Context Navigation

source: trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Heimdal/User.pm @ 2220

Visit:

Last change on this file since 2220 was 1971, checked in by nanardon, 7 years ago
Manage it's impossible to reset krb5ValidEnd, so setting max value
File size: 5.2 KB

Line
1	package LATMOS::Accounts::Bases::Heimdal::User;
2
3	use 5.010000;
4	use strict;
5	use warnings;
6
7	use base qw(LATMOS::Accounts::Bases::Objects);
8	use LATMOS::Accounts::Log;
9
10	our $VERSION = (q$Rev: 652 $ =~ /^Rev: (\d+) /)[0];
11
12	=head1 NAME
13
14	LATMOS::Ldap - Perl extension for blah blah blah
15
16	=head1 SYNOPSIS
17
18	use LATMOS::Ldap;
19	blah blah blah
20
21	=head1 DESCRIPTION
22
23	Stub documentation for LATMOS::Ldap, created by h2xs. It looks like the
24	author of the extension was negligent enough to leave the stub
25	unedited.
26
27	Blah blah blah.
28
29	=head1 FUNCTIONS
30
31	=cut
32
33	sub _get_attr_schema {
34	my ($class, $base, $info) = @_;
35	$info \|\|= {};
36
37	foreach (qw(
38	uid
39	modName
40	)) {
41	$info->{$_} = { ro => 1 };
42	}
43	$info->{userPassword} = { ro => 1, readable => 0 };
44	foreach (qw(
45	krb5ValidEnd
46	krb5KDCFlags
47	krb5MaxRenew
48	krb5MaxLife
49	)) {
50	$info->{$_} = { };
51	}
52
53	return $info;
54	}
55
56	sub _is_ignored_user {
57	my ($base, $uid) = @_;
58
59	$uid eq 'default' and return 1;
60	grep { $uid eq $_ } split(/ , /, $base->config('ignoredusers'))
61	and return 1;
62
63	return;
64	}
65
66	sub list {
67	my ($class, $base) = @_;
68
69	my $realm = $base->config('realm');
70	my @uids;
71	foreach ($base->heimdal->getPrincipals('*@' . $realm)) {
72	/^([^@\/]+)\@\Q$realm\E$/ or next;
73	my $uid = $1;
74	_is_ignored_user($base, $uid) and next;
75	push(@uids, $uid);
76	}
77
78	return @uids;
79
80	}
81
82	=head2 uid2principal ($uid, $base)
83
84	Convert UID to kerberos principal
85
86	=cut
87
88	sub uid2principal {
89	my ($self, $uid, $base) = @_;
90	my $ba = $base \|\| $self->base;
91	$uid \|\|= $self->id;
92	return $uid . '@' . $ba->config('realm');
93	}
94
95
96	sub new {
97	my ($class, $base, $uid) = @_;
98
99	_is_ignored_user($base, $uid) and return;
100	my $entry = $base->heimdal->getPrincipal($class->uid2principal($uid, $base));
101	return if (!$entry);
102	bless({ entry => $entry, _base => $base, _id => $uid }, $class);
103	}
104
105	sub _create {
106	my ($class, $base, $id, %data) = @_;
107
108	_is_ignored_user($base, $id) and do {
109	$base->log('User %s is ignored by config, creation refused', $id);
110	return;
111	};
112	my $principal = $base->heimdal->makePrincipal($class->uid2principal($id, $base));
113	exists($data{krb5KDCFlags}) or $data{krb5KDCFlags} = 0;
114	exists($data{krb5MaxRenew}) or $data{krb5MaxRenew} = 604800;
115	exists($data{krb5MaxLife}) or $data{krb5MaxLife} = 86400;
116
117	_setprincipal($principal, %data);
118	my $pass = join('', map { ('a'..'z')[rand 26] } (0..10));
119	return $base->heimdal->createPrincipal($principal, $pass);
120
121	return 1;
122	}
123
124	sub _delete {
125	my ($class, $base, $uid) = @_;
126	_is_ignored_user($base, $uid) and return;
127	my $obj = $class->new($base, $uid) or return;
128
129	my $code = $base->heimdal->deletePrincipal($class->uid2principal($uid, $base));
130
131	if (!$code) {
132	$base->log(LA_ERR, "Cannot delete object %s", $uid);
133	return;
134	} else {
135	$base->log(LA_INFO, "Object (%s) %s delete", $class->type, $uid);
136	return 1
137	}
138	}
139
140	sub _rename {
141	my ($class, $base, $uid, $newuid) = @_;
142	my $obj = $class->new($base, $uid) or return;
143
144	my $mesg = $base->ldap->moddn( $obj->{entry},
145	newrdn => 'cn=' . escape_filter_value($newuid),
146	deleteoldrdn => 1,
147	);
148
149	if ($mesg->code) {
150	$base->log(LA_ERR, "Cannot rename object %s: %s", $uid, $mesg->error);
151	return;
152	} else {
153	return 1;
154	}
155	}
156
157	sub get_field {
158	my ($self, $field) = @_;
159
160	for ($field) {
161	/uid/ and return $self->id;
162	/modName/ and return $self->{entry}->getModName();
163	/krb5ValidEnd/ and do {
164	# (2^31) - 1 means no expiration
165	my $val = $self->{entry}->getPrincExpireTime();
166	return $val == 2_147_483_647 ? undef : $val;
167	};
168	/krb5KDCFlags/ and return $self->{entry}->getAttributes();
169	/krb5MaxRenew/ and return $self->{entry}->getMaxRenewableLife();
170	/krb5MaxLife/ and return $self->{entry}->getMaxLife();
171	/userPassword/ and return '';
172	}
173
174	return;
175	}
176
177	sub _setprincipal {
178	my ($principal, %fields) = @_;
179	for (keys %fields) {
180	# It's seems krb5ValidEnd cannot be unset using perl API
181	# so we're setting the expiration to max time (2^31 - 1)
182	/krb5ValidEnd/ and $principal->setPrincExpireTime($fields{$_} \|\| 2_147_483_647);
183	/krb5KDCFlags/ and $principal->setAttributes($fields{$_} \|\| 0);
184	/krb5MaxRenew/ and $principal->setMaxRenewableLife($fields{$_} \|\| 0);
185	/krb5MaxLife/ and $principal->setMaxLife($fields{$_} \|\| 0);
186	}
187	}
188
189
190	sub set_fields {
191	my ($self, %fields) = @_;
192
193	_setprincipal($self->{entry}, %fields);
194
195	return $self->base->heimdal->modifyPrincipal($self->{entry});
196	}
197
198	sub _set_password {
199	my ($self, $clear_pass) = @_;
200
201	$self->base->heimdal->changePassword(
202	$self->uid2principal(),
203	$clear_pass
204	);
205	}
206
207	1;
208
209	__END__
210
211	=head1 SEE ALSO
212
213	=head1 AUTHOR
214
215	Olivier Thauvin, E<lt>olivier.thauvin@aerov.jussieu.frE<gt>
216
217	=head1 COPYRIGHT AND LICENSE
218
219	Copyright (C) 2008 CNRS SA/CETP/LATMOS
220
221	This library is free software; you can redistribute it and/or modify
222	it under the same terms as Perl itself, either Perl version 5.10.0 or,
223	at your option, any later version of Perl 5 you may have available.
224
225
226	=cut

Note: See TracBrowser for help on using the repository browser.

Download in other formats: