|
 |
403b09 |
From 4d7f256b83522de2046bcf783cd6bb2a4a025b29 Mon Sep 17 00:00:00 2001
|
|
|
99b6f7 |
From: Martin Kosek <mkosek@redhat.com>
|
|
|
e3ffab |
Date: Fri, 5 Sep 2014 11:26:18 +0200
|
|
|
e3ffab |
Subject: [PATCH] Remove pkinit plugin
|
|
|
99b6f7 |
|
|
|
99b6f7 |
This patch completely removes any signs of pkinit in the IPA package. It
|
|
|
99b6f7 |
should be used only as addition to the first patch attached to the
|
|
|
99b6f7 |
ticket.
|
|
|
99b6f7 |
|
|
|
99b6f7 |
Rebased patch by Jan Zeleny and Rob Crittenden.
|
|
|
99b6f7 |
|
|
|
99b6f7 |
https://fedorahosted.org/freeipa/ticket/616
|
|
|
99b6f7 |
---
|
|
|
403b09 |
API.txt | 7 ---
|
|
|
403b09 |
ipaserver/plugins/pkinit.py | 105 --------------------------------------------
|
|
|
403b09 |
2 files changed, 112 deletions(-)
|
|
|
403b09 |
delete mode 100644 ipaserver/plugins/pkinit.py
|
|
|
99b6f7 |
|
|
|
99b6f7 |
diff --git a/API.txt b/API.txt
|
|
|
403b09 |
index fb5bf83cea0633130217cf1327481c8e9b11c4fc..ab2262966d113fd91d13f36f73e691ce5178b50f 100644
|
|
|
99b6f7 |
--- a/API.txt
|
|
|
99b6f7 |
+++ b/API.txt
|
|
|
403b09 |
@@ -3583,11 +3583,6 @@ command: ping/1
|
|
|
99b6f7 |
args: 0,1,1
|
|
|
403b09 |
option: Str('version?')
|
|
|
403b09 |
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
|
|
|
403b09 |
-command: pkinit_anonymous/1
|
|
|
99b6f7 |
-args: 1,1,1
|
|
|
99b6f7 |
-arg: Str('action')
|
|
|
403b09 |
-option: Str('version?')
|
|
|
403b09 |
-output: Output('result')
|
|
|
403b09 |
command: plugins/1
|
|
|
99b6f7 |
args: 0,3,3
|
|
|
403b09 |
option: Flag('all', autofill=True, cli_name='all', default=True)
|
|
|
403b09 |
@@ -6526,8 +6521,6 @@ default: permission_mod/1
|
|
|
403b09 |
default: permission_remove_member/1
|
|
|
403b09 |
default: permission_show/1
|
|
|
403b09 |
default: ping/1
|
|
|
403b09 |
-default: pkinit/1
|
|
|
403b09 |
-default: pkinit_anonymous/1
|
|
|
403b09 |
default: plugins/1
|
|
|
403b09 |
default: privilege/1
|
|
|
403b09 |
default: privilege_add/1
|
|
|
403b09 |
diff --git a/ipaserver/plugins/pkinit.py b/ipaserver/plugins/pkinit.py
|
|
|
99b6f7 |
deleted file mode 100644
|
|
|
403b09 |
index 9aa101063705f54509d3de42c1acd23ca96f4a37..0000000000000000000000000000000000000000
|
|
|
403b09 |
--- a/ipaserver/plugins/pkinit.py
|
|
|
99b6f7 |
+++ /dev/null
|
|
|
e3ffab |
@@ -1,105 +0,0 @@
|
|
|
99b6f7 |
-# Authors:
|
|
|
99b6f7 |
-# Simo Sorce <ssorce@redhat.com>
|
|
|
99b6f7 |
-#
|
|
|
99b6f7 |
-# Copyright (C) 2010 Red Hat
|
|
|
99b6f7 |
-# see file 'COPYING' for use and warranty information
|
|
|
99b6f7 |
-#
|
|
|
99b6f7 |
-# This program is free software; you can redistribute it and/or modify
|
|
|
99b6f7 |
-# it under the terms of the GNU General Public License as published by
|
|
|
99b6f7 |
-# the Free Software Foundation, either version 3 of the License, or
|
|
|
99b6f7 |
-# (at your option) any later version.
