Re: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
On 06/30/2016 03:55 PM, Nathaniel McCallum wrote:
> On Thu, 2016-06-30 at 13:42 +0200, Petr Vobornik wrote:
>> On 06/29/2016 04:40 PM, Stanislav Laznicka wrote:
>>> On 06/29/2016 04:02 PM, Stanislav Laznicka wrote:
>>>> On 06/29/2016 03:53 PM, Martin Basti wrote:
>>>>> On 29.06.2016 15:52, Stanislav Laznicka wrote:
>>>>>> On 06/24/2016 03:14 PM, Martin Basti wrote:
>>>>>>> On 24.06.2016 15:11, Sumit Bose wrote:
>>>>>>>> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote:
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/433
>>>>>>>> The patch works for me as expected, but the API.txt update is
>>>>>>>> missing in the patch.
>>>>>>>>
>>>>>>>> bye,
>>>>>>>> Sumit
>>>>>>>
>>>>>>> There are no updated managed permissions for krbprincipalauthind
>>>>>>> attribute in hosts.py, is this omitted on purpose?
>>>>>>> Martin^2
>>>>>>
>>>>>> The attached patch adds them should these be required.
>>>>>
>>>>> Then we also need a patch for services.py, because there are missing
>>>>> ACIs too
>>>>>
>>>>> Martin^2
>>>>
>>>> It was already included but let me separate it in two patches, then.
>>>
>>> Good catch from Petr Vobornik - the rebuilt ACI.txt should also be
>>> included.
>>
>> Attaching new version of Nathaniel's patch with API.txt and VERSION
>> updated.
>>
>> ACK for 0096-2
>>
>> Pushed to master
>> * 0855b014b1edcb1632a41e380220abd7bb5e481a Add authentication indicators
>>   support to Host objects.
>>
>> The "{Service|Host} {Read|Modify} " permissions look good to me. ACK
>> if Nathaniel agrees that it doesn't deserve its own permission for
>> modify.
>
> I agree. We can add it later if someone needs it.

pushed to master:
* 97db87b383b1ae4639bdb51793354bad30adf5a9 host: Added permissions for auth. indicators read/modify
* 235b19ba7f9807ecf10436d1a5b28518b4475a70 service: Added permissions for auth. indicators read/modify

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
On Thu, 2016-06-30 at 13:42 +0200, Petr Vobornik wrote:
> On 06/29/2016 04:40 PM, Stanislav Laznicka wrote:
> > On 06/29/2016 04:02 PM, Stanislav Laznicka wrote:
> > > On 06/29/2016 03:53 PM, Martin Basti wrote:
> > > > On 29.06.2016 15:52, Stanislav Laznicka wrote:
> > > > > On 06/24/2016 03:14 PM, Martin Basti wrote:
> > > > > > On 24.06.2016 15:11, Sumit Bose wrote:
> > > > > > > On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel
> > > > > > > McCallum wrote:
> > > > > > > > https://fedorahosted.org/freeipa/ticket/433
> > > > > > > The patch works for me as expected, but the API.txt
> > > > > > > update is missing in the patch.
> > > > > > > 
> > > > > > > bye,
> > > > > > > Sumit
> > > > > > 
> > > > > > There are no updated managed permissions for
> > > > > > krbprincipalauthind attribute in hosts.py, is this omitted
> > > > > > on purpose?
> > > > > > Martin^2
> > > > > 
> > > > > The attached patch adds them should these be required.
> > > > 
> > > > Then we also need a patch for services.py, because there are
> > > > missing ACIs too
> > > > 
> > > > Martin^2
> > > 
> > > It was already included but let me separate it in two patches,
> > > then.
> > 
> > Good catch from Petr Vobornik - the rebuilt ACI.txt should also be
> > included.
> 
> Attaching new version of Nathaniel's patch with API.txt and VERSION
> updated.
> 
> ACK for 0096-2
> 
> Pushed to master
> * 0855b014b1edcb1632a41e380220abd7bb5e481a Add authentication
>   indicators support to Host objects.
> 
> The "{Service|Host} {Read|Modify} " permissions look good to me. ACK
> if Nathaniel agrees that it doesn't deserve its own permission for
> modify.

I agree. We can add it later if someone needs it.
Re: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
On 06/29/2016 04:40 PM, Stanislav Laznicka wrote: > On 06/29/2016 04:02 PM, Stanislav Laznicka wrote: >> On 06/29/2016 03:53 PM, Martin Basti wrote: >>> >>> >>> On 29.06.2016 15:52, Stanislav Laznicka wrote: On 06/24/2016 03:14 PM, Martin Basti wrote: > > > On 24.06.2016 15:11, Sumit Bose wrote: >> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: >>> https://fedorahosted.org/freeipa/ticket/433 >> The patch works for me as expected, but the API.txt update is >> missing in >> the patch. >> >> bye, >> Sumit > > There are no updated managed permissions for krbprincipalauthind > attribute in hosts.py, is this omitted on purpose? > Martin^2 > The attached patch adds them should these be required. >>> >>> Then we also needs patch for services.py, because there are missing >>> ACIs too >>> >>> Martin^2 >> >> It was already included but let me separate it in two patches, then. >> >> > Good catch from Petr Vobornik - the rebuilt ACI.txt should also be > included. > Attaching new version of Nathnaniel's patch with API.txt and VERSION updated. ACK for 0096-2 Pushed to master * 0855b014b1edcb1632a41e380220abd7bb5e481a Add authentication indicators support to Host objects. The "{Service|Host} {Read|Modify} " permissions looks good to me. ACK if Nathaniel agrees that it doesn't deserved it's own permission for modify. -- Petr Vobornik From 3de08f354a8714a752b567850968b57ffc44553d Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Tue, 21 Jun 2016 14:19:03 -0400 Subject: [PATCH] Add authentication indicators support to Host objects https://fedorahosted.org/freeipa/ticket/433 --- API.txt | 9 ++--- VERSION | 4 ++-- ipaserver/plugins/host.py | 17 - 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 76e58aeec4301577952f919b17a58b71c06a..19922660ad1787d87337b37e099c7fd9475eda53 100644 --- a/API.txt +++ b/API.txt 
@@ -2257,7 +2257,7 @@ output: Output('summary', type=[, ]) output: Output('value', type=[]) output: Output('warning', type=[, , ]) command: host_add/1 -args: 1,23,3 +args: 1,24,3 arg: Str('fqdn', cli_name='hostname') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) @@ -2268,6 +2268,7 @@ option: Str('ipaassignedidview?') option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate') option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth') option: Str('ipasshpubkey*', cli_name='sshpubkey') +option: Str('krbprincipalauthind*', cli_name='auth_ind') option: Str('l?', cli_name='locality') option: Str('macaddress*') option: Flag('no_members', autofill=True, default=False) @@ -2380,7 +2381,7 @@ output: Output('completed', type=[]) output: Output('failed', type=[]) output: Entry('result') command: host_find/1 -args: 1,34,4 +args: 1,35,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('description?', autofill=False, cli_name='desc') @@ -2392,6 +2393,7 @@ option: Str('in_netgroup*', cli_name='in_netgroups') option: Str('in_role*', cli_name='in_roles') option: Str('in_sudorule*', cli_name='in_sudorules') option: Str('ipaassignedidview?', autofill=False) +option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind') option: Str('l?', autofill=False, cli_name='locality') option: Str('macaddress*', autofill=False) option: Str('man_by_host*', cli_name='man_by_hosts') @@ -2421,7 +2423,7 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: host_mod/1 -args: 1,24,3 +args: 1,25,3 arg: Str('fqdn', cli_name='hostname') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) 
@@ -2431,6 +2433,7 @@ option: Str('ipaassignedidview?', autofill=False) option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate') option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth') option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey') +option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind') option: Str('krbprincipalname?', cli_name='principalname') option: Str('l?', autofill=False, cli_name='locality') option: Str('macaddress*', autofill=False) diff --git a/VERSION b/VERSION index d4d7228edb1e29c8655c058e1e4fb727950aeabc..5c3aef2e40415b869978cb9aa59bf940e0bcfb85 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412 # # IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=202 -# Last change: schema: support plugin versioning +IPA_API_VERSION_MINOR=203 +# Last change: host: added authentication indicators diff --git a/ipaserver/plugins/host.py b/ipaserv
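Review bot: the `args:` counts in the API.txt blocks for host_add, host_find and host_mod each grow by exactly one (1,23,3 to 1,24,3; 1,34,4 to 1,35,4; 1,24,3 to 1,25,3) to match the single added `option: Str('krbprincipalauthind*', cli_name='auth_ind')` line, so the API record is consistent; the one thing to confirm is that API.txt was regenerated from host.py rather than edited by hand, since the `autofill=False` present on the host_find and host_mod variants but not on host_add must stay in step with the Str definition.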
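Review bot: the VERSION hunk bumps IPA_API_VERSION_MINOR from 202 to 203 and replaces the `# Last change:` comment with `host: added authentication indicators`, which is the right record for a new public option; because the read/modify permissions for krbprincipalauthind are not part of this patch, the commit message should say that the permission changes follow separately so the API bump is not mistaken for a complete feature.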
Re: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
On 06/29/2016 04:02 PM, Stanislav Laznicka wrote: On 06/29/2016 03:53 PM, Martin Basti wrote: On 29.06.2016 15:52, Stanislav Laznicka wrote: On 06/24/2016 03:14 PM, Martin Basti wrote: On 24.06.2016 15:11, Sumit Bose wrote: On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: https://fedorahosted.org/freeipa/ticket/433 The patch works for me as expected, but the API.txt update is missing in the patch. bye, Sumit There are no updated managed permissions for krbprincipalauthind attribute in hosts.py, is this omitted on purpose? Martin^2 The attached patch adds them should these be required. Then we also needs patch for services.py, because there are missing ACIs too Martin^2 It was already included but let me separate it in two patches, then. Good catch from Petr Vobornik - the rebuilt ACI.txt should also be included. From 9a80066123e8e97fb9c9daed4f339a5d5368faf3 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 29 Jun 2016 15:56:55 +0200 Subject: [PATCH 1/2] host: Added permissions for auth. indicators read/modify Added permissions for Kerberos authentication indicators reading and modifying to host objects. https://fedorahosted.org/freeipa/ticket/433 --- ACI.txt | 4 ++-- ipaserver/plugins/host.py | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ACI.txt b/ACI.txt index 98566de..86955c5 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -137,13 +137,13 @@ aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=computers,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "description || ipaassignedidview || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "description || ipaassignedidview || krbprincipalauthind || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || macaddress || modifytimestamp || objectclass")(target = "ldap:///cn=computers,cn=compat,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read Host Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";;) dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";;) dn: cn=computers,cn=accounts,dc=ipa,dc=example -aci: (targetattr = "cn || createtimestamp || description || enrolledby || entryusn || fqdn || ipaassignedidview || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || 
krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || modifytimestamp || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";;) +aci: (targetattr = "cn || createtimestamp || description || enrolledby || entryusn || fqdn || ipaassignedidview || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalauthind || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || modifytimestamp || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";;) dn: cn=computers,cn=accounts,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Remove Hosts";allow (delete) groupdn = "ldap:///cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 0072431..c54439e 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -333,7 +333,7 @@ class host(LDAPObject): 'enrolledby', '
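Review bot: adding krbprincipalauthind to the "System: Read Hosts" ACI exposes each host's indicator whitelist to `userdn = "ldap:///all"`, that is every authenticated user, which reveals which hosts require otp or radius; this is in line with the Kerberos policy attributes already in that targetattr list (krbprincipalexpiration, krbpasswordexpiration), so it is defensible, but the commit message should state that read access is intentionally this broad.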
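Review bot: the "System: Modify Hosts" write ACI now also covers krbprincipalauthind, so any holder of that permission can relax or remove a host's indicator requirement; whether that warrants a dedicated modify permission is a policy decision, and the outcome belongs in the commit message so a later reader does not have to reconstruct it from the list thread.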
Re: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
On 06/29/2016 03:53 PM, Martin Basti wrote: On 29.06.2016 15:52, Stanislav Laznicka wrote: On 06/24/2016 03:14 PM, Martin Basti wrote: On 24.06.2016 15:11, Sumit Bose wrote: On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: https://fedorahosted.org/freeipa/ticket/433 The patch works for me as expected, but the API.txt update is missing in the patch. bye, Sumit There are no updated managed permissions for krbprincipalauthind attribute in hosts.py, is this omitted on purpose? Martin^2 The attached patch adds them should these be required. Then we also needs patch for services.py, because there are missing ACIs too Martin^2 It was already included but let me separate it in two patches, then. From d05969e29aa190602ae9f90c6e6161e517b0ad0d Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 29 Jun 2016 15:56:55 +0200 Subject: [PATCH 1/2] host: Added permissions for auth. indicators read/modify Added permissions for Kerberos authentication indicators reading and modifying to host objects. https://fedorahosted.org/freeipa/ticket/433 --- ipaserver/plugins/host.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 0072431de3f130d09066100f12d9fcb34e9fb96b..c54439e9b55de85d871241083ccb512cc1a88f29 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -333,7 +333,7 @@ class host(LDAPObject): 'enrolledby', 'managedby', 'ipaassignedidview', 'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases', 'krbprincipalexpiration', 'krbpasswordexpiration', -'krblastpwdchange', +'krblastpwdchange', 'krbprincipalauthind', }, }, 'System: Read Host Membership': { 
@@ -411,6 +411,7 @@ class host(LDAPObject): 'ipapermdefaultattr': { 'description', 'l', 'nshardwareplatform', 'nshostlocation', 'nsosversion', 'macaddress', 'userclass', 'ipaassignedidview', +'krbprincipalauthind', }, 'replaces': [ '(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)', -- 2.5.5 From 3a503b91680b49afc5bc0ba39ec5451f5b0352a1 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 29 Jun 2016 15:58:07 +0200 Subject: [PATCH 2/2] service: Added permissions for auth. indicators read/modify Added permissions for Kerberos authentication indicators reading and modifying to service objects. --- ipaserver/plugins/service.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 701314f8d9f2ac14c2b92fea1b75c7bf1754dac3..bc5bf529b45568d63e2a5b99906a7755d4ac8d40 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py @@ -437,7 +437,7 @@ class service(LDAPObject): 'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases', 'krbprincipalexpiration', 'krbpasswordexpiration', 'krblastpwdchange', 'ipakrbauthzdata', 'ipakrbprincipalalias', -'krbobjectreferences', +'krbobjectreferences', 'krbprincipalauthind', }, }, 'System: Add Services': { 
@@ -465,7 +465,7 @@ class service(LDAPObject): }, 'System: Modify Services': { 'ipapermright': {'write'}, -'ipapermdefaultattr': {'usercertificate'}, +'ipapermdefaultattr': {'usercertificate', 'krbprincipalauthind'}, 'replaces': [ '(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)', ], -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
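Review bot: the diffstat of PATCH 1/2 lists only ipaserver/plugins/host.py, but the `'krbprincipalauthind'` additions to the 'System: Read Hosts' and 'System: Modify Hosts' ipapermdefaultattr sets change the generated ACIs, so the rebuilt ACI.txt has to travel in the same patch or the checked-in file drifts from the definitions.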
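Review bot: the commit message of PATCH 2/2 drops the ticket reference https://fedorahosted.org/freeipa/ticket/433 that PATCH 1/2 carries; add it so both halves link to the same ticket.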
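Review bot: in the @@ -465 hunk, `'ipapermdefaultattr': {'usercertificate', 'krbprincipalauthind'}` turns "System: Modify Services" from a certificate-only permission into one that also controls the service's indicator requirement, so anyone currently delegated certificate management gains the ability to weaken two-factor enforcement for that service; if that widening is intended, say so in the commit message, otherwise keep the attribute out of this permission.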
Re: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
On 06/24/2016 03:14 PM, Martin Basti wrote: On 24.06.2016 15:11, Sumit Bose wrote: On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: https://fedorahosted.org/freeipa/ticket/433 The patch works for me as expected, but the API.txt update is missing in the patch. bye, Sumit There are no updated managed permissions for krbprincipalauthind attribute in hosts.py, is this omitted on purpose? Martin^2 The attached patch adds them should these be required. From becd1e2d284dcd98a2ba35fcd68e0f9354f0a365 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 29 Jun 2016 15:45:28 +0200 Subject: [PATCH] Added permissions for auth. indicators read/modify Added permissions for Kerberos authentication indicators reading and modifying to host and service objects. https://fedorahosted.org/freeipa/ticket/433 --- ipaserver/plugins/host.py| 3 ++- ipaserver/plugins/service.py | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 1091f85748d675c479285ad73465aa9541c61b45..be4a1711f3d6b7ee3bc12cbee1c705a9067f73b2 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -333,7 +333,7 @@ class host(LDAPObject): 'enrolledby', 'managedby', 'ipaassignedidview', 'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases', 'krbprincipalexpiration', 'krbpasswordexpiration', -'krblastpwdchange', +'krblastpwdchange', 'krbprincipalauthind', }, }, 'System: Read Host Membership': { @@ -411,6 +411,7 @@ class host(LDAPObject): 'ipapermdefaultattr': { 'description', 'l', 'nshardwareplatform', 'nshostlocation', 'nsosversion', 'macaddress', 'userclass', 'ipaassignedidview', +'krbprincipalauthind', }, 'replaces': [ '(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify Hosts,cn=permissions,cn=pbac,$SUFFIX";)', 
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py index 701314f8d9f2ac14c2b92fea1b75c7bf1754dac3..bc5bf529b45568d63e2a5b99906a7755d4ac8d40 100644 --- a/ipaserver/plugins/service.py +++ b/ipaserver/plugins/service.py @@ -437,7 +437,7 @@ class service(LDAPObject): 'krbprincipalname', 'krbcanonicalname', 'krbprincipalaliases', 'krbprincipalexpiration', 'krbpasswordexpiration', 'krblastpwdchange', 'ipakrbauthzdata', 'ipakrbprincipalalias', -'krbobjectreferences', +'krbobjectreferences', 'krbprincipalauthind', }, }, 'System: Add Services': { @@ -465,7 +465,7 @@ class service(LDAPObject): }, 'System: Modify Services': { 'ipapermright': {'write'}, -'ipapermdefaultattr': {'usercertificate'}, +'ipapermdefaultattr': {'usercertificate', 'krbprincipalauthind'}, 'replaces': [ '(targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Modify Services";allow (write) groupdn = "ldap:///cn=Modify Services,cn=permissions,cn=pbac,$SUFFIX";)', ], -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
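Review bot: this combined patch touches host.py and service.py but its diffstat has no ACI.txt, which is generated from the 'ipapermdefaultattr' sets being changed here and must be rebuilt alongside them; separately, the host and service changes are independent and would be easier to review and bisect as two commits, each carrying the ticket URL.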
Re: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
On 29.06.2016 15:52, Stanislav Laznicka wrote:
> On 06/24/2016 03:14 PM, Martin Basti wrote:
>> On 24.06.2016 15:11, Sumit Bose wrote:
>>> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote:
>>>> https://fedorahosted.org/freeipa/ticket/433
>>> The patch works for me as expected, but the API.txt update is
>>> missing in the patch.
>>>
>>> bye,
>>> Sumit
>>
>> There are no updated managed permissions for krbprincipalauthind
>> attribute in hosts.py, is this omitted on purpose?
>> Martin^2
>
> The attached patch adds them should these be required.

Then we also need a patch for services.py, because there are missing
ACIs too

Martin^2
Re: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
On 24.06.2016 15:11, Sumit Bose wrote: On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: https://fedorahosted.org/freeipa/ticket/433 The patch works for me as expected, but the API.txt update is missing in the patch. bye, Sumit There are no updated managed permissions for krbprincipalauthind attribute in hosts.py, is this omitted on purpose? Martin^2 From c7254a9dd182b34665b50c45c5ece42a3cbc56e2 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Tue, 21 Jun 2016 14:19:03 -0400 Subject: [PATCH] Add authentication indicators support to Host objects https://fedorahosted.org/freeipa/ticket/433 --- ipaserver/plugins/host.py | 17 - 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py index 15805a3d2292dcf176ec52afdd3885563eea1210..905116e9c4d12c9e35bb82a5ff2c7bd8b920e80d 100644 --- a/ipaserver/plugins/host.py +++ b/ipaserver/plugins/host.py @@ -294,7 +294,7 @@ class host(LDAPObject): 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', 'managedby', 'memberofindirect', 'macaddress', -'userclass', 'ipaallowedtoperform', 'ipaassignedidview', +'userclass', 'ipaallowedtoperform', 'ipaassignedidview', 'krbprincipalauthind' ] uuid_attribute = 'ipauniqueid' attribute_members = { @@ -529,6 +529,14 @@ class host(LDAPObject): label=_('Assigned ID View'), flags=['no_option'], ), +Str('krbprincipalauthind*', +cli_name='auth_ind', +label=_('Authentication Indicators'), +doc=_("Defines a whitelist for Authentication Indicators." + " Use 'otp' to allow OTP-based 2FA authentications." + " Use 'radius' to allow RADIUS-based 2FA authentications." + " Other values may be used for custom configurations."), +), ) + ticket_flags_params def get_dn(self, *keys, **options): 
@@ -910,6 +918,13 @@ class host_mod(LDAPUpdate): if 'krbticketpolicyaux' not in entry_attrs['objectclass']: entry_attrs['objectclass'].append('krbticketpolicyaux') +if 'krbprincipalauthind' in entry_attrs: +if 'objectclass' not in entry_attrs: +entry_attrs_old = ldap.get_entry(dn, ['objectclass']) +entry_attrs['objectclass'] = entry_attrs_old['objectclass'] +if 'krbprincipalaux' not in entry_attrs['objectclass']: +entry_attrs['objectclass'].append('krbprincipalaux') + add_sshpubkey_to_attrs_pre(self.context, attrs_list) return dn -- 2.9.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
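Review bot: the new `Str('krbprincipalauthind*', cli_name='auth_ind', ...)` parameter in the @@ -529 hunk changes the public signature of host_add, host_find and host_mod, yet the diffstat lists only ipaserver/plugins/host.py; the regenerated API.txt and the IPA_API_VERSION_MINOR bump in VERSION belong in the same patch.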
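Review bot: the block added to host_mod in the @@ -910 hunk repeats the fetch-objectclass-then-append pattern used directly above it for krbticketpolicyaux; a small helper taking the auxiliary class name would keep both paths identical and avoid a second `ldap.get_entry(dn, ['objectclass'])` round trip when both attributes are modified in one call. Also, `'krbprincipalauthind' in entry_attrs` is true when the option is passed to clear the attribute, so krbprincipalaux is appended even when nothing remains to store in it; harmless, but worth a comment.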
Re: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: > https://fedorahosted.org/freeipa/ticket/433 The patch works for me as expected, but the API.txt update is missing in the patch. bye, Sumit > From c7254a9dd182b34665b50c45c5ece42a3cbc56e2 Mon Sep 17 00:00:00 2001 > From: Nathaniel McCallum > Date: Tue, 21 Jun 2016 14:19:03 -0400 > Subject: [PATCH] Add authentication indicators support to Host objects > > https://fedorahosted.org/freeipa/ticket/433 > --- > ipaserver/plugins/host.py | 17 - > 1 file changed, 16 insertions(+), 1 deletion(-) > > diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py > index > 15805a3d2292dcf176ec52afdd3885563eea1210..905116e9c4d12c9e35bb82a5ff2c7bd8b920e80d > 100644 > --- a/ipaserver/plugins/host.py > +++ b/ipaserver/plugins/host.py > @@ -294,7 +294,7 @@ class host(LDAPObject): > 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', > 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', > 'managedby', 'memberofindirect', 'macaddress', > -'userclass', 'ipaallowedtoperform', 'ipaassignedidview', > +'userclass', 'ipaallowedtoperform', 'ipaassignedidview', > 'krbprincipalauthind' > ] > uuid_attribute = 'ipauniqueid' > attribute_members = { > @@ -529,6 +529,14 @@ class host(LDAPObject): > label=_('Assigned ID View'), > flags=['no_option'], > ), > +Str('krbprincipalauthind*', > +cli_name='auth_ind', > +label=_('Authentication Indicators'), > +doc=_("Defines a whitelist for Authentication Indicators." > + " Use 'otp' to allow OTP-based 2FA authentications." > + " Use 'radius' to allow RADIUS-based 2FA authentications." > + " Other values may be used for custom configurations."), > +), > ) + ticket_flags_params > > def get_dn(self, *keys, **options): 
> @@ -910,6 +918,13 @@ class host_mod(LDAPUpdate): > if 'krbticketpolicyaux' not in entry_attrs['objectclass']: > entry_attrs['objectclass'].append('krbticketpolicyaux') > > +if 'krbprincipalauthind' in entry_attrs: > +if 'objectclass' not in entry_attrs: > +entry_attrs_old = ldap.get_entry(dn, ['objectclass']) > +entry_attrs['objectclass'] = entry_attrs_old['objectclass'] > +if 'krbprincipalaux' not in entry_attrs['objectclass']: > +entry_attrs['objectclass'].append('krbprincipalaux') > + > add_sshpubkey_to_attrs_pre(self.context, attrs_list) > > return dn > -- > 2.9.0 > -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
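Review bot: putting 'krbprincipalauthind' into default_attributes in the @@ -294 hunk makes host-show and host-find return it by default, but the patch changes no managed permission, so users whose LDAP read access comes only from "System: Read Hosts" will silently not see the attribute; the read (and modify) permission definitions need to include it, either here or in a follow-up that lands with this one.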