[Freeipa-devel] [PATCH] Add support for account unlocking

2011-01-21 Thread Jan Zeleny
This patch adds command ipa user-unlock and some LDAP modifications
which are required by Kerberos for unlocking to work.

Ticket:
https://fedorahosted.org/freeipa/ticket/344

Jan
From 930409cc86c7ae9d15b03396d3a3078ff1255859 Mon Sep 17 00:00:00 2001
From: Jan Zeleny 
Date: Fri, 21 Jan 2011 03:07:53 -0500
Subject: [PATCH] Add support for account unlocking

This patch adds command ipa user-unlock and some LDAP modifications
which are required by Kerberos for unlocking to work.

Ticket:
https://fedorahosted.org/freeipa/ticket/344
---
 install/share/60kerberos.ldif  |4 +++-
 install/share/default-aci.ldif |2 +-
 install/share/delegation.ldif  |   10 ++
 ipalib/plugins/user.py |   24 
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/install/share/60kerberos.ldif b/install/share/60kerberos.ldif
index f08329c48cbcd00ce9641582a13e8c6c118dac7c..72800d2426b776f2db119159187cad688eb9 100644
--- a/install/share/60kerberos.ldif
+++ b/install/share/60kerberos.ldif
@@ -254,6 +254,8 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUA
 # the additional principal objects and stand alone principal 
 # objects (krbPrincipal) can be created.
 attributetypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+# The time at which administrator unlocked the account
+attributetypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 
 
 # 		Object Class Definitions   #
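Review bot: the new attributetypes line for krbLastAdminUnlock declares only EQUALITY generalizedTimeMatch; add ORDERING generalizedTimeOrderingMatch as well, so that an audit search such as (krbLastAdminUnlock>=20110121000000Z) can find all accounts unlocked since a given time instead of exact timestamp matches only. Minor: the comment above it should read "The time at which an administrator unlocked the account".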
@@ -282,7 +284,7 @@ objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbSer
 objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP ( krbService ) )
 ## The principal data auxiliary class. Holds principal information
 ## and is used to store principal information for Person, Service objects.
-objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbLastAdminUnlock ) )
 ## This class is used to create additional principals and stand alone principals.
 objectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP ( top ) MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) )
 ## The principal references auxiliary class. Holds all principals referred
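Review bot: the krbPrincipalAux change lands only in install/share/60kerberos.ldif, and the diffstat shows no install/updates entry, so a server installed before this patch keeps the old object class definition and would likely reject the plugin's write of krbLastAdminUnlock as an objectClass violation. Please either add an update file alongside this change or state in the commit message how existing deployments are expected to pick up the new schema.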
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index ff0e5aec0af551a34f53e46c85c95bb97a509dc2..35665154fbc29f9f60874adf45f3052010659bba 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -9,7 +9,7 @@ aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || samban
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory || krbExtraData")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
-aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
+aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbLastAdminUnlock")(version 3.0; acl "KDC System Account can update some fields"; allow (read,write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
 aci: (targetattr = "krbPrincipalName || krbCan
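Review bot: besides adding krbLastAdminUnlock to targetattr, this ACI changes allow (write) to allow (read,write) for the KDC system account on all four attributes, and neither the commit message nor the acl name "KDC System Account can update some fields" reflects that widening. If the KDC needs read access to compare krbLastAdminUnlock with krbLastFailedAuth when deciding whether a lockout still applies, say so in the commit message and consider an acl name that mentions read access, so the extra grant is not mistaken for an accident in a later audit.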

Re: [Freeipa-devel] [PATCH] Add support for account unlocking

2011-01-26 Thread Jan Zelený
Jan Zeleny  wrote:
> This patch adds command ipa user-unlock and some LDAP modifications
> which are required by Kerberos for unlocking to work.
> 
> Ticket:
> https://fedorahosted.org/freeipa/ticket/344
> 
> Jan

Just a reminder that this patch needs a review.

Thanks
Jan

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] Add support for account unlocking

2011-01-27 Thread Rob Crittenden

Jan Zelený wrote:
> Jan Zeleny  wrote:
> > This patch adds command ipa user-unlock and some LDAP modifications
> > which are required by Kerberos for unlocking to work.
> > 
> > Ticket:
> > https://fedorahosted.org/freeipa/ticket/344
> > 
> > Jan
> 
> Just a reminder that this patch needs a review.
> 
> Thanks
> Jan


This doesn't apply against master due to some changes to delegations.
Can you rebase and set the aci name to 'permission:Unlock user accounts'.

I did manage to test this and it works as expected; I just don't want to
mangle the rebase.


rob



Re: [Freeipa-devel] [PATCH] Add support for account unlocking

2011-01-28 Thread Jan Zelený
Rob Crittenden  wrote:
> Jan Zelený wrote:
> > Jan Zeleny  wrote:
> >> This patch adds command ipa user-unlock and some LDAP modifications
> >> which are required by Kerberos for unlocking to work.
> >> 
> >> Ticket:
> >> https://fedorahosted.org/freeipa/ticket/344
> >> 
> >> Jan
> > 
> > Just a reminder that this patch needs a review.
> > 
> > Thanks
> > Jan
> 
> This doesn't apply against master due to some changes to delegations.
> Can you rebase and set the aci name to 'permission:Unlock user accounts'.
> 
> I did manage to test this and it works as expected, I just don't want to
> mangle the rebase.
> 
> rob

The patch is rebased; I also added the change to API.txt.

Jan
From 3844e0d8fba330948e150e5938b72758ee252207 Mon Sep 17 00:00:00 2001
From: Jan Zeleny 
Date: Fri, 21 Jan 2011 03:07:53 -0500
Subject: [PATCH] Add support for account unlocking

This patch adds command ipa user-unlock and some LDAP modifications
which are required by Kerberos for unlocking to work.

Ticket:
https://fedorahosted.org/freeipa/ticket/344
---
 API.txt|6 ++
 install/share/60kerberos.ldif  |4 +++-
 install/share/default-aci.ldif |2 +-
 install/share/delegation.ldif  |   10 ++
 ipalib/plugins/user.py |   24 
 5 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/API.txt b/API.txt
index 42ba61f48dad4bdcaaa8e28c84e62c2607017ed6..703978f576986eed868e4eb4b3956938cd58b470 100644
--- a/API.txt
+++ b/API.txt
@@ -2614,3 +2614,9 @@ option: Str('version?', exclude='webui', flags=['no_option', 'no_output'])
 output: Output('summary', (, ), 'User-friendly description of action performed')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user")
+command: user_unlock
+args: 1,0,3
+arg: Str('uid', attribute=True, cli_name='login', default_from=DefaultFrom(, 'givenname', 'sn'), label=Gettext('User login', domain='ipa', localedir=None), maxlength=255, multivalue=False, normalizer=, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=True)
+output: Output('summary', (, ), 'User-friendly description of action performed')
+output: Output('result', , 'True means the operation was successful')
+output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user")
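Review bot: user_unlock is recorded with args: 1,0,3, i.e. no options at all, while the command immediately above it in the context still carries option: Str('version?', exclude='webui', flags=['no_option', 'no_output']); confirm that the missing option is intended for this command and not a line dropped while rebasing API.txt.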
diff --git a/install/share/60kerberos.ldif b/install/share/60kerberos.ldif
index f08329c48cbcd00ce9641582a13e8c6c118dac7c..72800d2426b776f2db119159187cad688eb9 100644
--- a/install/share/60kerberos.ldif
+++ b/install/share/60kerberos.ldif
@@ -254,6 +254,8 @@ attributetypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUA
 # the additional principal objects and stand alone principal 
 # objects (krbPrincipal) can be created.
 attributetypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12)
+# The time at which administrator unlocked the account
+attributetypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 
 
 # 		Object Class Definitions   #
@@ -282,7 +284,7 @@ objectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP ( krbSer
 objectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP ( krbService ) )
 ## The principal data auxiliary class. Holds principal information
 ## and is used to store principal information for Person, Service objects.
-objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData ) )
+objectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbLastAdminUnlock ) )
 ## This class is used to create additional principals and stand alone principals.
 objectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP ( top ) MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) )
 ## The principal ref

Re: [Freeipa-devel] [PATCH] Add support for account unlocking

2011-01-28 Thread Rob Crittenden

Jan Zelený wrote:
> Rob Crittenden  wrote:
> > Jan Zelený wrote:
> > > Jan Zeleny   wrote:
> > > > This patch adds command ipa user-unlock and some LDAP modifications
> > > > which are required by Kerberos for unlocking to work.
> > > > 
> > > > Ticket:
> > > > https://fedorahosted.org/freeipa/ticket/344
> > > > 
> > > > Jan
> > > 
> > > Just a reminder that this patch needs a review.
> > > 
> > > Thanks
> > > Jan
> > 
> > This doesn't apply against master due to some changes to delegations.
> > Can you rebase and set the aci name to 'permission:Unlock user accounts'.
> > 
> > I did manage to test this and it works as expected; I just don't want to
> > mangle the rebase.
> > 
> > rob
> 
> The patch is rebased; I also added the change to API.txt.
> 
> Jan


ack, pushed to master
