ipaserver.plugins.host.host¶
- class ipaserver.plugins.host.host(api)[source]¶
Bases: ipaserver.plugins.baseldap.LDAPObject
Host object.
Public Data Attributes:
Inherited from LDAPObject
Inherited from Object
Public Methods:
- get_dn(*keys, **options): Construct an LDAP DN.
- suppress_netgroup_memberof(ldap, entry_attrs): We don't want to show managed netgroups so remove them from the memberofindirect list.
Inherited from LDAPObject
- get_dn(*keys, **options): Construct an LDAP DN.
- get_dn_if_exists(*keys, **kwargs)
- has_objectclass(classes, objectclass)
- convert_attribute_members(entry_attrs, ...)
- get_indirect_members(entry_attrs, attrs_list)
- get_memberindirect(group_entry): Get indirect members
- get_memberofindirect(entry)
- get_password_attributes(ldap, dn, entry_attrs): Search on the entry to determine if it has a password or keytab set.
- handle_not_found(*keys): Handle NotFound exception
- handle_duplicate_entry(*keys)
- __json__()
Inherited from Object
- params_minus(*names): Yield all Param whose name is not in names.
- get_dn(*keys, **options): Construct an LDAP DN.
- get_params(): This method gets called by HasParam._create_param_namespace().
- __json__()
Inherited from Plugin
- __init__(api)
- finalize(): Finalize plugin initialization.
- ensure_finalized(): Finalize plugin initialization if it has not yet been finalized.
- __repr__(): Return 'module_name.class_name()' representation.
Inherited from ReadOnly
- __lock__(): Put this instance into a read-only state.
- __islocked__(): Return True if instance is locked, otherwise False.
- __setattr__(name, value): If unlocked, set attribute named name to value.
- __delattr__(name): If unlocked, delete attribute named name.
Private Data Attributes:
Inherited from ReadOnly
- _ReadOnly__locked
Private Methods:
Inherited from Object
- _on_finalize(): Do custom finalization.
- _Object__get_attrs(name)
Inherited from HasParam
- _get_param_iterable(name[, verb]): Return an iterable of params defined by the attribute named name.
- _filter_param_by_context(name[, env]): Filter params on attribute named name by environment env.
- _create_param_namespace(name[, env])
Inherited from Plugin
- _Plugin__name_getter()
- _Plugin__full_name_getter()
- _Plugin__bases_getter()
- _Plugin__doc_getter()
- _Plugin__summary_getter()
- _on_finalize(): Do custom finalization.
- property Backend¶
- property Command¶
- NO_CLI = False¶
- __annotations__ = {}¶
- __delattr__(name)¶
If unlocked, delete attribute named name.
If this instance is locked, an AttributeError will be raised.
- Parameters
name – Name of attribute to delete.
- __init__(api)¶
- __islocked__()¶
Return True if instance is locked, otherwise False.
- __json__()¶
- __lock__()¶
Put this instance into a read-only state.
After the instance has been locked, attempting to set or delete an attribute will raise an AttributeError.
- __module__ = 'ipaserver.plugins.host'¶
- __repr__()¶
Return ‘module_name.class_name()’ representation.
This representation could be used to instantiate this Plugin instance given the appropriate environment.
- __setattr__(name, value)¶
If unlocked, set attribute named name to value.
If this instance is locked, an AttributeError will be raised.
- Parameters
name – Name of attribute to set.
value – Value to assign to attribute.
- __weakref__¶
list of weak references to the object (if defined)
- _create_param_namespace(name, env=None)¶
- _filter_param_by_context(name, env=None)¶
Filter params on attribute named name by environment env.
For example:
>>> from ipalib.config import Env
>>> class Example(HasParam):
...
...     takes_args = (
...         Str('foo_only', include=['foo']),
...         Str('not_bar', exclude=['bar']),
...         'both',
...     )
...
...     def get_args(self):
...         return self._get_param_iterable('args')
...
...
>>> eg = Example()
>>> foo = Env(context='foo')
>>> bar = Env(context='bar')
>>> another = Env(context='another')
>>> (foo.context, bar.context, another.context)
(u'foo', u'bar', u'another')
>>> list(eg._filter_param_by_context('args', foo))
[Str('foo_only', include=['foo']), Str('not_bar', exclude=['bar']), Str('both')]
>>> list(eg._filter_param_by_context('args', bar))
[Str('both')]
>>> list(eg._filter_param_by_context('args', another))
[Str('not_bar', exclude=['bar']), Str('both')]
- _get_param_iterable(name, verb='takes')¶
Return an iterable of params defined by the attribute named name.
A sequence of params can be defined in one of three ways: as a tuple; as a callable that returns an iterable; or as a param spec (a Param or str instance). This method returns a uniform iterable regardless of how the param sequence was defined.
For example, when defined with a tuple:
>>> class ByTuple(HasParam):
...     takes_args = (Param('foo'), Param('bar'))
...
>>> by_tuple = ByTuple()
>>> list(by_tuple._get_param_iterable('args'))
[Param('foo'), Param('bar')]
Or you can define your param sequence with a callable when you need to reference attributes on your plugin instance (for validation rules, etc.). For example:
>>> class ByCallable(HasParam):
...     def takes_args(self):
...         yield Param('foo', self.validate_foo)
...         yield Param('bar', self.validate_bar)
...
...     def validate_foo(self, _, value, **kw):
...         if value != 'Foo':
...             return _("must be 'Foo'")
...
...     def validate_bar(self, _, value, **kw):
...         if value != 'Bar':
...             return _("must be 'Bar'")
...
>>> by_callable = ByCallable()
>>> list(by_callable._get_param_iterable('args'))
[Param('foo', validate_foo), Param('bar', validate_bar)]
Lastly, as a convenience for when a param sequence contains a single param, your defining attribute may be a param spec (either a Param or a str instance). For example:
>>> class BySpec(HasParam):
...     takes_args = Param('foo')
...     takes_options = 'bar?'
...
>>> by_spec = BySpec()
>>> list(by_spec._get_param_iterable('args'))
[Param('foo')]
>>> list(by_spec._get_param_iterable('options'))
['bar?']
For information on how a str param spec is interpreted, see the create_param() and parse_param_spec() functions in the ipalib.parameters module.
Also see HasParam._filter_param_by_context().
- _on_finalize()¶
Do custom finalization.
This method is called from finalize(). Subclasses can override this method in order to add custom finalization.
- allow_rename = False¶
- already_exists_msg = Gettext('%(oname)s with name "%(pkey)s" already exists', domain='ipa', localedir=None)¶
- property api¶
Return API instance passed to __init__().
- attribute_members = {'enrolledby': ['user'], 'ipaallowedtoperform_read_keys': ['user', 'group', 'host', 'hostgroup'], 'ipaallowedtoperform_write_keys': ['user', 'group', 'host', 'hostgroup'], 'managedby': ['host'], 'managing': ['host'], 'memberof': ['hostgroup', 'netgroup', 'role', 'hbacrule', 'sudorule'], 'memberofindirect': ['hostgroup', 'netgroup', 'role', 'hbacrule', 'sudorule']}¶
- backend = None¶
- backend_name = 'ldap2'¶
- bases = (<class 'ipaserver.plugins.baseldap.LDAPObject'>,)¶
- bindable = True¶
- container_dn = ipapython.dn.DN('cn=computers,cn=accounts')¶
- container_not_found_msg = Gettext('container entry (%(container)s) not found', domain='ipa', localedir=None)¶
- property context¶
- convert_attribute_members(entry_attrs, *keys, **options)¶
- default_attributes = ['fqdn', 'description', 'l', 'nshostlocation', 'krbcanonicalname', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', 'managedby', 'memberofindirect', 'macaddress', 'userclass', 'ipaallowedtoperform', 'ipaassignedidview', 'krbprincipalauthind']¶
- disallow_object_classes = []¶
- doc = '\n Host object.\n '¶
- ensure_finalized()¶
Finalize plugin initialization if it has not yet been finalized.
- property env¶
- finalize()¶
Finalize plugin initialization.
This method calls _on_finalize() and locks the plugin object.
Subclasses should not override this method. Custom finalization is done in _on_finalize().
- class finalize_attr(name, value=None)¶
Bases: object
Create a stub object for plugin attribute that isn’t set until the finalization of the plugin initialization.
When the stub object is accessed, it calls ensure_finalized() to make sure the plugin initialization is finalized. The stub object is expected to be replaced with the actual attribute value during the finalization (preferably in _on_finalize()), otherwise an AttributeError is raised.
This is used to implement on-demand finalization of plugin initialization.
- __get__(obj, cls)¶
- __init__(name, value=None)¶
- __module__ = 'ipalib.plugable'¶
- __slots__ = ('name', 'value')¶
- name¶
- value¶
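The on-demand finalization and locking described under finalize(), finalize_attr and __lock__() above, as a simplified model. This is an added example, not ipalib code; ReadOnlyModel, finalize_stub, PluginModel, HostModel and demo are hypothetical names.

```python
class ReadOnlyModel:
    """Hypothetical stand-in for ReadOnly: attributes freeze after lock()."""

    _locked = False

    def lock(self):
        # Bypass our own __setattr__ so the lock flag itself can be written.
        object.__setattr__(self, "_locked", True)

    def __setattr__(self, name, value):
        if self._locked:
            raise AttributeError(f"locked: cannot set {name!r}")
        object.__setattr__(self, name, value)

    def __delattr__(self, name):
        if self._locked:
            raise AttributeError(f"locked: cannot delete {name!r}")
        object.__delattr__(self, name)


class finalize_stub:
    """Hypothetical stand-in for finalize_attr.

    It defines only __get__, so it is a non-data descriptor: once
    _on_finalize() stores the real value in the instance __dict__, that
    value shadows the stub and later reads never reach this code.
    """

    def __init__(self, name):
        self.name = name

    def __get__(self, obj, cls):
        if obj is None:
            return self
        obj.ensure_finalized()
        if self.name not in obj.__dict__:
            raise AttributeError(f"{self.name!r} not set during finalization")
        return obj.__dict__[self.name]


class PluginModel(ReadOnlyModel):
    """Hypothetical stand-in for Plugin: finalize once, then lock."""

    def __init__(self):
        self._finalized = False

    def ensure_finalized(self):
        if not self._finalized:
            self.finalize()

    def finalize(self):
        self._finalized = True  # set first so _on_finalize() cannot re-enter
        self._on_finalize()
        self.lock()

    def _on_finalize(self):
        """Subclasses fill in their stubbed attributes here."""


class HostModel(PluginModel):
    params = finalize_stub("params")
    never_set = finalize_stub("never_set")  # deliberately left unfilled

    def _on_finalize(self):
        self.params = ("fqdn", "description")


def demo():
    """Exercise the model and report what each step did."""
    host = HostModel()
    results = {"locked_before": host._locked}
    results["params"] = host.params  # first read triggers finalize()
    results["locked_after"] = host._locked
    attempts = (
        ("set", lambda: setattr(host, "params", ())),
        ("delete", lambda: delattr(host, "params")),
        ("unset_stub", lambda: host.never_set),
    )
    for label, action in attempts:
        try:
            action()
            results[label] = "allowed"
        except AttributeError:
            results[label] = "AttributeError"
    return results


if __name__ == "__main__":
    print(demo())
```

The value written in _on_finalize() is the last write the object accepts: every later set or delete fails, which is what keeps a finalized plugin from being altered at runtime.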
- full_name = 'host/1'¶
- get_ancestor_primary_keys()¶
- get_dn_if_exists(*keys, **kwargs)¶
- get_indirect_members(entry_attrs, attrs_list)¶
- get_memberindirect(group_entry)¶
Get indirect members
- get_memberofindirect(entry)¶
- get_params()¶
This method gets called by HasParam._create_param_namespace().
- get_password_attributes(ldap, dn, entry_attrs)¶
Search on the entry to determine if it has a password or keytab set.
A tuple is used to determine which attribute is set in entry_attrs. The value is set to True or False depending on whether a given password type is set.
- get_primary_key_from_dn(dn)¶
- handle_duplicate_entry(*keys)¶
- handle_not_found(*keys)¶
Handle NotFound exception
Must raise errors.NotFound again.
- has_objectclass(classes, objectclass)¶
- json_friendly_attributes = ('parent_object', 'container_dn', 'object_name', 'object_name_plural', 'object_class', 'object_class_config', 'default_attributes', 'label', 'label_singular', 'hidden_attributes', 'uuid_attribute', 'attribute_members', 'name', 'takes_params', 'rdn_attribute', 'bindable', 'relationships')¶
- label = Gettext('Hosts', domain='ipa', localedir=None)¶
- label_singular = Gettext('Host', domain='ipa', localedir=None)¶
- limit_object_classes = []¶
- managed_permissions = {'System: Add Hosts': {'default_privileges': {'Host Administrators'}, 'ipapermright': {'add'}, 'replaces': ['(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Hosts";allow (add) groupdn = "ldap:///cn=Add Hosts,cn=permissions,cn=pbac,$SUFFIX";)']}, 'System: Add krbPrincipalName to a Host': {'default_privileges': {'Host Administrators', 'Host Enrollment'}, 'ipapermdefaultattr': {'krbprincipalname'}, 'ipapermright': {'write'}, 'ipapermtargetfilter': ['(objectclass=ipahost)', '(!(krbprincipalname=*))'], 'replaces': ['(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetfilter = "(!(krbprincipalname=*))")(targetattr = "krbprincipalname")(version 3.0;acl "permission:Add krbPrincipalName to a host"; allow (write) groupdn = "ldap:///cn=Add krbPrincipalName to a host,cn=permissions,cn=pbac,$SUFFIX";)']}, 'System: Enroll a Host': {'default_privileges': {'Host Administrators', 'Host Enrollment'}, 'ipapermdefaultattr': {'enrolledby', 'nshardwareplatform', 'nsosversion', 'objectclass'}, 'ipapermright': {'write'}, 'replaces': ['(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)', '(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)']}, 'System: Manage Host Certificates': {'default_privileges': {'Host Administrators', 'Host Enrollment'}, 'ipapermbindruletype': 'permission', 'ipapermdefaultattr': {'usercertificate'}, 'ipapermright': {'write'}}, 'System: Manage Host Enrollment Password': {'default_privileges': {'Host Administrators', 'Host Enrollment'}, 'ipapermbindruletype': 'permission', 'ipapermdefaultattr': {'userpassword'}, 'ipapermright': {'write'}}, 'System: 
Manage Host Keytab': {'default_privileges': {'Host Administrators', 'Host Enrollment'}, 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'}, 'ipapermright': {'write'}, 'ipapermtargetfilter': ['(objectclass=ipahost)', '(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))'], 'replaces': ['(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)']}, 'System: Manage Host Keytab Permissions': {'default_privileges': {'Host Administrators'}, 'ipapermdefaultattr': {'ipaallowedtoperform;read_keys', 'ipaallowedtoperform;write_keys', 'objectclass'}, 'ipapermright': {'compare', 'read', 'search', 'write'}}, 'System: Manage Host Principals': {'default_privileges': {'Host Administrators', 'Host Enrollment'}, 'ipapermbindruletype': 'permission', 'ipapermdefaultattr': {'krbcanonicalname', 'krbprincipalname'}, 'ipapermright': {'write'}}, 'System: Manage Host SSH Public Keys': {'default_privileges': {'Host Administrators'}, 'ipapermdefaultattr': {'ipasshpubkey'}, 'ipapermright': {'write'}, 'replaces': ['(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=Manage Host SSH Public Keys,cn=permissions,cn=pbac,$SUFFIX";)']}, 'System: Modify Hosts': {'default_privileges': {'Host Administrators'}, 'ipapermdefaultattr': {'description', 'ipaassignedidview', 'krbprincipalauthind', 'l', 'macaddress', 'nshardwareplatform', 'nshostlocation', 'nsosversion', 'userclass'}, 'ipapermright': {'write'}, 'replaces': ['(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hosts";allow (write) groupdn = "ldap:///cn=Modify 
Hosts,cn=permissions,cn=pbac,$SUFFIX";)']}, 'System: Read Host Compat Tree': {'ipapermbindruletype': 'anonymous', 'ipapermdefaultattr': {'cn', 'macaddress', 'objectclass'}, 'ipapermlocation': ipapython.dn.DN('dc=ipa,dc=example'), 'ipapermright': {'compare', 'read', 'search'}, 'ipapermtarget': ipapython.dn.DN('cn=computers,cn=compat,dc=ipa,dc=example'), 'non_object': True}, 'System: Read Host Membership': {'ipapermbindruletype': 'all', 'ipapermdefaultattr': {'memberof'}, 'ipapermright': {'compare', 'read', 'search'}, 'replaces_global_anonymous_aci': True}, 'System: Read Hosts': {'ipapermbindruletype': 'all', 'ipapermdefaultattr': {'cn', 'description', 'enrolledby', 'fqdn', 'ipaassignedidview', 'ipaclientversion', 'ipakrbauthzdata', 'ipasshpubkey', 'ipauniqueid', 'krbcanonicalname', 'krblastpwdchange', 'krbpasswordexpiration', 'krbprincipalaliases', 'krbprincipalauthind', 'krbprincipalexpiration', 'krbprincipalname', 'l', 'macaddress', 'managedby', 'nshardwareplatform', 'nshostlocation', 'nsosversion', 'objectclass', 'serverhostname', 'usercertificate', 'userclass'}, 'ipapermright': {'compare', 'read', 'search'}, 'replaces_global_anonymous_aci': True}, 'System: Remove Hosts': {'default_privileges': {'Host Administrators'}, 'ipapermright': {'delete'}, 'replaces': ['(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Hosts";allow (delete) groupdn = "ldap:///cn=Remove Hosts,cn=permissions,cn=pbac,$SUFFIX";)']}}¶
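One way to audit the managed_permissions value above for which privileges can write host credential material and what is readable without a privilege. This is an added example, not FreeIPA code; the function names and the choice of which attributes count as credentials or secrets are assumptions of the example.

```python
# PERMS is transcribed from the managed_permissions value documented above,
# keeping only the keys this audit reads. Entries that are privilege-bound and
# touch no credential attribute (Add, Enroll, Modify, Remove) are left out.
ENROLL, ADMIN = "Host Enrollment", "Host Administrators"
READ = frozenset({"read", "search", "compare"})
WRITE = frozenset({"write"})

PERMS = {
    "System: Read Hosts": {
        "ipapermbindruletype": "all", "ipapermright": READ,
        "ipapermdefaultattr": {
            "cn", "description", "enrolledby", "fqdn", "ipaassignedidview",
            "ipaclientversion", "ipakrbauthzdata", "ipasshpubkey",
            "ipauniqueid", "krbcanonicalname", "krblastpwdchange",
            "krbpasswordexpiration", "krbprincipalaliases",
            "krbprincipalauthind", "krbprincipalexpiration",
            "krbprincipalname", "l", "macaddress", "managedby",
            "nshardwareplatform", "nshostlocation", "nsosversion",
            "objectclass", "serverhostname", "usercertificate", "userclass"}},
    "System: Read Host Membership": {
        "ipapermbindruletype": "all", "ipapermright": READ,
        "ipapermdefaultattr": {"memberof"}},
    "System: Read Host Compat Tree": {
        "ipapermbindruletype": "anonymous", "ipapermright": READ,
        "ipapermdefaultattr": {"objectclass", "macaddress", "cn"}},
    "System: Add krbPrincipalName to a Host": {
        "ipapermright": WRITE, "ipapermdefaultattr": {"krbprincipalname"},
        "default_privileges": {ENROLL, ADMIN}},
    "System: Manage Host SSH Public Keys": {
        "ipapermright": WRITE, "ipapermdefaultattr": {"ipasshpubkey"},
        "default_privileges": {ADMIN}},
    "System: Manage Host Keytab": {
        "ipapermright": WRITE,
        "ipapermdefaultattr": {"krbprincipalkey", "krblastpwdchange"},
        "default_privileges": {ENROLL, ADMIN}},
    "System: Manage Host Keytab Permissions": {
        "ipapermright": READ | WRITE,
        "ipapermdefaultattr": {"ipaallowedtoperform;write_keys", "objectclass",
                               "ipaallowedtoperform;read_keys"},
        "default_privileges": {ADMIN}},
    "System: Manage Host Certificates": {
        "ipapermbindruletype": "permission", "ipapermright": WRITE,
        "ipapermdefaultattr": {"usercertificate"},
        "default_privileges": {ENROLL, ADMIN}},
    "System: Manage Host Principals": {
        "ipapermbindruletype": "permission", "ipapermright": WRITE,
        "ipapermdefaultattr": {"krbprincipalname", "krbcanonicalname"},
        "default_privileges": {ENROLL, ADMIN}},
    "System: Manage Host Enrollment Password": {
        "ipapermbindruletype": "permission", "ipapermright": WRITE,
        "ipapermdefaultattr": {"userpassword"},
        "default_privileges": {ENROLL, ADMIN}},
}

# Assumption of this example: which attributes are secrets, and which wider
# set lets a writer change how a host authenticates or who may fetch its keys.
SECRET_ATTRS = {"userpassword", "krbprincipalkey"}
CREDENTIAL_ATTRS = SECRET_ATTRS | {
    "usercertificate", "ipasshpubkey", "krbprincipalname",
    "ipaallowedtoperform;read_keys", "ipaallowedtoperform;write_keys"}


def credential_writers(perms):
    """Map each privilege to the credential attributes it may write."""
    out = {}
    for spec in perms.values():
        if "write" not in spec["ipapermright"]:
            continue
        attrs = spec.get("ipapermdefaultattr", set()) & CREDENTIAL_ATTRS
        for priv in spec.get("default_privileges", ()):
            out.setdefault(priv, set()).update(attrs)
    return {priv: sorted(attrs) for priv, attrs in out.items()}


def broad_reads(perms):
    """Permissions that apply without holding a privilege: name -> bind type."""
    # Assumption: an entry with no ipapermbindruletype is granted through
    # privileges ('permission'). 'all' is any authenticated bind and
    # 'anonymous' is an unauthenticated one.
    return {
        name: spec["ipapermbindruletype"] for name, spec in perms.items()
        if spec.get("ipapermbindruletype", "permission") != "permission"
    }


def secrets_broadly_readable(perms):
    """Secret attributes exposed by an 'all' or 'anonymous' permission."""
    found = set()
    for name in broad_reads(perms):
        found |= perms[name].get("ipapermdefaultattr", set()) & SECRET_ATTRS
    return sorted(found)


if __name__ == "__main__":
    for priv, attrs in sorted(credential_writers(PERMS).items()):
        print(priv, "->", attrs)
    print(broad_reads(PERMS), secrets_broadly_readable(PERMS))
```

On this data the two privileges differ only in SSH public keys and the keytab delegation attributes, which Host Enrollment cannot write, and no secret attribute sits behind an 'all' or 'anonymous' bind rule.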
- methods = None¶
- name = 'host'¶
- object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser', 'ipaservice']¶
- object_class_config = None¶
- object_name = Gettext('host', domain='ipa', localedir=None)¶
- object_name_plural = Gettext('hosts', domain='ipa', localedir=None)¶
- object_not_found_msg = Gettext('%(pkey)s: %(oname)s not found', domain='ipa', localedir=None)¶
- params = None¶
- params_minus(*names)¶
Yield all Param whose name is not in names.
- params_minus_pk = None¶
- parent_not_found_msg = Gettext('%(parent)s: %(oname)s not found', domain='ipa', localedir=None)¶
- parent_object = ''¶
- password_attributes = [('userpassword', 'has_password'), ('krbprincipalkey', 'has_keytab')]¶
- permission_filter_objectclasses = ['ipahost']¶
- possible_objectclasses = ['ipaallowedoperations']¶
- primary_key = None¶
- rdn_attribute = ''¶
- relationships = {'enrolledby': ('Enrolled by', 'enroll_by_', 'not_enroll_by_'), 'ipaallowedtoperform_read_keys': ('Allow to retrieve keytab by', 'retrieve_keytab_by_', 'not_retrieve_keytab_by_'), 'ipaallowedtoperform_write_keys': ('Allow to create keytab by', 'write_keytab_by_', 'not_write_keytab_by'), 'managedby': ('Managed by', 'man_by_', 'not_man_by_'), 'managing': ('Managing', 'man_', 'not_man_'), 'memberof': ('Member Of', 'in_', 'not_in_')}¶
- search_attributes = ['fqdn', 'description', 'l', 'nshostlocation', 'krbcanonicalname', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'managedby']¶
- search_attributes_config = None¶
- search_display_attributes = []¶
- summary = 'Host object.'¶
- suppress_netgroup_memberof(ldap, entry_attrs)[source]¶
We don’t want to show managed netgroups so remove them from the memberofindirect list.
- takes_params = (
    Str('fqdn', hostname_validator, cli_name='hostname', label=Gettext('Host name', domain='ipa', localedir=None), normalizer=normalize_hostname, primary_key=True),
    Str('description?', cli_name='desc', doc=Gettext('A description of this host', domain='ipa', localedir=None), label=Gettext('Description', domain='ipa', localedir=None)),
    Str('l?', cli_name='locality', doc=Gettext('Host locality (e.g. "Baltimore, MD")', domain='ipa', localedir=None), label=Gettext('Locality', domain='ipa', localedir=None)),
    Str('nshostlocation?', cli_name='location', doc=Gettext('Host location (e.g. "Lab 2")', domain='ipa', localedir=None), label=Gettext('Location', domain='ipa', localedir=None)),
    Str('nshardwareplatform?', cli_name='platform', doc=Gettext('Host hardware platform (e.g. "Lenovo T61")', domain='ipa', localedir=None), label=Gettext('Platform', domain='ipa', localedir=None)),
    Str('nsosversion?', cli_name='os', doc=Gettext('Host operating system and version (e.g. "Fedora 9")', domain='ipa', localedir=None), label=Gettext('Operating system', domain='ipa', localedir=None)),
    HostPassword('userpassword?', cli_name='password', doc=Gettext('Password used in bulk enrollment', domain='ipa', localedir=None), flags=[u'no_search'], label=Gettext('User password', domain='ipa', localedir=None)),
    Flag('random?', autofill=True, default=False, doc=Gettext('Generate a random password to be used in bulk enrollment', domain='ipa', localedir=None), flags=[u'no_search', u'virtual_attribute']),
    Str('randompassword?', flags=[u'no_create', u'no_search', u'no_update', u'virtual_attribute'], label=Gettext('Random password', domain='ipa', localedir=None)),
    Certificate('usercertificate*', cli_name='certificate', doc=Gettext('Base-64 encoded host certificate', domain='ipa', localedir=None), label=Gettext('Certificate', domain='ipa', localedir=None)),
    Str('subject', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('Subject', domain='ipa', localedir=None)),
    Str('serial_number', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('Serial Number', domain='ipa', localedir=None)),
    Str('serial_number_hex', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('Serial Number (hex)', domain='ipa', localedir=None)),
    Str('issuer', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('Issuer', domain='ipa', localedir=None)),
    Str('valid_not_before', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('Not Before', domain='ipa', localedir=None)),
    Str('valid_not_after', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('Not After', domain='ipa', localedir=None)),
    Str('sha1_fingerprint', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('Fingerprint (SHA1)', domain='ipa', localedir=None)),
    Str('sha256_fingerprint', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('Fingerprint (SHA256)', domain='ipa', localedir=None)),
    Str('revocation_reason?', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('Revocation reason', domain='ipa', localedir=None)),
    Principal('krbcanonicalname?', validate_realm, flags=[u'no_update', u'no_create', u'no_search'], label=Gettext('Principal name', domain='ipa', localedir=None), normalizer=normalize_principal),
    Principal('krbprincipalname*', validate_realm, flags=[u'no_create', u'no_search'], label=Gettext('Principal alias', domain='ipa', localedir=None), normalizer=normalize_principal),
    Str('macaddress*', doc=Gettext('Hardware MAC address(es) on this host', domain='ipa', localedir=None), label=Gettext('MAC address', domain='ipa', localedir=None), normalizer=<lambda>, pattern=u'^([a-fA-F0-9]{2}[:|\\-]?){5}[a-fA-F0-9]{2}$', pattern_errmsg=u'Must be of the form HH:HH:HH:HH:HH:HH, where each H is a hexadecimal character.'),
    Str('ipasshpubkey*', validate_sshpubkey_no_options, cli_name='sshpubkey', flags=[u'no_search'], label=Gettext('SSH public key', domain='ipa', localedir=None), normalizer=normalize_sshpubkey),
    Str('sshpubkeyfp*', flags=[u'no_update', u'no_create', u'no_search', u'virtual_attribute'], label=Gettext('SSH public key fingerprint', domain='ipa', localedir=None)),
    Str('userclass*', cli_name='class', doc=Gettext('Host category (semantics placed on this attribute are for local interpretation)', domain='ipa', localedir=None), label=Gettext('Class', domain='ipa', localedir=None)),
    Str('ipaassignedidview?', flags=[u'no_option'], label=Gettext('Assigned ID View', domain='ipa', localedir=None)),
    StrEnum('krbprincipalauthind*', cli_metavar=u"['radius', 'otp', 'pkinit', 'hardened', 'idp']", cli_name='auth_ind', doc=Gettext("Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use 'pkinit' to allow PKINIT-based 2FA authentications. Use 'hardened' to allow brute-force hardened password authentication by SPAKE or FAST. Use 'idp' to allow External Identity Provider authentications. With no indicator specified, all authentication mechanisms are allowed.", domain='ipa', localedir=None), label=Gettext('Authentication Indicators', domain='ipa', localedir=None), values=[u'radius', u'otp', u'pkinit', u'hardened', u'idp']),
    Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth', doc=Gettext('Pre-authentication is required for the service', domain='ipa', localedir=None), flags=[u'no_search', u'virtual_attribute'], label=Gettext('Requires pre-authentication', domain='ipa', localedir=None)),
    Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate', doc=Gettext('Client credentials may be delegated to the service', domain='ipa', localedir=None), flags=[u'no_search', u'virtual_attribute'], label=Gettext('Trusted for delegation', domain='ipa', localedir=None)),
    Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate', doc=Gettext('The service is allowed to authenticate on behalf of a client', domain='ipa', localedir=None), flags=[u'no_search', u'virtual_attribute'], label=Gettext('Trusted to authenticate as user', domain='ipa', localedir=None)),
  )
- uuid_attribute = 'ipauniqueid'
- version = '1'
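The macaddress pattern in takes_params accepts more spellings than its error message names: the separator is optional, and the character class [:|\-] also admits a literal '|'. The following is an added example, not FreeIPA code; canonical_mac, audit, duplicates, DOCUMENTED_FORM and the sample values are constructed here, and the parameter's normalizer (shown only as <lambda>) is not modelled. It shows which spellings the pattern passes and how a consumer can canonicalize them before comparing.

```python
import re

# Pattern from the macaddress parameter above, with the repr escaping undone.
IPA_MAC_PATTERN = re.compile(r'^([a-fA-F0-9]{2}[:|\-]?){5}[a-fA-F0-9]{2}$')
# Assumption: a stricter pattern for exactly the form the error message names.
DOCUMENTED_FORM = re.compile(r'^([a-fA-F0-9]{2}:){5}[a-fA-F0-9]{2}$')


def canonical_mac(value):
    """Lower-case, colon-separated form, or None if the page's pattern rejects."""
    if IPA_MAC_PATTERN.match(value) is None:
        return None
    digits = re.sub(r'[:|\-]', '', value).lower()
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(values):
    """Per value: accepted by the pattern, in documented form, canonical form."""
    return [
        {
            'value': v,
            'accepted': IPA_MAC_PATTERN.match(v) is not None,
            'documented_form': DOCUMENTED_FORM.match(v) is not None,
            'canonical': canonical_mac(v),
        }
        for v in values
    ]


def duplicates(values):
    """Group accepted spellings that denote the same hardware address."""
    groups = {}
    for v in values:
        canon = canonical_mac(v)
        if canon is not None:
            groups.setdefault(canon, []).append(v)
    return {k: vs for k, vs in groups.items() if len(vs) > 1}


# Constructed sample values, not taken from any real host entry.
SAMPLES = [
    '00:1a:2b:3c:4d:5e',   # documented form
    '00-1A-2B-3C-4D-5E',   # hyphens, upper case
    '001a2b3c4d5e',        # no separators (the separator is optional)
    '00|1a|2b|3c|4d|5e',   # '|' is a literal inside the character class
    '00:1a-2b|3c4d:5e',    # mixed separators
    '00:1a:2b:3c:4d',      # too short: rejected
    '00:1a:2b:3c:4d:5g',   # non-hex digit: rejected
]
```

Any inventory, DHCP or allow-list tooling that reads the macaddress attribute should compare canonical forms rather than raw strings, since five of the seven spellings above denote one address.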