URL: https://github.com/freeipa/freeipa/pull/621 Author: redhatrises Title: #621: Add --force-password-reset to user_mod in user.py Action: opened
PR body: """ - Allows an admin to easily force a user to expire their password forcing them to change it. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/621/head:pr621 git checkout pr621
From 5916353f6753561b8df660d08ad53391d18320ff Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Sat, 18 Mar 2017 09:43:18 -0600
Subject: [PATCH] Add --force-password-reset to user_mod in user.py
- Allows an admin to easily force a user to expire their password forcing them to change it.
---
 ACI.txt | 2 +-
 API.txt | 3 ++-
 VERSION.m4 | 4 ++--
 ipaserver/plugins/user.py | 13 ++++++++++++-
 4 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index 9c7996c..185812a 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -351,7 +351,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index f0bd1b6..d673c05 100644
--- a/API.txt
+++ b/API.txt
@@ -6072,7 +6072,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: user_mod/1
-args: 1,47,3
+args: 1,48,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -6084,6 +6084,7 @@ option: Str('displayname?', autofill=False)
 option: Str('employeenumber?', autofill=False)
 option: Str('employeetype?', autofill=False)
 option: Str('facsimiletelephonenumber*', autofill=False, cli_name='fax')
+option: Flag('forcepasswordreset', autofill=True, cli_name='force_password_reset', default=False)
 option: Str('gecos?', autofill=False)
 option: Int('gidnumber?', autofill=False)
 option: Str('givenname?', autofill=False, cli_name='first')
diff --git a/VERSION.m4 b/VERSION.m4
index d244641..3af6648 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 20100614120000)
 # #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 223)
-# Last change: Add domain resolution order to ID views
+define(IPA_API_VERSION_MINOR, 224)
+# Last change: Add --force-password-reset to user_mod
 ########################################################
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 2d29dfb..2672632 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -261,7 +261,7 @@ class user(baseuser): ], 'ipapermdefaultattr': { 'krbprincipalkey', 'passwordhistory', 'sambalmpassword', - 'sambantpassword', 'userpassword' + 'sambantpassword', 'userpassword', 'krbpasswordexpiration' }, 'replaces': [ '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)', @@ -766,6 +766,13 @@ class user_mod(baseuser_mod): has_output_params = baseuser_mod.has_output_params + user_output_params + takes_options = baseuser_mod.takes_options + ( + Flag('forcepasswordreset', + cli_name='force_password_reset', + doc=_('Force a user to change password on the next successful login'), + ), + ) + def get_options(self): for option in super(user_mod, self).get_options(): if option.name == "nsaccountlock": @@ -776,6 +783,10 @@ def get_options(self): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): dn = self.obj.get_either_dn(*keys, **options) + + if options.get('forcepasswordreset'): + entry_attrs['krbPasswordExpiration'] = [strftime("%Y%m%d%H%M%SZ", gmtime())] + self.pre_common_callback(ldap, dn, entry_attrs, attrs_list, *keys, **options) validate_nsaccountlock(entry_attrs)
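Review bot: Adding `'krbpasswordexpiration'` to `ipapermdefaultattr` gives every holder of "System: Change User password" plain LDAP write access to that attribute, which is broader than what the new option needs. `user_mod` only ever writes the current time, but the ACI itself does not restrict the value, so a delegated helpdesk role could presumably also write a far-future expiry for any non-admin user and so sidestep the password-lifetime policy. Consider carrying the attribute in a separate managed permission that is granted deliberately, or at least record the trade-off next to the set with a comment such as `# write access allows any expiry value, not only "now"`. The permission definition begins and ends outside this hunk.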
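Review bot: The `doc` string on the new `Flag` in `takes_options` promises a change "on the next successful login" without saying that the option works by expiring the password immediately, which is what the `pre_callback` hunk does. Expiring a password does not end Kerberos tickets or sessions the user already holds, so an admin who uses this flag after a suspected compromise needs that caveat. A wording such as `doc=_('Expire the user password now so it must be changed at the next login; existing sessions are not ended')` would carry it. The diffstat lists only ACI.txt, API.txt, VERSION.m4 and user.py, so the option also arrives without a test.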
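Review bot: `strftime` and `gmtime` are called in `pre_callback`, but the patch adds no import for them: the three hunks account for all 13 changed lines of user.py. The new code therefore only works if the module already imports both names from `time`, which is worth confirming before merge. The generalized-time format is also spelled out by hand; `ipalib.constants` provides `LDAP_GENERALIZED_TIME_FORMAT`, so `strftime(LDAP_GENERALIZED_TIME_FORMAT, gmtime())` would avoid a second copy of the literal, assuming the constant is imported in this file. A short comment such as `# expire the password now so a change is demanded at the next authentication` would explain why the attribute is set. The body of `pre_callback` appears to continue past the last line of the hunk.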