|
 |
7d56d3 |
From b6100f0c19e2caf73ab70bbc572d3e47e6066b48 Mon Sep 17 00:00:00 2001
|
|
|
7d56d3 |
From: Thomas Woerner <twoerner@redhat.com>
|
|
|
7d56d3 |
Date: Tue, 17 Dec 2019 14:04:43 +0100
|
|
|
7d56d3 |
Subject: [PATCH] ipahost: Fix choices of auth_ind parameter, allow to reset
|
|
|
7d56d3 |
parameter
|
|
|
7d56d3 |
|
|
|
7d56d3 |
The choices for the auth_ind parameter have been wrong. The choices are now
|
|
|
7d56d3 |
['radius', 'otp', 'pkinit', 'hardened', '']. The empty string has been added
|
|
|
7d56d3 |
to be able to rest auth_ind for the host entry.
|
|
|
7d56d3 |
---
|
|
|
7d56d3 |
README-host.md | 2 +-
|
|
|
7d56d3 |
plugins/modules/ipahost.py | 15 ++++++++++++---
|
|
|
7d56d3 |
2 files changed, 13 insertions(+), 4 deletions(-)
|
|
|
7d56d3 |
|
|
|
7d56d3 |
diff --git a/README-host.md b/README-host.md
|
|
|
7d56d3 |
index edec8d9..be5ad79 100644
|
|
|
7d56d3 |
--- a/README-host.md
|
|
|
7d56d3 |
+++ b/README-host.md
|
|
|
7d56d3 |
@@ -280,7 +280,7 @@ Variable | Description | Required
|
|
|
7d56d3 |
`mac_address` \| `macaddress` | List of hardware MAC addresses. | no
|
|
|
7d56d3 |
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
|
|
|
7d56d3 |
`userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
|
|
|
7d56d3 |
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened"] | no
|
|
|
7d56d3 |
+`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
|
|
|
7d56d3 |
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
|
|
|
7d56d3 |
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
|
|
|
7d56d3 |
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
|
|
|
7d56d3 |
diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py
|
|
|
7d56d3 |
index ec5e196..b130395 100644
|
|
|
7d56d3 |
--- a/plugins/modules/ipahost.py
|
|
|
7d56d3 |
+++ b/plugins/modules/ipahost.py
|
|
|
7d56d3 |
@@ -147,9 +147,10 @@
|
|
|
7d56d3 |
Defines a whitelist for Authentication Indicators. Use 'otp' to allow
|
|
|
7d56d3 |
OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA
|
|
|
7d56d3 |
authentications. Other values may be used for custom configurations.
|
|
|
7d56d3 |
+ Use empty string to reset auth_ind to the initial value.
|
|
|
7d56d3 |
type: list
|
|
|
7d56d3 |
aliases: ["krbprincipalauthind"]
|
|
|
7d56d3 |
- choices: ["radius", "otp", "pkinit", "hardened"]
|
|
|
7d56d3 |
+ choices: ["radius", "otp", "pkinit", "hardened", ""]
|
|
|
7d56d3 |
required: false
|
|
|
7d56d3 |
requires_pre_auth:
|
|
|
7d56d3 |
description: Pre-authentication is required for the service
|
|
|
7d56d3 |
@@ -277,9 +278,10 @@
|
|
|
7d56d3 |
Defines a whitelist for Authentication Indicators. Use 'otp' to allow
|
|
|
7d56d3 |
OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA
|
|
|
7d56d3 |
authentications. Other values may be used for custom configurations.
|
|
|
7d56d3 |
+ Use empty string to reset auth_ind to the initial value.
|
|
|
7d56d3 |
type: list
|
|
|
7d56d3 |
aliases: ["krbprincipalauthind"]
|
|
|
7d56d3 |
- choices: ["radius", "otp", "pkinit", "hardened"]
|
|
|
7d56d3 |
+ choices: ["radius", "otp", "pkinit", "hardened", ""]
|
|
|
7d56d3 |
required: false
|
|
|
7d56d3 |
requires_pre_auth:
|
|
|
7d56d3 |
description: Pre-authentication is required for the service
|
|
|
7d56d3 |
@@ -590,7 +592,7 @@ def main():
|
|
|
7d56d3 |
default=None),
|
|
|
7d56d3 |
auth_ind=dict(type='list', aliases=["krbprincipalauthind"],
|
|
|
7d56d3 |
default=None,
|
|
|
7d56d3 |
- choices=['password', 'radius', 'otp']),
|
|
|
7d56d3 |
+ choices=['radius', 'otp', 'pkinit', 'hardened', '']),
|
|
|
7d56d3 |
requires_pre_auth=dict(type="bool", aliases=["ipakrbrequirespreauth"],
|
|
|
7d56d3 |
default=None),
|
|
|
7d56d3 |
ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"],
|
|
|
7d56d3 |
@@ -835,6 +837,13 @@ def main():
|
|
|
7d56d3 |
if x in args:
|
|
|
7d56d3 |
del args[x]
|
|
|
7d56d3 |
|
|
|
7d56d3 |
+ # Ignore auth_ind if it is empty (for resetting)
|
|
|
7d56d3 |
+ # and not set in for the host
|
|
|
7d56d3 |
+ if "krbprincipalauthind" not in res_find and \
|
|
|
7d56d3 |
+ "krbprincipalauthind" in args and \
|
|
|
7d56d3 |
+ args["krbprincipalauthind"] == ['']:
|
|
|
7d56d3 |
+ del args["krbprincipalauthind"]
|
|
|
7d56d3 |
+
|
|
|
7d56d3 |
# For all settings is args, check if there are
|
|
|
7d56d3 |
# different settings in the find result.
|
|
|
7d56d3 |
# If yes: modify
|