# Simo Sorce <ssorce@redhat.com>
# Copyright (C) 2010 Red Hat
# see file 'COPYING' for use and warranty information
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipalib import api, errors
from ipalib import Int, Str
from ipalib import Object, Command
from ipalib.plugable import Registry
from ipapython.dn import DN
Kerberos pkinit options
Enable or disable anonymous pkinit using the principal
WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with pkinit support.
Enable anonymous pkinit:
ipa pkinit-anonymous enable
Disable anonymous pkinit:
ipa pkinit-anonymous disable
For more information on anonymous pkinit see:
http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
# Display name of the pkinit object, wrapped in _() (presumably the gettext
# translation marker; its definition is not shown here).
# NOTE(review): the enclosing class statement is not visible in this listing.
object_name = _('pkinit')
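def valid_arg(ugettext, action):
    """
    Accept only 'enable' or 'disable' (case-insensitive) as the action.

    This is an allow-list check on a caller-supplied argument: anything
    other than the two known actions is rejected before the command runs.

    :param ugettext: translation callable passed in by the framework;
        not used by this validator.
    :param action: the action string supplied by the caller.
    :raises errors.ValidationError: if ``action`` is neither 'enable'
        nor 'disable'.
    """
    # NOTE(review): the listing compared an unbound name `a`, left the
    # docstring unquoted and the raise call unclosed; the normalisation
    # is bound here and the call completed so the validator is runnable.
    a = action.lower()
    if a not in ('enable', 'disable'):
        raise errors.ValidationError(
            name='action',
            error=_('Unknown command %s') % action
        )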
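class pkinit_anonymous(Command):
    __doc__ = _('Enable or Disable Anonymous PKINIT.')

    # Security context: anonymous PKINIT lets a client that holds no
    # credentials obtain a ticket as WELLKNOWN/ANONYMOUS. This command
    # switches that realm-wide behaviour on or off by changing the
    # 'nsaccountlock' attribute on the anonymous principal's entry.
    # NOTE(review): who may run this command is not visible in this
    # listing -- confirm it is restricted to administrators and that the
    # resulting LDAP modification is audited.

    # Both values are computed once, when the class body is evaluated,
    # from the realm and base DN in api.env.
    princ_name = 'WELLKNOWN/ANONYMOUS@%s' % api.env.realm
    default_dn = DN(
        ('krbprincipalname', princ_name),
        ('cn', api.env.realm),
        ('cn', 'kerberos'),
        api.env.basedn,
    )

    # Single positional argument, checked by valid_arg.
    takes_args = (
        Str('action', valid_arg),
    )

    def execute(self, action, **options):
        """
        Enable or disable anonymous PKINIT.

        Reads 'nsaccountlock' from the anonymous principal's entry and
        writes the entry back only when the requested state differs from
        the current one.

        :param action: 'enable' or 'disable' (compared case-insensitively).
        :param options: accepted for interface compatibility; unused here.
        :returns: ``dict(result=True)`` in every non-error case, so the
            caller cannot tell a state change from a no-op.
        """
        # NOTE(review): the listing omits the initialisation lines and
        # the bodies of the enable/disable branches. They are
        # reconstructed below from the statements that are visible
        # (lower-cased lock value, assignment to 'nsaccountlock',
        # update_entry) -- confirm against the upstream file.
        ldap = self.api.Backend.ldap2
        requested = action.lower()

        # Only the lock attribute is requested from the directory.
        entry_attrs = ldap.get_entry(self.default_dn, ['nsaccountlock'])

        lock = None
        if 'nsaccountlock' in entry_attrs:
            lock = entry_attrs['nsaccountlock'][0].lower()

        set_lock = False
        if requested == 'enable':
            # Enabling means the principal must not be locked.
            if lock == 'true':
                set_lock = True
                # presumably assigning None removes the attribute; verify
                lock = None
        elif requested == 'disable':
            # Disabling means locking the principal, unless already locked.
            if lock != 'true':
                set_lock = True
                lock = 'TRUE'

        # Skip the write when nothing changes, so no empty modification
        # is sent to the directory.
        if set_lock:
            entry_attrs['nsaccountlock'] = lock
            ldap.update_entry(entry_attrs)

        return dict(result=True)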