[Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects

Martin Basti mbasti at redhat.com
Fri Jun 24 13:14:59 UTC 2016



On 24.06.2016 15:11, Sumit Bose wrote:
> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote:
>> https://fedorahosted.org/freeipa/ticket/433
> The patch works for me as expected, but the API.txt update is missing in
> the patch.
>
> bye,
> Sumit

There are no updated managed permissions for the krbprincipalauthind
attribute in hosts.py; is this omitted on purpose?
Martin^2
>
>>  From c7254a9dd182b34665b50c45c5ece42a3cbc56e2 Mon Sep 17 00:00:00 2001
>> From: Nathaniel McCallum <npmccallum at redhat.com>
>> Date: Tue, 21 Jun 2016 14:19:03 -0400
>> Subject: [PATCH] Add authentication indicators support to Host objects
>>
>> https://fedorahosted.org/freeipa/ticket/433
>> ---
>>   ipaserver/plugins/host.py | 17 ++++++++++++++++-
>>   1 file changed, 16 insertions(+), 1 deletion(-)
>>
>> diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
>> index 15805a3d2292dcf176ec52afdd3885563eea1210..905116e9c4d12c9e35bb82a5ff2c7bd8b920e80d 100644
>> --- a/ipaserver/plugins/host.py
>> +++ b/ipaserver/plugins/host.py
>> @@ -294,7 +294,7 @@ class host(LDAPObject):
>>           'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
>>           'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof',
>>           'managedby', 'memberofindirect', 'macaddress',
>> -        'userclass', 'ipaallowedtoperform', 'ipaassignedidview',
>> +        'userclass', 'ipaallowedtoperform', 'ipaassignedidview', 'krbprincipalauthind'
>>       ]
>>       uuid_attribute = 'ipauniqueid'
>>       attribute_members = {
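Review bot: the added 'krbprincipalauthind' entry at the end of the attribute list line has no trailing comma and pushes that line past 79 columns. Put it on its own line with a trailing comma, so the line passes pep8 and a later addition to the list cannot be silently joined to it as adjacent string literals.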
>> @@ -529,6 +529,14 @@ class host(LDAPObject):
>>               label=_('Assigned ID View'),
>>               flags=['no_option'],
>>           ),
>> +        Str('krbprincipalauthind*',
>> +            cli_name='auth_ind',
>> +            label=_('Authentication Indicators'),
>> +            doc=_("Defines a whitelist for Authentication Indicators."
>> +                  " Use 'otp' to allow OTP-based 2FA authentications."
>> +                  " Use 'radius' to allow RADIUS-based 2FA authentications."
>> +                  " Other values may be used for custom configurations."),
>> +        ),
>>       ) + ticket_flags_params
>>   
>>       def get_dn(self, *keys, **options):
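Review bot: the new Str('krbprincipalauthind*') parameter is exposed on the host object, but none of the 16 inserted lines in this patch touches the host managed permissions, so nothing here grants read or write access to the attribute. Either add the attribute to the relevant read and modify permissions in the same patch or say in the commit message why it is left out. A new parameter also changes the command signatures, so the API.txt update belongs in this patch.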
>> @@ -910,6 +918,13 @@ class host_mod(LDAPUpdate):
>>               if 'krbticketpolicyaux' not in entry_attrs['objectclass']:
>>                   entry_attrs['objectclass'].append('krbticketpolicyaux')
>>   
>> +        if 'krbprincipalauthind' in entry_attrs:
>> +            if 'objectclass' not in entry_attrs:
>> +                entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
>> +                entry_attrs['objectclass'] = entry_attrs_old['objectclass']
>> +            if 'krbprincipalaux' not in entry_attrs['objectclass']:
>> +                entry_attrs['objectclass'].append('krbprincipalaux')
>> +
>>           add_sshpubkey_to_attrs_pre(self.context, attrs_list)
>>   
>>           return dn
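Review bot: the check 'krbprincipalaux' not in entry_attrs['objectclass'] in the host_mod hunk is a case-sensitive Python list test, while LDAP objectClass values are case-insensitive, so an entry that stores the class with different capitalisation would have a second copy appended. Compare against lowercased values before appending. The patch also changes only host_mod; if the new option is accepted by host_add as well, confirm that the entry it creates always carries krbprincipalaux.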
>> -- 
>> 2.9.0
>>



