keytab, but this is performed as a separate step; they
are not produced as a result of adding the service.
Only the public aspect of a certificate is stored in a service record;
the private key is not stored.
EXAMPLES:
Add a new IPA service:
ipa service-add HTTP/web.example.com
Allow a host to manage an IPA service certificate:
ipa service-add-host --hosts=web.example.com HTTP/web.example.com
ipa role-add-member --hosts=web.example.com certadmin
Override a default list of supported PAC types for the service:
ipa service-mod HTTP/web.example.com --pac-type=MS-PAC
Delete an IPA service:
ipa service-del HTTP/web.example.com
Find all IPA services associated with a host:
ipa service-find web.example.com
Find all HTTP services:
ipa service-find HTTP
Disable the service Kerberos key and SSL certificate:
ipa service-disable HTTP/web.example.com
Request a certificate for an IPA service:
ipa cert-request --principal=HTTP/web.example.com example.csr
Generate and retrieve a keytab for an IPA service:
ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
""")
register = Registry()
@register()
class service(Object):
takes_params = (
parameters.Str(
'krbprincipalname',
primary_key=True,
label=_(u'Principal'),
doc=_(u'Service principal'),
),
parameters.Bytes(
'usercertificate',
required=False,
label=_(u'Certificate'),
doc=_(u'Base-64 encoded server certificate'),
),
parameters.Str(
'ipakrbauthzdata',
required=False,
multivalue=True,
label=_(u'PAC type'),
doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"),
),
parameters.Flag(
'has_keytab',
label=_(u'Keytab'),
),
parameters.Str(
'managedby_host',
label=_(u'Managed by'),
),
)
@register()
class service_add(Method):
__doc__ = _("Add a new IPA new service.")
takes_args = (
parameters.Str(
'krbprincipalname',
cli_name='principal',
label=_(u'Principal'),
doc=_(u'Service principal'),
no_convert=True,
),
)
takes_options = (
parameters.Bytes(
'usercertificate',
required=False,
cli_name='certificate',
label=_(u'Certificate'),
doc=_(u'Base-64 encoded server certificate'),
),
parameters.Str(
'ipakrbauthzdata',
required=False,
multivalue=True,
cli_name='pac_type',
cli_metavar="['MS-PAC', 'PAD', 'NONE']",
label=_(u'PAC type'),
doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'force',
label=_(u'Force'),
doc=_(u'force principal name even if not in DNS'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class service_add_host(Method):
__doc__ = _("Add hosts that can manage this service.")
takes_args = (
parameters.Str(
'krbprincipalname',
cli_name='principal',
label=_(u'Principal'),
doc=_(u'Service principal'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'member host'),
doc=_(u'comma-separated list of hosts to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class service_del(Method):
__doc__ = _("Delete an IPA service.")
takes_args = (
parameters.Str(
'krbprincipalname',
multivalue=True,
cli_name='principal',
label=_(u'Principal'),
doc=_(u'Service principal'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class service_disable(Method):
__doc__ = _("Disable the Kerberos key and SSL certificate of a service.")
takes_args = (
parameters.Str(
'krbprincipalname',
cli_name='principal',
label=_(u'Principal'),
doc=_(u'Service principal'),
no_convert=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
bool,
doc=_(u'True means the operation was successful'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class service_find(Method):
__doc__ = _("Search for IPA services.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'krbprincipalname',
required=False,
cli_name='principal',
label=_(u'Principal'),
doc=_(u'Service principal'),
no_convert=True,
),
parameters.Str(
'ipakrbauthzdata',
required=False,
multivalue=True,
cli_name='pac_type',
cli_metavar="['MS-PAC', 'PAD', 'NONE']",
label=_(u'PAC type'),
doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("principal")'),
default=False,
autofill=True,
),
parameters.Str(
'man_by_host',
required=False,
multivalue=True,
cli_name='man_by_hosts',
label=_(u'host'),
doc=_(u'Search for services with these managed by hosts.'),
),
parameters.Str(
'not_man_by_host',
required=False,
multivalue=True,
cli_name='not_man_by_hosts',
label=_(u'host'),
doc=_(u'Search for services without these managed by hosts.'),
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class service_mod(Method):
__doc__ = _("Modify an existing IPA service.")
takes_args = (
parameters.Str(
'krbprincipalname',
cli_name='principal',
label=_(u'Principal'),
doc=_(u'Service principal'),
no_convert=True,
),
)
takes_options = (
parameters.Bytes(
'usercertificate',
required=False,
cli_name='certificate',
label=_(u'Certificate'),
doc=_(u'Base-64 encoded server certificate'),
),
parameters.Str(
'ipakrbauthzdata',
required=False,
multivalue=True,
cli_name='pac_type',
cli_metavar="['MS-PAC', 'PAD', 'NONE']",
label=_(u'PAC type'),
doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class service_remove_host(Method):
