Re: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects

[Martin Basti]

On 24.06.2016 15:11, Sumit Bose wrote:
On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote:
https://fedorahosted.org/freeipa/ticket/433
The patch works for me as expected, but the API.txt update is missing in
the patch.

bye,
Sumit

There are no updated managed permissions for krbprincipalauthind 
attribute in hosts.py, is this omitted on purpose?
Martin^2

 From c7254a9dd182b34665b50c45c5ece42a3cbc56e2 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Tue, 21 Jun 2016 14:19:03 -0400
Subject: [PATCH] Add authentication indicators support to Host objects

https://fedorahosted.org/freeipa/ticket/433
---
  ipaserver/plugins/host.py | 17 ++++++++++++++++-
  1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 
15805a3d2292dcf176ec52afdd3885563eea1210..905116e9c4d12c9e35bb82a5ff2c7bd8b920e80d
 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -294,7 +294,7 @@ class host(LDAPObject):
          'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
          'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof',
          'managedby', 'memberofindirect', 'macaddress',
-        'userclass', 'ipaallowedtoperform', 'ipaassignedidview',
+        'userclass', 'ipaallowedtoperform', 'ipaassignedidview', 
'krbprincipalauthind'
      ]
      uuid_attribute = 'ipauniqueid'
      attribute_members = {
@@ -529,6 +529,14 @@ class host(LDAPObject):
              label=_('Assigned ID View'),
              flags=['no_option'],
          ),
+        Str('krbprincipalauthind*',
+            cli_name='auth_ind',
+            label=_('Authentication Indicators'),
+            doc=_("Defines a whitelist for Authentication Indicators."
+                  " Use 'otp' to allow OTP-based 2FA authentications."
+                  " Use 'radius' to allow RADIUS-based 2FA authentications."
+                  " Other values may be used for custom configurations."),
+        ),
      ) + ticket_flags_params
  
      def get_dn(self, *keys, **options):
@@ -910,6 +918,13 @@ class host_mod(LDAPUpdate):
              if 'krbticketpolicyaux' not in entry_attrs['objectclass']:
                  entry_attrs['objectclass'].append('krbticketpolicyaux')
  
+        if 'krbprincipalauthind' in entry_attrs:
+            if 'objectclass' not in entry_attrs:
+                entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
+                entry_attrs['objectclass'] = entry_attrs_old['objectclass']
+            if 'krbprincipalaux' not in entry_attrs['objectclass']:
+                entry_attrs['objectclass'].append('krbprincipalaux')
+
          add_sshpubkey_to_attrs_pre(self.context, attrs_list)
  
          return dn
--
2.9.0


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code