From e885fdff4d1bfee23bd41e6e64f64680ae643624 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 11 Aug 2016 11:52:05 +0300
Subject: [PATCH] service: add flag to allow S4U2Self
Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
API.txt | 12 ++++++++----
VERSION | 4 ++--
ipaserver/plugins/service.py | 7 +++++++
3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/API.txt b/API.txt
index 535d8ec9a4990395207e2455a09a8c1bdef5529a..5b83bfbd0b457b77e0522ab7d83abfae4df3ebe9 100644
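--- a/API.txt
+++ b/API.txt
@@ -2260,7 +2260,7 @@ output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('value', type=[<type 'bool'>])
 output: Output('warning', type=[<type 'list'>, <type 'tuple'>, <type 'NoneType'>])
 command: host_add/1
-args: 1,24,3
+args: 1,25,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2269,6 +2269,7 @@ option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
 option: Str('ipaassignedidview?')
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
@@ -2437,7 +2438,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: host_mod/1
-args: 1,25,3
+args: 1,26,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2445,6 +2446,7 @@ option: Str('delattr*', cli_name='delattr')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Str('ipaassignedidview?', autofill=False)
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
@@ -4293,13 +4295,14 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: service_add/1
-args: 1,12,3
+args: 1,13,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Flag('force', autofill=True, default=False)
 option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
@@ -4435,13 +4438,14 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: service_mod/1
-args: 1,14,3
+args: 1,15,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')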
diff --git a/VERSION b/VERSION
index ca489965050f32d2d8987dfd251ec2b2a0ba1768..a8b89ed305bcfdf2990a7400d005a68d734fa7e8 100644
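--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=211
-# Last change: mbabinsk: allow 'value' output param in commands without primary key
+IPA_API_VERSION_MINOR=212
+# Last change: ab: service: add flag to allow S4U2Self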
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index a44dcaa5e348d3deedda6c0b4f55760ad873cf49..04d1916fe989a8651bcc4d44f1914c460be1081c 100644
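--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -171,11 +171,18 @@ ticket_flags_params = (
 doc=_('Client credentials may be delegated to the service'),
 flags=['virtual_attribute', 'no_search'],
 ),
+ Bool('ipakrboktoauthasdelegate?',
+ cli_name='ok_to_auth_as_delegate',
+ label=_('Trusted to authenticate as user'),
+ doc=_('The service is allowed to authenticate on behalf of a client'),
+ flags=['virtual_attribute', 'no_search'],
+ ),
 )
 
 _ticket_flags_map = {
 'ipakrbrequirespreauth': 0x00000080,
 'ipakrbokasdelegate': 0x00100000,
+ 'ipakrboktoauthasdelegate': 0x00200000,
 }
 
 _ticket_flags_default = _ticket_flags_map['ipakrbrequirespreauth']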
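Review bot: The new `'ipakrboktoauthasdelegate': 0x00200000` entry in `_ticket_flags_map` and the `doc` text of the new `Bool` give an administrator no sense of how privileged this flag is. Per the commit subject it enables S4U2Self, which presumably lets the service obtain tickets in a user's name without that user presenting credentials. The help text 'The service is allowed to authenticate on behalf of a client' reads almost the same as the neighbouring `ok_as_delegate` description. I would add a comment on the map entry such as `# KRB5_KDB_OK_TO_AUTH_AS_DELEGATE: protocol transition (S4U2Self); grant only to services that must impersonate users`, and reword `doc` to say that no client credentials are involved. The API.txt section shows the same option appearing on `host_add`/`host_mod`, so it is worth confirming outside this hunk that writes to the underlying ticket-flags attribute are restricted to administrators and that changes to this bit are logged. The `ticket_flags_params` tuple begins above the hunk.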
--
2.7.4