__doc__ = _("Remove hosts that can manage this service.")
takes_args = (
parameters.Str(
'krbprincipalname',
cli_name='principal',
label=_(u'Principal'),
doc=_(u'Service principal'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'host',
required=False,
multivalue=True,
cli_name='hosts',
label=_(u'member host'),
doc=_(u'comma-separated list of hosts to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class service_show(Method):
__doc__ = _("Display information about an IPA service.")
takes_args = (
parameters.Str(
'krbprincipalname',
cli_name='principal',
label=_(u'Principal'),
doc=_(u'Service principal'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Str(
'out',
required=False,
doc=_(u'file to store certificate in'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,624 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Session Support for IPA
John Dennis <jdennis@redhat.com>
Goals
=====
Provide per-user session data caching which persists between
requests. Desired features are:
* Integrates cleanly with minimum impact on existing infrastructure.
* Provides maximum security balanced against real-world performance
demands.
* Sessions must be able to be revoked (flushed).
* Should be flexible and easy to use for developers.
* Should leverage existing technology and code to the maximum extent
possible to avoid re-invention, excessive implementation time and to
benefit from robustness in field proven components commonly shared
in the open source community.
* Must support multiple independent processes which share session
data.
* System must function correctly if session data is available or not.
* Must be high performance.
* Should not be tied to specific web servers or browsers. Should
integrate with our chosen WSGI model.
Issues
======
Cookies
-------
Most session implementations are based on the use of cookies. Cookies
have some inherent problems.
* User has the option to disable cookies.
* User stored cookie data is not secure. Can be mitigated by setting
flags indicating the cookie is only to be used with SSL secured HTTP
connections to specific web resources and setting the cookie to
expire at session termination. Most modern browsers enforce these.
Where to store session data?
----------------------------
Session data may be stored on either on the client or on the
server. Storing session data on the client addresses the problem of
session data availability when requests are serviced by independent web
servers because the session data travels with the request. However
there are data size limitations. Storing session data on the client
also exposes sensitive data but this can be mitigated by encrypting
the session data such that only the server can decrypt it.
The more conventional approach is to bind session data to a unique
name, the session ID. The session ID is transmitted to the client and
the session data is paired with the session ID on the server in a
associative data store. The session data is retrieved by the server
using the session ID when the receiving the request. This eliminates
exposing sensitive session data on the client along with limitations
on data size. It however introduces the issue of session data
availability when requests are serviced by more than one server
process.
Multi-process session data availability
---------------------------------------
Apache (and other web servers) fork child processes to handle requests
in parallel. Also web servers may be deployed in a farm where requests
are load balanced in round robin fashion across different nodes. In
both cases session data cannot be stored in the memory of a server
process because it is not available to other processes, either sibling
children of a master server process or server processes on distinct
nodes.
Typically this is addressed by storing session data in a SQL
database. When a request is received by a server process containing a
session ID in it's cookie data the session ID is used to perform a SQL
query and the resulting data is then attached to the request as it
proceeds through the request processing pipeline. This of course
introduces coherency issues.
For IPA the introduction of a SQL database dependency is undesired and
should be avoided.
Session data may also be shared by independent processes by storing
the session data in files.
An alternative solution which has gained considerable popularity
recently is the use of a fast memory based caching server. Data is
stored in a single process memory and may be queried and set via a
light weight protocol using standard socket mechanisms, memcached is
one example. A typical use is to optimize SQL queries by storing a SQL
result in shared memory cache avoiding the more expensive SQL
operation. But the memory cache has distinct advantages in non-SQL
situations as well.
Possible implementations for use by IPA
=======================================
Apache Sessions
---------------
Apache has 2.3 has implemented session support via these modules:
mod_session
Overarching session support based on cookies.
See: http://httpd.apache.org/docs/2.3/mod/mod_session.html
mod_session_cookie
Stores session data in the client.
See: http://httpd.apache.org/docs/2.3/mod/mod_session_cookie.html
mod_session_crypto
Encrypts session data for security. Encryption key is shared
configuration parameter visible to all Apache processes and is
stored in a configuration file.
See: http://httpd.apache.org/docs/2.3/mod/mod_session_crypto.html
mod_session_dbd
Stores session data in a SQL database permitting multiple
processes to access and share the same session data.
See: http://httpd.apache.org/docs/2.3/mod/mod_session_dbd.html
Issues with Apache sessions
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Although Apache has implemented generic session support and Apache is
our web server of preference it nonetheless introduces issues for IPA.
* Session support is only available in httpd >= 2.3 which at the
time of this writing is currently only available as a Beta release
from upstream. We currently only ship httpd 2.2, the same is true
for other distributions.
* We could package and ship the sessions modules as a temporary
package in httpd 2.2 environments. But this has the following
consequences:
- The code has to be backported. the module API has changed
slightly between httpd 2.2 and 2.3. The backporting is not
terribly difficult and a proof of concept has been
implemented.
