On 06/29/2016 04:40 PM, Stanislav Laznicka wrote:
> On 06/29/2016 04:02 PM, Stanislav Laznicka wrote:
>> On 06/29/2016 03:53 PM, Martin Basti wrote:
>>>
>>>
>>> On 29.06.2016 15:52, Stanislav Laznicka wrote:
>>>> On 06/24/2016 03:14 PM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 24.06.2016 15:11, Sumit Bose wrote:
>>>>>> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/433
>>>>>> The patch works for me as expected, but the API.txt update is
>>>>>> missing in
>>>>>> the patch.
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>
>>>>> There are no updated managed permissions for krbprincipalauthind
>>>>> attribute in hosts.py, is this omitted on purpose?
>>>>> Martin^2
>>>>>
>>>> The attached patch adds them should these be required.
>>>>
>>>>
>>>
>>> Then we also needs patch for services.py, because there are missing
>>> ACIs too
>>>
>>> Martin^2
>>
>> It was already included but let me separate it in two patches, then.
>>
>>
> Good catch from Petr Vobornik - the rebuilt ACI.txt should also be
> included.
> 

Attaching a new version of Nathaniel's patch with API.txt and VERSION
updated.

ACK for 0096-2

Pushed to master
* 0855b014b1edcb1632a41e380220abd7bb5e481a Add authentication indicators
support to Host objects.

The "{Service|Host} {Read|Modify} " permissions look good to me. ACK
if Nathaniel agrees that it doesn't deserve its own permission for
modify.
-- 
Petr Vobornik
From 3de08f354a8714a752b567850968b57ffc44553d Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Tue, 21 Jun 2016 14:19:03 -0400
Subject: [PATCH] Add authentication indicators support to Host objects

https://fedorahosted.org/freeipa/ticket/433
---
 API.txt                   |  9 ++++++---
 VERSION                   |  4 ++--
 ipaserver/plugins/host.py | 17 ++++++++++++++++-
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/API.txt b/API.txt
index 76e58aeec4301577952f919b17a58b777771c06a..19922660ad1787d87337b37e099c7fd9475eda53 100644
--- a/API.txt
+++ b/API.txt
@@ -2257,7 +2257,7 @@ output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('value', type=[<type 'bool'>])
 output: Output('warning', type=[<type 'list'>, <type 'tuple'>, <type 'NoneType'>])
 command: host_add/1
-args: 1,23,3
+args: 1,24,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2268,6 +2268,7 @@ option: Str('ipaassignedidview?')
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
+option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Str('l?', cli_name='locality')
 option: Str('macaddress*')
 option: Flag('no_members', autofill=True, default=False)
@@ -2380,7 +2381,7 @@ output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
 command: host_find/1
-args: 1,34,4
+args: 1,35,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('description?', autofill=False, cli_name='desc')
@@ -2392,6 +2393,7 @@ option: Str('in_netgroup*', cli_name='in_netgroups')
 option: Str('in_role*', cli_name='in_roles')
 option: Str('in_sudorule*', cli_name='in_sudorules')
 option: Str('ipaassignedidview?', autofill=False)
+option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Str('l?', autofill=False, cli_name='locality')
 option: Str('macaddress*', autofill=False)
 option: Str('man_by_host*', cli_name='man_by_hosts')
@@ -2421,7 +2423,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: host_mod/1
-args: 1,24,3
+args: 1,25,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2431,6 +2433,7 @@ option: Str('ipaassignedidview?', autofill=False)
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
+option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Str('krbprincipalname?', cli_name='principalname')
 option: Str('l?', autofill=False, cli_name='locality')
 option: Str('macaddress*', autofill=False)
diff --git a/VERSION b/VERSION
index d4d7228edb1e29c8655c058e1e4fb727950aeabc..5c3aef2e40415b869978cb9aa59bf940e0bcfb85 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=202
-# Last change: schema: support plugin versioning
+IPA_API_VERSION_MINOR=203
+# Last change: host: added authentication indicators
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 0072431de3f130d09066100f12d9fcb34e9fb96b..1091f85748d675c479285ad73465aa9541c61b45 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -295,7 +295,7 @@ class host(LDAPObject):
         'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
         'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof',
         'managedby', 'memberofindirect', 'macaddress',
-        'userclass', 'ipaallowedtoperform', 'ipaassignedidview',
+        'userclass', 'ipaallowedtoperform', 'ipaassignedidview', 'krbprincipalauthind'
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
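Review bot: The changed line in `default_attributes` now runs past 79 columns and drops the trailing comma the list had before, so the next attribute added here will have to touch this line again. Putting the new name on its own line, `'krbprincipalauthind',`, keeps future additions to a one-line diff and the file within the usual PEP 8 width.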
@@ -530,6 +530,14 @@ class host(LDAPObject):
             label=_('Assigned ID View'),
             flags=['no_option'],
         ),
+        Str('krbprincipalauthind*',
+            cli_name='auth_ind',
+            label=_('Authentication Indicators'),
+            doc=_("Defines a whitelist for Authentication Indicators."
+                  " Use 'otp' to allow OTP-based 2FA authentications."
+                  " Use 'radius' to allow RADIUS-based 2FA authentications."
+                  " Other values may be used for custom configurations."),
+        ),
     ) + ticket_flags_params
 
     def get_dn(self, *keys, **options):
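Review bot: The `doc` text on the new `krbprincipalauthind*` parameter calls the value a whitelist but does not say what an unset or empty list means, which is the case an administrator most needs to understand for an authentication control. If an unset attribute means that any authentication method is accepted for the host (the wording suggests this, but the enforcement is not part of this patch), say so, for example by appending `" If unset, no indicator is required."`. The values are free-form by design ("Other values may be used"), so a mistyped indicator is accepted here without complaint; a sentence noting that the string must match the indicator actually issued at authentication would help. The `takes_params` tuple starts outside the hunk.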
@@ -912,6 +920,13 @@ class host_mod(LDAPUpdate):
             if 'krbticketpolicyaux' not in entry_attrs['objectclass']:
                 entry_attrs['objectclass'].append('krbticketpolicyaux')
 
+        if 'krbprincipalauthind' in entry_attrs:
+            if 'objectclass' not in entry_attrs:
+                entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
+                entry_attrs['objectclass'] = entry_attrs_old['objectclass']
+            if 'krbprincipalaux' not in entry_attrs['objectclass']:
+                entry_attrs['objectclass'].append('krbprincipalaux')
+
         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
 
         return dn
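Review bot: The `krbprincipalaux` fix-up added before `add_sshpubkey_to_attrs_pre` exists only in `host_mod`, while API.txt in the same patch exposes `krbprincipalauthind` on `host_add` as well. If `host_add` can create an entry without that objectclass (its callback is not in this patch, so this needs checking), `host-add --auth-ind` would fail the directory's schema check; the same guard should then run there, ideally from a shared helper. Separately, `if 'krbprincipalauthind' in entry_attrs:` tests key presence only, so it presumably also fires when the option is being cleared, costing an extra `ldap.get_entry` and possibly adding the objectclass for nothing; `if entry_attrs.get('krbprincipalauthind'):` would limit it to real values. The enclosing method of `host_mod` starts outside the hunk.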
-- 
2.5.5
