ipalib/plugins/group.py (FreeIPA group plugin). What follows was recovered from a compiled Python 2.6 module, /usr/lib/python2.6/site-packages/ipalib/plugins/group.pyc: the module docstring survives intact, the class definitions only as names and message strings.

Groups of users

Manage groups of users. By default, new groups are POSIX groups. You
can add the --nonposix option to the group-add command to mark a new
group as non-POSIX. You can use the --posix argument with the group-mod
command to convert a non-POSIX group into a POSIX group. POSIX groups
cannot be converted to non-POSIX groups.

Every group must have a description.

POSIX groups must have a Group ID (GID) number. Changing a GID is
supported but can have an impact on your file permissions. It is not
necessary to supply a GID when creating a group. IPA will generate one
automatically if it is not provided.

EXAMPLES:

 Add a new group:
   ipa group-add --desc='local administrators' localadmins

 Add a new non-POSIX group:
   ipa group-add --nonposix --desc='remote administrators' remoteadmins

 Convert a non-POSIX group to posix:
   ipa group-mod --posix remoteadmins

 Add a new POSIX group with a specific Group ID number:
   ipa group-add --gid=500 --desc='unix admins' unixadmins

 Add a new POSIX group and let IPA assign a Group ID number:
   ipa group-add --desc='printer admins' printeradmins

 Remove a group:
   ipa group-del unixadmins

 To add the "remoteadmins" group to the "localadmins" group:
   ipa group-add-member --groups=remoteadmins localadmins

 Add a list of users to the "localadmins" group:
   ipa group-add-member --users=test1,test2 localadmins

 Remove a user from the "localadmins" group:
   ipa group-remove-member --users=test2 localadmins

 Display information about a named group:
   ipa group-show localadmins

External group membership is designed to allow users from trusted domains
to be mapped to local POSIX groups in order to actually use IPA resources.
External members should be added to groups that are specifically created as
external and non-POSIX. Such a group should later be nested in one of the
POSIX groups.

An external group member is currently a Security Identifier (SID) as defined
by the trusted domain. When adding external group members, it is possible to
specify them in SID, DOM\name or name@domain format. IPA will attempt to
resolve the passed name to a SID using the Global Catalog of the trusted
domain.

Example:

1. Create a group for the trusted domain admins' mapping and their local POSIX group:

   ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
   ipa group-add --desc='<ad.domain> admins' ad_admins

2. Add the security identifier of Domain Admins of the <ad.domain> to the
   ad_admins_external group:

   ipa group-add-member ad_admins_external --external 'AD\Domain Admins'

3. Allow members of the ad_admins_external group to be associated with the
   ad_admins POSIX group:

   ipa group-add-member ad_admins --groups ad_admins_external

4. List the external members of the ad_admins_external group to see their SIDs:

   ipa group-show ad_admins_external

Definitions recovered from the compiled module body:

 Imports: ipalib.api, ipalib.parameters Int and Str, ipalib.plugins.baseldap (*),
 and the translation helpers _ and ngettext.

 Trusted-domain bindings: when api.env.in_server is set and api.env.context is
 'lite' or 'server', the module tries to import ipaserver.dcerpc and records the
 result in _dcerpc_bindings_installed (False on ImportError). The --external
 handling in group-add-member only resolves names to SIDs when this flag is set.

 PROTECTED_GROUPS = ('admins', 'trust admins', 'default smb group')

 group (LDAPObject; label "User Groups", label_singular "User Group"):
   container_dn api.env.container_group; object_name 'group', plural 'groups';
   object_class 'ipausergroup', object_class_config 'ipagroupobjectclasses';
   possible_objectclasses posixGroup, mepManagedEntry, ipaExternalGroup;
   search_attributes_config 'ipagroupsearchfields' (cn, description);
   default_attributes cn, description, gidnumber, member, memberof,
   memberindirect, memberofindirect, ipaexternalmember;
   uuid_attribute ipauniqueid; rdn_is_primary_key True;
   attribute_members: member and memberindirect may be user or group;
   memberof and memberofindirect may be group, netgroup, role, hbacrule, sudorule.
   takes_params:
     Str('cn', cli_name='group_name', label 'Group name', primary_key,
         normalizer lambda value: value.lower(),
         pattern '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
         pattern_errmsg 'may only include letters, numbers, _, -, . and $',
         maxlength set but its value is not readable in the dump)
     Str('description', cli_name='desc', label 'Description', doc 'Group description')
     Int('gidnumber?', cli_name='gid', label 'GID',
         doc 'GID (use this option to set it manually)', minvalue set, value not readable)
     Str('ipaexternalmember*', cli_name='external', label 'External member',
         doc 'comma-separated list of members of a trusted domain in DOM\name or name@domain form',
         csv=True, flags no_create, no_update, no_search)

 group_add ("Create a new group."; msg_summary 'Added group "%(value)s"'):
   Flag('nonposix', doc 'Create as a non-POSIX group')
   Flag('external', doc 'Allow adding external non-IPA members from trusted domains')
   A pre_callback consults both options when building the entry; its body is not readable.

 group_del (LDAPDelete):
   pre_callback reads the IPA config entry for def_primary_group and compares the
   target DN against it, refuses PROTECTED_GROUPS with ProtectedEntryError, and
   raises ManagedGroupError for a managed group.
   post_callback runs api.Command['pwpolicy_del'] for the group, ignoring
   errors.NotFound, and returns True.

 group_mod ("Modify a group."; msg_summary 'Modified group "%(value)s"'):
   Flag('posix', doc 'change to a POSIX group')
   Flag('external', doc 'change to support external non-IPA members from trusted domains')
   The pre_callback checks the entry's current objectclass list before converting;
   the exact error names are not readable.

 group_add_member (LDAPAddMember):
   post_callback runs external_callback_normalize on the --external values and,
   when _dcerpc_bindings_installed is set, validates each through
   ipaserver.dcerpc.DomainValidator (is_configured, is_trusted_sid_valid,
   get_sid_trusted_domain_object), collecting unresolvable ones as failed, raising
   errors.ValidationError where a value cannot be accepted, and then delegating to
   baseldap's add_external_post_callback.

 group_remove_member ("Remove members from a group."):
   pre_callback: for a group in PROTECTED_GROUPS with --users given, it takes the
   set of current member_user values and the set of users being removed; if the
   remaining users are a subset of the removed ones it raises errors.LastMemberError
   with key=sorted(users_deleted)[0], label 'group' and the protected group as container.
   post_callback delegates to remove_external_post_callback.

 group_detach (LDAPQuery; "Detach a managed group from a user.";
   msg_summary 'Detached group "%(value)s" from user "%(value)s"';
   has_output output.standard_value):
   execute docstring: "This requires updating both the user and the group. We
   first need to verify that both the user and group can be updated, then we go
   about our work. We don't want a situation where only the user or group can be
   modified and we're left in a bad state."
   It looks up the user entry via api.Object['user'] (handle_not_found), checks
   that the group has objectclass mepmanagedentry (else "Not a managed group"),
   checks ldap.can_write on both entries and raises errors.ACIError with
   "not allowed to modify user entries" or "not allowed to modify group entries",
   then removes mepOriginEntry from the user, removes mepManagedBy and the
   mepmanagedentry objectclass from the group, writes both updates, and returns
   result=True with value=keys[0].
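As an added example, not code from the FreeIPA project or from this page, the following Python collects the rules recovered above into plain functions that run offline: the group-name pattern with its lower-case normalizer, the protected-group checks behind group-del and group-remove-member, and a classifier for the three forms that group-add-member --external accepts. Assumptions: the cn maxlength (255 here) and the SID syntax regex are not on the page; the config value def_primary_group and the group's mepManagedBy value are passed in as arguments rather than read from LDAP; all function names are this example's own.

```python
import re

# Recovered from the plugin's 'cn' parameter: names are normalized to lower
# case and must match this pattern.  maxlength is not readable in the dump;
# 255 is an assumption made for this example.
GROUP_NAME_PATTERN = re.compile(
    r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$')
GROUP_NAME_MAXLENGTH = 255  # assumption
GROUP_NAME_ERRMSG = 'may only include letters, numbers, _, -, . and $'

# Recovered: groups that group-del refuses to delete and that
# group-remove-member refuses to leave without a user member.
PROTECTED_GROUPS = ('admins', 'trust admins', 'default smb group')

# Windows SID syntax: general knowledge, not taken from the page.
SID_PATTERN = re.compile(r'^S-1-\d+(?:-\d+)+$')


def normalize_group_name(value):
    """Mirror the primary-key normalizer: names compare case-insensitively."""
    return value.lower()


def validate_group_name(value):
    """Return the normalized name, or raise ValueError with the CLI's message."""
    if len(value) > GROUP_NAME_MAXLENGTH:
        raise ValueError('group name longer than %d characters'
                         % GROUP_NAME_MAXLENGTH)
    if not GROUP_NAME_PATTERN.match(value):
        raise ValueError(GROUP_NAME_ERRMSG)
    return normalize_group_name(value)


def is_valid_group_name(value):
    """Boolean form of validate_group_name()."""
    try:
        validate_group_name(value)
        return True
    except ValueError:
        return False


def group_delete_refusal(name, def_primary_group, managed_by=None):
    """Reason group-del would refuse to delete `name`, or None if it may proceed.

    def_primary_group is the config value group-del looks up; managed_by is the
    group's mepManagedBy value (set on groups managed for a user, see
    group-detach).  Both are passed in here instead of being read from LDAP.
    """
    name = normalize_group_name(name)
    if name in PROTECTED_GROUPS:
        return 'protected group'          # ProtectedEntryError in the plugin
    if name == normalize_group_name(def_primary_group):
        return 'default primary group'
    if managed_by:
        return 'managed group'            # ManagedGroupError in the plugin
    return None


def remove_member_allowed(name, current_users, users_to_remove):
    """group-remove-member's pre-check: a protected group keeps at least one user.

    Recovered logic: refuse when every current member_user is among the users
    being removed (users_left.issubset(users_deleted) raises LastMemberError).
    """
    if normalize_group_name(name) not in PROTECTED_GROUPS:
        return True
    users_left = set(current_users)
    users_deleted = set(users_to_remove)
    return not users_left.issubset(users_deleted)


def classify_external_member(spec):
    """Tell which of the three --external forms `spec` is: SID, DOM\\name or
    name@domain.  The plugin resolves the last two to a SID through the trusted
    domain's Global Catalog; that lookup is out of scope for this example.
    """
    if SID_PATTERN.match(spec):
        return 'sid'
    dom, sep, name = spec.partition('\\')
    if sep and dom and name:
        return 'dom_name'
    name, sep, dom = spec.rpartition('@')
    if sep and name and dom:
        return 'name_at_domain'
    raise ValueError('not a SID, DOM\\name or name@domain: %r' % spec)


if __name__ == '__main__':
    # Constructed inputs mirroring the docstring's examples.
    print(validate_group_name('LocalAdmins'))
    print(group_delete_refusal('admins', 'ipausers'))
    print(remove_member_allowed('admins', ['admin'], ['admin']))
    print(classify_external_member('AD\\Domain Admins'))
```

The checks are deliberately split into pure functions taking the LDAP-derived values as arguments, so the same logic can be unit-tested without a directory server and compared against what the real plugin does on a test realm.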