- We would then be on the hook to package and maintain a special
case Apache package. This is maintenance burden as well as a
distribution packaging burden. Both of which would be best
avoided if possible.
* The design of the Apache session modules is such that they can
only be manipulated by other Apache modules. The ability of
consumers of the session data to control the session data is
simplistic, constrained and static during the period the request
is processed. Request handlers which are not native Apache modules
(e.g. IPA via WSGI) can only examine the session data
via request headers and reset it in response headers.
* Shared session data is available exclusively via SQL.
However using the 2.3 Apache session modules would give us robust
session support implemented in C based on standardized Apache
interfaces which are widely used.
Python Web Frameworks
---------------------
Virtually every Python web framework supports cookie based sessions,
e.g. Django, Twisted, Zope, Turbogears etc. Early on in IPA we decided
to avoid the use of these frameworks. Trying to pull in just one part
of these frameworks just to get session support would be problematic
because the code does not function outside it's framework.
IPA implemented sessions
------------------------
Originally it was believed the path of least effort was to utilize
existing session support, most likely what would be provided by
Apache. However there are enough basic modular components available in
native Python and other standard packages it should be possible to
provide session support meeting the aforementioned goals with a modest
implementation effort. Because we're leveraging existing components
the implementation difficulties are subsumed by other components which
have already been field proven and have community support. This is a
smart strategy.
Proposed Solution
=================
Our interface to the web server is via WSGI which invokes a callback
per request passing us an environmental context for the request. For
this discussion we'll name the WSGI callback "application()", a
conventional name in WSGI parlance.
Shared session data will be handled by memcached. We will create one
instance of memcached on each server node dedicated to IPA
exclusively. Communication with memcached will be via a UNIX socket
located in the file system under /var/run/ipa_memcached. It will be
protected by file permissions and optionally SELinux policy.
In application() we examine the request cookies and if there is an IPA
session cookie with a session ID we retrieve the session data from our
memcached instance.
The session data will be a Python dict. IPA components will read or
write their session information by using a pre-agreed upon name
(e.g. key) in the dict. This is a very flexible system and consistent
with how we pass data in most parts of IPA.
If the session data is not available an empty session data dict will
be created.
How does this session data travel with the request in the IPA
pipeline? In IPA we use the HTTP request/response to implement RPC. In
application() we convert the request into a procedure call passing it
arguments derived from the HTTP request. The passed parameters are
specific to the RPC method being invoked. The context the RPC call is
executing in is not passed as an RPC parameter.
How would the contextual information such as session data be bound to
the request and hence the RPC call?
In IPA when a RPC invocation is being prepared from a request we
recognize this will only ever be processed serially by one Python
thread. A thread local dict called "context" is allocated for each
thread. The context dict is cleared in between requests (e.g. RPC method
invocations). The per-thread context dict is populated during the
lifetime of the request and is used as a global data structure unique to
the request that various IPA component can read from and write to with
the assurance the data is unique to the current request and/or method
call.
The session data dict will be written into the context dict under the
session key before the RPC method begins execution. Thus session data
can be read and written by any IPA component by accessing
``context.session``.
When the RPC method finishes execution the session data bound to the
request/method is retrieved from the context and written back to the
memcached instance. The session ID is set in the response sent back to
the client in the ``Set-Cookie`` header along with the flags
controlling it's usage.
Issues and details
------------------
IPA code cannot depend on session data being present, however it
should always update session data with the hope it will be available
in the future. Session data may not be available because:
* This is the first request from the user and no session data has
been created yet.
* The user may have cookies disabled.
* The session data may have been flushed. memcached operates with
a fixed memory allocation and will flush entries on a LRU basis,
like with any cache there is no guarantee of persistence.
Also we may have have deliberately expired or deleted session
data, see below.
Cookie manipulation is done via the standard Python Cookie module.
Session cookies will be set to only persist as long as the browser has
the session open. They will be tagged so the browser only returns
the session ID on SSL secured HTTP requests. They will not be visible
to Javascript in the browser.
Session ID's will be created by using 48 bits of random data and
converted to 12 hexadecimal digits. Newly generated session ID's will
be checked for prior existence to handle the unlikely case the random
number repeats.
memcached will have significantly higher performance than a SQL or file
based storage solution. Communication is effectively though a pipe
(UNIX socket) using a very simple protocol and the data is held
entirely in process memory. memcached also scales easily, it is easy
to add more memcached processes and distribute the load across them.
At this point in time we don't anticipate the need for this.
A very nice feature of the Python memcached module is that when a data
item is written to the cache it is done with standard Python pickling
(pickling is a standard Python mechanism to marshal and unmarshal
Python objects). We adopt the convention the object written to cache
will be a dict to meet our internal data handling conventions. The
pickling code will recursively handle nested objects in the dict. Thus
we gain a lot of flexibility using standard Python data structures to
store and retrieve our session data without having to author and debug
code to marshal and unmarshal the data if some other storage mechanism
had been used. This is a significant implementation win. Of course
some common sense limitations need to observed when deciding on what
is written to the session cache keeping in mind the data is shared
between processes and it should not be excessively large (a
configurable option)
We can set an expiration on memcached entries. We may elect to do that
to force session data to be refreshed periodically. For example we may
wish the client to present fresh credentials on a periodic basis even
if the cached credentials are otherwise within their validity period.
