Users

Manage user entries. All users are POSIX users.

IPA supports a wide range of username formats, but you need to be aware of any
restrictions that may apply to your particular environment. For example,
usernames that start with a digit or usernames that exceed a certain length
may cause problems for some UNIX systems.
Use 'ipa config-mod' to change the username format allowed by IPA tools.

Disabling a user account prevents that user from obtaining new Kerberos
credentials. It does not invalidate any credentials that have already
been issued.

Password management is not a part of this module. For more information
about this topic please see: ipa help passwd

Account lockout on password failure happens per IPA master. The user-status
command can be used to identify which master the user is locked out on.
It is on that master the administrator must unlock the user.

EXAMPLES:

 Add a new user:
   ipa user-add --first=Tim --last=User --password tuser1

 Find all users whose entries include the string "Tim":
   ipa user-find Tim

 Find all users with "Tim" as the first name:
   ipa user-find --first=Tim

 Disable a user account:
   ipa user-disable tuser1

 Enable a user account:
   ipa user-enable tuser1

 Delete a user:
   ipa user-del tuser1