On 06/29/2016 04:40 PM, Stanislav Laznicka wrote: > On 06/29/2016 04:02 PM, Stanislav Laznicka wrote: >> On 06/29/2016 03:53 PM, Martin Basti wrote: >>> >>> >>> On 29.06.2016 15:52, Stanislav Laznicka wrote: >>>> On 06/24/2016 03:14 PM, Martin Basti wrote: >>>>> >>>>> >>>>> On 24.06.2016 15:11, Sumit Bose wrote: >>>>>> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: >>>>>>> https://fedorahosted.org/freeipa/ticket/433 >>>>>> The patch works for me as expected, but the API.txt update is >>>>>> missing in >>>>>> the patch. >>>>>> >>>>>> bye, >>>>>> Sumit >>>>> >>>>> There are no updated managed permissions for krbprincipalauthind >>>>> attribute in hosts.py, is this omitted on purpose? >>>>> Martin^2 >>>>> >>>> The attached patch adds them should these be required. >>>> >>>> >>> >>> Then we also needs patch for services.py, because there are missing >>> ACIs too >>> >>> Martin^2 >> >> It was already included but let me separate it in two patches, then. >> >> > Good catch from Petr Vobornik - the rebuilt ACI.txt should also be > included. >
Attaching new version of Nathnaniel's patch with API.txt and VERSION updated. ACK for 0096-2 Pushed to master * 0855b014b1edcb1632a41e380220abd7bb5e481a Add authentication indicators support to Host objects. The "{Service|Host} {Read|Modify} " permissions looks good to me. ACK if Nathaniel agrees that it doesn't deserved it's own permission for modify. -- Petr Vobornik
From 3de08f354a8714a752b567850968b57ffc44553d Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum <npmccal...@redhat.com> Date: Tue, 21 Jun 2016 14:19:03 -0400 Subject: [PATCH] Add authentication indicators support to Host objects https://fedorahosted.org/freeipa/ticket/433 --- API.txt | 9 ++++++--- VERSION | 4 ++-- ipaserver/plugins/host.py | 17 ++++++++++++++++- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 76e58aeec4301577952f919b17a58b777771c06a..19922660ad1787d87337b37e099c7fd9475eda53 100644 --- a/API.txt +++ b/API.txt @@ -2257,7 +2257,7 @@ output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) output: Output('value', type=[<type 'bool'>]) output: Output('warning', type=[<type 'list'>, <type 'tuple'>, <type 'NoneType'>]) command: host_add/1 -args: 1,23,3 +args: 1,24,3 arg: Str('fqdn', cli_name='hostname') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) @@ -2268,6 +2268,7 @@ option: Str('ipaassignedidview?') option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate') option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth') option: Str('ipasshpubkey*', cli_name='sshpubkey') +option: Str('krbprincipalauthind*', cli_name='auth_ind') option: Str('l?', cli_name='locality') option: Str('macaddress*') option: Flag('no_members', autofill=True, default=False) @@ -2380,7 +2381,7 @@ output: Output('completed', type=[<type 'int'>]) output: Output('failed', type=[<type 'dict'>]) output: Entry('result') command: host_find/1 -args: 1,34,4 +args: 1,35,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('description?', autofill=False, cli_name='desc') @@ -2392,6 +2393,7 @@ option: Str('in_netgroup*', cli_name='in_netgroups') option: Str('in_role*', cli_name='in_roles') option: Str('in_sudorule*', cli_name='in_sudorules') option: Str('ipaassignedidview?', autofill=False) +option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind') option: Str('l?', autofill=False, cli_name='locality') option: Str('macaddress*', autofill=False) option: Str('man_by_host*', cli_name='man_by_hosts') @@ -2421,7 +2423,7 @@ output: ListOfEntries('result') output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) output: Output('truncated', type=[<type 'bool'>]) command: host_mod/1 -args: 1,24,3 +args: 1,25,3 arg: Str('fqdn', cli_name='hostname') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) @@ -2431,6 +2433,7 @@ option: Str('ipaassignedidview?', autofill=False) option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate') option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth') option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey') +option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind') option: Str('krbprincipalname?', cli_name='principalname') option: Str('l?', autofill=False, cli_name='locality') option: Str('macaddress*', autofill=False) diff --git a/VERSION b/VERSION index d4d7228edb1e29c8655c058e1e4fb727950aeabc..5c3aef2e40415b869978cb9aa59bf940e0bcfb85 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=202 -# Last change: schema: support plugin versioning +IPA_API_VERSION_MINOR=203 +# Last change: host: added authentication indicators diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 0072431de3f130d09066100f12d9fcb34e9fb96b..1091f85748d675c479285ad73465aa9541c61b45 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -295,7 +295,7 @@ class host(LDAPObject): 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', 'managedby', 'memberofindirect', 'macaddress', - 'userclass', 'ipaallowedtoperform', 'ipaassignedidview', + 'userclass', 'ipaallowedtoperform', 'ipaassignedidview', 'krbprincipalauthind' ] uuid_attribute = 'ipauniqueid' attribute_members = { @@ -530,6 +530,14 @@ class host(LDAPObject): label=_('Assigned ID View'), flags=['no_option'], ), + Str('krbprincipalauthind*', + cli_name='auth_ind', + label=_('Authentication Indicators'), + doc=_("Defines a whitelist for Authentication Indicators." + " Use 'otp' to allow OTP-based 2FA authentications." + " Use 'radius' to allow RADIUS-based 2FA authentications." + " Other values may be used for custom configurations."), + ), ) + ticket_flags_params def get_dn(self, *keys, **options): @@ -912,6 +920,13 @@ class host_mod(LDAPUpdate): if 'krbticketpolicyaux' not in entry_attrs['objectclass']: entry_attrs['objectclass'].append('krbticketpolicyaux') + if 'krbprincipalauthind' in entry_attrs: + if 'objectclass' not in entry_attrs: + entry_attrs_old = ldap.get_entry(dn, ['objectclass']) + entry_attrs['objectclass'] = entry_attrs_old['objectclass'] + if 'krbprincipalaux' not in entry_attrs['objectclass']: + entry_attrs['objectclass'].append('krbprincipalaux') + add_sshpubkey_to_attrs_pre(self.context, attrs_list) return dn -- 2.5.5
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code