We can explicitly delete session data if for some reason we believe it
is stale, invalid or compromised.
memcached also gives us certain facilities to prevent race conditions
between different processes utilizing the cache. For example you can
check of the entry has been modified since you last read it or use CAS
(Check And Set) semantics. What has to be protected in terms of cache
coherency will likely have to be determined as the session support is
utilized and different data items are added to the cache. This is very
much data and context specific. Fortunately memcached operations are
atomic.
Controlling the memcached process
---------------------------------
We need a mechanism to start the memcached process and secure it so
that only IPA components can access it.
Although memcached ships with both an initscript and systemd unit
files those are for generic instances. We want a memcached instance
dedicated exclusively to IPA usage. To accomplish this we would install
a systemd unit file or an SysV initscript to control the IPA specific
memcached service. ipactl would be extended to know about this
additional service. systemd's cgroup facility would give us additional
mechanisms to integrate the IPA memcached service within a larger IPA
process group.
Protecting the memcached data would be done via file permissions (and
optionally SELinux policy) on the UNIX domain socket. Although recent
implementations of memcached support authentication via SASL this
introduces a performance and complexity burden not warranted when
cached is dedicated to our exclusive use and access controlled by OS
mechanisms.
Conventionally daemons are protected by assigning a system uid and/or
gid to the daemon. A daemon launched by root will drop it's privileges
by assuming the effective uid:gid assigned to it. File system access
is controlled by the OS via the effective identity and SELinux policy
can be crafted based on the identity. Thus the memcached UNIX socket
would be protected by having it owned by a specific system user and/or
membership in a restricted system group (discounting for the moment
SELinux).
Unfortunately we currently do not have an IPA system uid whose
identity our processes operate under nor do we have an IPA system
group. IPA does manage a collection of related processes (daemons) and
historically each has been assigned their own uid. When these
unrelated processes communicate they mutually authenticate via other
mechanisms. We do not have much of a history of using shared file
system objects across identities. When file objects are created they
are typically assigned the identity of daemon needing to access the
object and are not accessed by other daemons, or they carry root
identity.
When our WSGI application runs in Apache it is run as a WSGI
daemon. This means when Apache starts up it forks off WSGI processes
for us and we are independent of other Apache processes. When WSGI is
run in this mode there is the ability to set the uid:gid of the WSGI
process hosting us, however we currently do not take advantage of this
option. WSGI can be run in other modes as well, only in daemon mode
can the uid:gid be independently set from the rest of Apache. All
processes started by Apache can be set to a common uid:gid specified
in the global Apache configuration, by default it's
apache:apache. Thus when our IPA code executes it is running as
apache:apache.
To protect our memcached UNIX socket we can do one of two things:
1. Assign it's uid:gid as apache:apache. This would limit access to
our cache only to processes running under httpd. It's somewhat
restricted but far from ideal. Any code running in the web server
could potentially access our cache. It's difficult to control what the
web server runs and admins may not understand the consequences of
configuring httpd to serve other things besides IPA.
2. Create an IPA specific uid:gid, for example ipa:ipa. We then configure
our WSGI application to run as the ipa:ipa user and group. We also
configure our memcached instance to run as the ipa:ipa user and
group. In this configuration we are now fully protected, only our WSGI
code can read & write to our memcached UNIX socket.
However there may be unforeseen issues by converting our code to run as
something other than apache:apache. This would require some
investigation and testing.
IPA is dependent on other system daemons, specifically Directory
Server (ds) and Certificate Server (cs). Currently we configure ds to
run under the dirsrv:dirsrv user and group, an identity of our
creation. We allow cs to default to it's pkiuser:pkiuser user and
group. Should these other cooperating daemons also run under the
common ipa:ipa user and group identities? At first blush there would
seem to be an advantage to coalescing all process identities under a
common IPA user and group identity. However these other processes do
not depend on user and group permissions when working with external
agents, processes, etc. Rather they are designed to be stand-alone
network services which authenticate their clients via other
mechanisms. They do depend on user and group permission to manage
their own file system objects. If somehow the ipa user and/or group
were compromised or malicious code somehow executed under the ipa
identity there would be an advantage in having the cooperating
processes cordoned off under their own identities providing one extra
layer of protection. (Note, these cooperating daemons may not even be
co-located on the same node in which case the issue is moot)
The UNIX socket behavior (ldapi) with Directory Server is as follows:
* The socket ownership is: root:root
* The socket permissions are: 0666
* When connecting via ldapi you must authenticate as you would
normally with a TCP socket, except ...