|
|
|
99b6f7 |
-#
|
|
|
99b6f7 |
-# This program is distributed in the hope that it will be useful,
|
|
|
99b6f7 |
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
99b6f7 |
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
99b6f7 |
-# GNU General Public License for more details.
|
|
|
99b6f7 |
-#
|
|
|
99b6f7 |
-# You should have received a copy of the GNU General Public License
|
|
|
99b6f7 |
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
-from ipalib import api, errors
|
|
|
403b09 |
-from ipalib import Str
|
|
|
99b6f7 |
-from ipalib import Object, Command
|
|
|
99b6f7 |
-from ipalib import _
|
|
|
e3ffab |
-from ipalib.plugable import Registry
|
|
|
99b6f7 |
-from ipapython.dn import DN
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
-__doc__ = _("""
|
|
|
99b6f7 |
-Kerberos pkinit options
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
-Enable or disable anonymous pkinit using the principal
|
|
|
99b6f7 |
-WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
|
|
|
99b6f7 |
-pkinit support.
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
-EXAMPLES:
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
- Enable anonymous pkinit:
|
|
|
99b6f7 |
- ipa pkinit-anonymous enable
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
- Disable anonymous pkinit:
|
|
|
99b6f7 |
- ipa pkinit-anonymous disable
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
-For more information on anonymous pkinit see:
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
-http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
|
|
|
99b6f7 |
-""")
|
|
|
99b6f7 |
-
|
|
|
e3ffab |
-register = Registry()
|
|
|
e3ffab |
-
|
|
|
e3ffab |
-@register()
|
|
|
99b6f7 |
-class pkinit(Object):
|
|
|
99b6f7 |
- """
|
|
|
99b6f7 |
- PKINIT Options
|
|
|
99b6f7 |
- """
|
|
|
99b6f7 |
- object_name = _('pkinit')
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
- label=_('PKINIT')
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
-def valid_arg(ugettext, action):
|
|
|
99b6f7 |
- """
|
|
|
99b6f7 |
- Accepts only Enable/Disable.
|
|
|
99b6f7 |
- """
|
|
|
99b6f7 |
- a = action.lower()
|
|
|
99b6f7 |
- if a != 'enable' and a != 'disable':
|
|
|
99b6f7 |
- raise errors.ValidationError(
|
|
|
99b6f7 |
- name='action',
|
|
|
99b6f7 |
- error=_('Unknown command %s') % action
|
|
|
99b6f7 |
- )
|
|
|
99b6f7 |
-
|
|
|
e3ffab |
-@register()
|
|
|
99b6f7 |
-class pkinit_anonymous(Command):
|
|
|
99b6f7 |
- __doc__ = _('Enable or Disable Anonymous PKINIT.')
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
- princ_name = 'WELLKNOWN/ANONYMOUS@%s' % api.env.realm
|
|
|
99b6f7 |
- default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn)
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
- takes_args = (
|
|
|
99b6f7 |
- Str('action', valid_arg),
|
|
|
99b6f7 |
- )
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
- def execute(self, action, **options):
|
|
|
99b6f7 |
- ldap = self.api.Backend.ldap2
|
|
|
99b6f7 |
- set_lock = False
|
|
|
99b6f7 |
- lock = None
|
|
|
99b6f7 |
-
|
|
|
e3ffab |
- entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock'])
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
- if 'nsaccountlock' in entry_attrs:
|
|
|
99b6f7 |
- lock = entry_attrs['nsaccountlock'][0].lower()
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
- if action.lower() == 'enable':
|
|
|
99b6f7 |
- if lock == 'true':
|
|
|
99b6f7 |
- set_lock = True
|
|
|
99b6f7 |
- lock = None
|
|
|
99b6f7 |
- elif action.lower() == 'disable':
|
|
|
99b6f7 |
- if lock != 'true':
|
|
|
99b6f7 |
- set_lock = True
|
|
|
99b6f7 |
- lock = 'TRUE'
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
- if set_lock:
|
|
|
e3ffab |
- entry_attrs['nsaccountlock'] = lock
|
|
|
e3ffab |
- ldap.update_entry(entry_attrs)
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
- return dict(result=True)
|
|
|
99b6f7 |
-
|
|
|
99b6f7 |
--
|
|
|
403b09 |
2.7.4
|
|
|
99b6f7 |
|