* If autobind is enabled and the uid:gid is available via
SO_PEERCRED and the uid:gid can be found in the set of users known
to the Directory Server then that connection will be bound as that
user.
* Otherwise an anonymous bind will occur.
memcached UNIX socket behavior is as follows:
* memcached can be invoked with a user argument, no group may be
specified. The effective uid is the uid of the user argument and
the effective gid is the primary group of the user, let's call
this euid:egid
* The socket ownership is: euid:egid
* The socket permissions are 0700 by default, but this can be
modified by the -a mask command line arg which sets the umask
(defaults to 0700).
Overview of authentication in IPA
=================================
This describes how we currently authenticate and how we plan to
improve authentication performance. First some definitions.
There are 4 major players:
1. client
2. mod_auth_kerb (in Apache process)
3. wsgi handler (in IPA wsgi python process)
4. ds (directory server)
There are several resources:
1. /ipa/ui (unprotected, web UI static resources)
2. /ipa/xml (protected, xmlrpc RPC used by command line clients)
3. /ipa/json (protected, json RPC used by javascript in web UI)
4. ds (protected, wsgi acts as proxy, our LDAP server)
Current Model
-------------
This describes how things work in our current system for the web UI.
1. Client requests /ipa/ui, this is unprotected, is static and
contains no sensitive information. Apache replies with html and
javascript. The javascript requests /ipa/json.
2. Client sends post to /ipa/json.
3. mod_auth_kerb is configured to protect /ipa/json, replies 401
authenticate negotiate.
4. Client resends with credentials
5. mod_auth_kerb validates credentials
a. if invalid replies 403 access denied (stops here)
b. if valid creates temporary ccache, adds KRB5CCNAME to request
headers
6. Request passed to wsgi handler
a. validates request, KRB5CCNAME must be present, referrer, etc.
b. ccache saved and used to bind to ds
c. routes to specified RPC handler.
7. wsgi handler replies to client
Proposed new session based optimization
---------------------------------------
The round trip negotiate and credential validation in steps 3,4,5 is
expensive. This can be avoided if we can cache the client
credentials. With client sessions we can store the client credentials
in the session bound to the client.
A few notes about the session implementation.
* based on session cookies, cookies must be enabled
* session cookie is secure, only passed on secure connections, only
passed to our URL resource, never visible to client javascript
etc.
* session cookie has a session id which is used by wsgi handler to
retrieve client session data from shared multi-process cache.
Changes to Apache's resource protection
---------------------------------------
* /ipa/json is no longer protected by mod_auth_kerb. This is
necessary to avoid the negotiate expense in steps 3,4,5
above. Instead the /ipa/json resource will be protected in our wsgi
handler via the session cookie.
* A new protected URI is introduced, /ipa/login. This resource
does no serve any data, it is used exclusively for authentication.
The new sequence is:
1. Client requests /ipa/ui, this is unprotected. Apache replies with
html and javascript. The javascript requests /ipa/json.
2. Client sends post to /ipa/json, which is unprotected.
3. wsgi handler obtains session data from session cookie.
a. if ccache is present in session data and is valid
- request is further validated
- ccache is established for bind to ds
- request is routed to RPC handler
- wsgi handler eventually replies to client
b. if ccache is not present or not valid processing continues ...
4. wsgi handler replies with 401 Unauthorized
5. client sends request to /ipa/login to obtain session credentials
6. mod_auth_kerb replies 401 negotiate on /ipa/login
7. client sends credentials to /ipa/login
8. mod_auth_kerb validates credentials
a. if valid
- mod_auth_kerb permits access to /ipa/login. wsgi handler is
invoked and does the following:
* establishes session for client
* retrieves the ccache from KRB5CCNAME and stores it
a. if invalid
- mod_auth_kerb sends 403 access denied (processing stops)
9. client now posts the same data again to /ipa/json including
session cookie. Processing repeats starting at step 2 and since
the session data now contains a valid ccache step 3a executes, a
successful reply is sent to client.
Command line client using xmlrpc
--------------------------------
The above describes the web UI utilizing the json RPC mechanism. The
IPA command line tools utilize a xmlrpc RPC mechanism on the same
HTTP server. Access to the xmlrpc is via the /ipa/xml URI. The json
and xmlrpc API's are the same, they differ only on how their procedure
calls are marshalled and unmarshalled.
Under the new scheme /ipa/xml will continue to be Kerberos protected
at all times. Apache's mod_auth_kerb will continue to require the
client provides valid Kerberos credentials.
When the WSGI handler routes to /ipa/xml the Kerberos credentials will
be extracted from the KRB5CCNAME environment variable as provided by
mod_auth_kerb. Everything else remains the same.
""")
register = Registry()
@register()
class session_logout(Command):
__doc__ = _("RPC command used to log the current user out of their session.")
has_output = (
output.Output(
'result',
),
)


@@ -1,371 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Sudo Commands
Commands used as building blocks for sudo
EXAMPLES:
Create a new command
ipa sudocmd-add --desc='For reading log files' /usr/bin/less
Remove a command
ipa sudocmd-del /usr/bin/less
""")
register = Registry()
@register()
class sudocmd(Object):
takes_params = (
parameters.Str(
'sudocmd',
primary_key=True,
label=_(u'Sudo Command'),
),
parameters.Str(
'description',
required=False,
label=_(u'Description'),
doc=_(u'A description of this command'),
),
parameters.Str(
'memberof_sudocmdgroup',
required=False,
label=_(u'Sudo Command Groups'),
),
)
@register()
class sudocmd_add(Method):
__doc__ = _("Create new Sudo Command.")
takes_args = (
parameters.Str(
'sudocmd',
cli_name='command',
label=_(u'Sudo Command'),
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this command'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class sudocmd_del(Method):
__doc__ = _("Delete Sudo Command.")
takes_args = (
parameters.Str(
'sudocmd',
multivalue=True,
cli_name='command',
label=_(u'Sudo Command'),
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class sudocmd_find(Method):
__doc__ = _("Search for Sudo Commands.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'sudocmd',
required=False,
cli_name='command',
label=_(u'Sudo Command'),
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this command'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("command")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class sudocmd_mod(Method):
__doc__ = _("Modify Sudo Command.")
takes_args = (
parameters.Str(
'sudocmd',
cli_name='command',
label=_(u'Sudo Command'),
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'A description of this command'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class sudocmd_show(Method):
__doc__ = _("Display Sudo Command.")
takes_args = (
parameters.Str(
'sudocmd',
cli_name='command',
label=_(u'Sudo Command'),
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)


@@ -1,501 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Groups of Sudo Commands
Manage groups of Sudo Commands.
EXAMPLES:
Add a new Sudo Command Group:
ipa sudocmdgroup-add --desc='administrators commands' admincmds
Remove a Sudo Command Group:
ipa sudocmdgroup-del admincmds
Manage Sudo Command Group membership, commands:
ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less,/usr/bin/vim admincmds
Manage Sudo Command Group membership, commands:
ipa group-remove-member --sudocmds=/usr/bin/less admincmds
Show a Sudo Command Group:
ipa group-show localadmins
""")
register = Registry()
@register()
class sudocmdgroup(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Sudo Command Group'),
),
parameters.Str(
'description',
label=_(u'Description'),
doc=_(u'Group description'),
),
parameters.Str(
'membercmd_sudocmd',
required=False,
label=_(u'Commands'),
),
parameters.Str(
'membercmd_sudocmdgroup',
required=False,
label=_(u'Sudo Command Groups'),
),
parameters.Str(
'member_sudocmd',
required=False,
label=_(u'Member Sudo commands'),
),
)
@register()
class sudocmdgroup_add(Method):
__doc__ = _("Create new Sudo Command Group.")
takes_args = (
parameters.Str(
'cn',
cli_name='sudocmdgroup_name',
label=_(u'Sudo Command Group'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
cli_name='desc',
label=_(u'Description'),
doc=_(u'Group description'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class sudocmdgroup_add_member(Method):
__doc__ = _("Add members to Sudo Command Group.")
takes_args = (
parameters.Str(
'cn',
cli_name='sudocmdgroup_name',
label=_(u'Sudo Command Group'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'sudocmd',
required=False,
multivalue=True,
cli_name='sudocmds',
label=_(u'member sudo command'),
doc=_(u'comma-separated list of sudo commands to add'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be added'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members added'),
),
)
@register()
class sudocmdgroup_del(Method):
__doc__ = _("Delete Sudo Command Group.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='sudocmdgroup_name',
label=_(u'Sudo Command Group'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class sudocmdgroup_find(Method):
__doc__ = _("Search for Sudo Command Groups.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='sudocmdgroup_name',
label=_(u'Sudo Command Group'),
no_convert=True,
),
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'Group description'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("sudocmdgroup-name")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class sudocmdgroup_mod(Method):
__doc__ = _("Modify Sudo Command Group.")
takes_args = (
parameters.Str(
'cn',
cli_name='sudocmdgroup_name',
label=_(u'Sudo Command Group'),
no_convert=True,
),
)
takes_options = (
parameters.Str(
'description',
required=False,
cli_name='desc',
label=_(u'Description'),
doc=_(u'Group description'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class sudocmdgroup_remove_member(Method):
__doc__ = _("Remove members from Sudo Command Group.")
takes_args = (
parameters.Str(
'cn',
cli_name='sudocmdgroup_name',
label=_(u'Sudo Command Group'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Str(
'sudocmd',
required=False,
multivalue=True,
cli_name='sudocmds',
label=_(u'member sudo command'),
doc=_(u'comma-separated list of sudo commands to remove'),
alwaysask=True,
),
)
has_output = (
output.Entry(
'result',
),
output.Output(
'failed',
dict,
doc=_(u'Members that could not be removed'),
),
output.Output(
'completed',
int,
doc=_(u'Number of members removed'),
),
)
@register()
class sudocmdgroup_show(Method):
__doc__ = _("Display Sudo Command Group.")
takes_args = (
parameters.Str(
'cn',
cli_name='sudocmdgroup_name',
label=_(u'Sudo Command Group'),
no_convert=True,
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)



@@ -1,685 +0,0 @@
#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
if six.PY3:
unicode = str
__doc__ = _("""
Cross-realm trusts
Manage trust relationship between IPA and Active Directory domains.
In order to allow users from a remote domain to access resources in IPA
domain, trust relationship needs to be established. Currently IPA supports
only trusts between IPA and Active Directory domains under control of Windows
Server 2008 or later, with functional level 2008 or later.
Please note that DNS on both IPA and Active Directory domain sides should be
configured properly to discover each other. Trust relationship relies on
ability to discover special resources in the other domain via DNS records.
Examples:
1. Establish cross-realm trust with Active Directory using AD administrator
credentials:
ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password
2. List all existing trust relationships:
ipa trust-find
3. Show details of the specific trust relationship:
ipa trust-show <ad.domain>
4. Delete existing trust relationship:
ipa trust-del <ad.domain>
Once trust relationship is established, remote users will need to be mapped
to local POSIX groups in order to actually use IPA resources. The mapping should
be done via use of external membership of non-POSIX group and then this group
should be included into one of local POSIX groups.
Example:
1. Create group for the trusted domain admins' mapping and their local POSIX group:
ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
ipa group-add --desc='<ad.domain> admins' ad_admins
2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
group:
ipa group-add-member ad_admins_external --external 'AD\Domain Admins'
3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
ipa group-add-member ad_admins --groups ad_admins_external
4. List members of external members of ad_admins_external group to see their SIDs:
ipa group-show ad_admins_external
GLOBAL TRUST CONFIGURATION
When IPA AD trust subpackage is installed and ipa-adtrust-install is run,
a local domain configuration (SID, GUID, NetBIOS name) is generated. These
identifiers are then used when communicating with a trusted domain of the
particular type.
1. Show global trust configuration for Active Directory type of trusts:
ipa trustconfig-show --type ad
2. Modify global configuration for all trusts of Active Directory type and set
a different fallback primary group (fallback primary group GID is used as
a primary user GID if user authenticating to IPA domain does not have any other
primary GID already set):
ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group"
3. Change primary fallback group back to default hidden group (any group with
posixGroup object class is allowed):
ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group"
""")
register = Registry()
@register()
class trust(Object):
takes_params = (
parameters.Str(
'cn',
primary_key=True,
label=_(u'Realm name'),
),
parameters.Str(
'ipantflatname',
label=_(u'Domain NetBIOS name'),
),
parameters.Str(
'ipanttrusteddomainsid',
label=_(u'Domain Security Identifier'),
),
parameters.Str(
'ipantsidblacklistincoming',
required=False,
multivalue=True,
label=_(u'SID blacklist incoming'),
),
parameters.Str(
'ipantsidblacklistoutgoing',
required=False,
multivalue=True,
label=_(u'SID blacklist outgoing'),
),
)
@register()
class trustconfig(Object):
takes_params = (
parameters.Str(
'cn',
label=_(u'Domain'),
),
parameters.Str(
'ipantsecurityidentifier',
label=_(u'Security Identifier'),
),
parameters.Str(
'ipantflatname',
label=_(u'NetBIOS name'),
),
parameters.Str(
'ipantdomainguid',
label=_(u'Domain GUID'),
),
parameters.Str(
'ipantfallbackprimarygroup',
label=_(u'Fallback primary group'),
),
)
@register()
class trust_add(Method):
__doc__ = _("""
Add new trust to use.
This command establishes trust relationship to another domain
which becomes 'trusted'. As result, users of the trusted domain
may access resources of this domain.
Only trusts to Active Directory domains are supported right now.
The command can be safely run multiple times against the same domain,
this will cause change to trust relationship credentials on both
sides.
""")
takes_args = (
parameters.Str(
'cn',
cli_name='realm',
label=_(u'Realm name'),
),
)
takes_options = (
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'trust_type',
cli_name='type',
cli_metavar="['ad']",
label=_(u'Trust type (ad for Active Directory, default)'),
default=u'ad',
autofill=True,
),
parameters.Str(
'realm_admin',
required=False,
cli_name='admin',
label=_(u'Active Directory domain administrator'),
),
parameters.Password(
'realm_passwd',
required=False,
cli_name='password',
label=_(u"Active directory domain administrator's password"),
),
parameters.Str(
'realm_server',
required=False,
cli_name='server',
label=_(u'Domain controller for the Active Directory domain (optional)'),
),
parameters.Password(
'trust_secret',
required=False,
label=_(u'Shared secret for the trust'),
),
parameters.Int(
'base_id',
required=False,
label=_(u'First Posix ID of the range reserved for the trusted domain'),
),
parameters.Int(
'range_size',
required=False,
label=_(u'Size of the ID range reserved for the trusted domain'),
default=200000,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class trust_del(Method):
__doc__ = _("Delete a trust.")
takes_args = (
parameters.Str(
'cn',
multivalue=True,
cli_name='realm',
label=_(u'Realm name'),
),
)
takes_options = (
parameters.Flag(
'continue',
doc=_(u"Continuous mode: Don't stop on errors."),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Output(
'result',
dict,
doc=_(u'List of deletions that failed'),
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class trust_find(Method):
__doc__ = _("Search for trusts.")
takes_args = (
parameters.Str(
'criteria',
required=False,
doc=_(u'A string searched in all relevant object attributes'),
),
)
takes_options = (
parameters.Str(
'cn',
required=False,
cli_name='realm',
label=_(u'Realm name'),
),
parameters.Str(
'ipantflatname',
required=False,
cli_name='flat_name',
label=_(u'Domain NetBIOS name'),
),
parameters.Str(
'ipanttrusteddomainsid',
required=False,
cli_name='sid',
label=_(u'Domain Security Identifier'),
),
parameters.Str(
'ipantsidblacklistincoming',
required=False,
multivalue=True,
cli_name='sid_blacklist_incoming',
label=_(u'SID blacklist incoming'),
),
parameters.Str(
'ipantsidblacklistoutgoing',
required=False,
multivalue=True,
cli_name='sid_blacklist_outgoing',
label=_(u'SID blacklist outgoing'),
),
parameters.Int(
'timelimit',
required=False,
label=_(u'Time Limit'),
doc=_(u'Time limit of search in seconds'),
),
parameters.Int(
'sizelimit',
required=False,
label=_(u'Size Limit'),
doc=_(u'Maximum number of entries returned'),
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'pkey_only',
required=False,
label=_(u'Primary key only'),
doc=_(u'Results should contain primary key attribute only ("realm")'),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.ListOfEntries(
'result',
),
output.Output(
'count',
int,
doc=_(u'Number of entries returned'),
),
output.Output(
'truncated',
bool,
doc=_(u'True if not all results were returned'),
),
)
@register()
class trust_mod(Method):
__doc__ = _("""
Modify a trust (for future use).
Currently only the default option to modify the LDAP attributes is
available. More specific options will be added in coming releases.
""")
takes_args = (
parameters.Str(
'cn',
cli_name='realm',
label=_(u'Realm name'),
),
)
takes_options = (
parameters.Str(
'ipantsidblacklistincoming',
required=False,
multivalue=True,
cli_name='sid_blacklist_incoming',
label=_(u'SID blacklist incoming'),
),
parameters.Str(
'ipantsidblacklistoutgoing',
required=False,
multivalue=True,
cli_name='sid_blacklist_outgoing',
label=_(u'SID blacklist outgoing'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class trust_show(Method):
__doc__ = _("Display information about a trust.")
takes_args = (
parameters.Str(
'cn',
cli_name='realm',
label=_(u'Realm name'),
),
)
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class trustconfig_mod(Method):
__doc__ = _("Modify global trust configuration.")
takes_options = (
parameters.Str(
'ipantfallbackprimarygroup',
required=False,
cli_name='fallback_primary_group',
label=_(u'Fallback primary group'),
),
parameters.Str(
'setattr',
required=False,
multivalue=True,
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
exclude=('webui',),
),
parameters.Str(
'addattr',
required=False,
multivalue=True,
doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
exclude=('webui',),
),
parameters.Str(
'delattr',
required=False,
multivalue=True,
doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
exclude=('webui',),
),
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Str(
'trust_type',
cli_name='type',
cli_metavar="['ad']",
label=_(u'Trust type (ad for Active Directory, default)'),
default=u'ad',
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
@register()
class trustconfig_show(Method):
__doc__ = _("Show global trust configuration.")
takes_options = (
parameters.Flag(
'rights',
label=_(u'Rights'),
doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
default=False,
autofill=True,
),
parameters.Str(
'trust_type',
cli_name='type',
cli_metavar="['ad']",
label=_(u'Trust type (ad for Active Directory, default)'),
default=u'ad',
autofill=True,
),
parameters.Flag(
'all',
doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
exclude=('webui',),
default=False,
autofill=True,
),
parameters.Flag(
'raw',
doc=_(u'Print entries as stored on the server. Only affects output format.'),
exclude=('webui',),
default=False,
autofill=True,
),
)
has_output = (
output.Output(
'summary',
(unicode, type(None)),
doc=_(u'User-friendly description of action performed'),
),
output.Entry(
'result',
),
output.Output(
'value',
unicode,
doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
),
)
