SSSDConfig.py revision 780ffc9f6d5e1fcd4df3d390b56cb98878223cc0
32d98ca5e560cf6c1062a0463be4c350af32bed5Thiemo Wiedemeyer'''
7a8401ce858002b67e8f4198fde45a1562696ccbChristian MaederCreated on Sep 18, 2009
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maeder
37eedb575dd3dc0ab25809693aa2d318f9084c56Christian Maeder@author: sgallagh
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maeder'''
97018cf5fa25b494adffd7e9b4e87320dae6bf47Christian Maeder
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maederimport os
3f69b6948966979163bdfe8331c38833d5d90ecdChristian Maederimport gettext
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maederimport exceptions
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maederfrom ipachangeconf import SSSDChangeConf
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maeder
f3a94a197960e548ecd6520bb768cb0d547457bbChristian Maeder# Exceptions
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maederclass SSSDConfigException(Exception): pass
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maederclass ParsingError(Exception): pass
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyerclass AlreadyInitializedError(SSSDConfigException): pass
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyerclass NotInitializedError(SSSDConfigException): pass
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyerclass NoOutputFileError(SSSDConfigException): pass
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyerclass NoServiceError(SSSDConfigException): pass
32d98ca5e560cf6c1062a0463be4c350af32bed5Thiemo Wiedemeyerclass NoSectionError(SSSDConfigException): pass
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyerclass NoOptionError(SSSDConfigException): pass
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyerclass ServiceNotRecognizedError(SSSDConfigException): pass
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyerclass ServiceAlreadyExists(SSSDConfigException): pass
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyerclass NoDomainError(SSSDConfigException): pass
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyerclass DomainNotRecognized(SSSDConfigException): pass
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyerclass DomainAlreadyExistsError(SSSDConfigException): pass
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyerclass NoSuchProviderError(SSSDConfigException): pass
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyerclass NoSuchProviderSubtypeError(SSSDConfigException): pass
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyerclass ProviderSubtypeInUse(SSSDConfigException): pass
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo WiedemeyerPACKAGE = 'sss_daemon'
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo WiedemeyerLOCALEDIR = '/usr/share/locale'
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyertranslation = gettext.translation(PACKAGE, LOCALEDIR, fallback=True)
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer_ = translation.ugettext
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer# TODO: This needs to be made external
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyeroption_strings = {
9a80079e082fdf4fe8e19f8fc61e6cd8799b47a7Christian Maeder # [service]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'debug_level' : _('Set the verbosity of the debug logging'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'debug_timestamps' : _('Include timestamps in debug logs'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'debug_to_files' : _('Write debug messages to logfiles'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'timeout' : _('Ping timeout before restarting service'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'command' : _('Command to start service'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer # [sssd]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'services' : _('SSSD Services to start'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'domains' : _('SSSD Domains to start'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'sbus_timeout' : _('Timeout for messages sent over the SBUS'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 're_expression' : _('Regex to parse username and domain'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer # [nss]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'entry_cache_no_wait_timeout' : _('Entry cache background update timeout length (seconds)'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'entry_negative_timeout' : _('Negative cache timeout length (seconds)'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'filter_users' : _('Users that SSSD should explicitly ignore'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'filter_groups' : _('Groups that SSSD should explicitly ignore'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'filter_users_in_groups' : _('Should filtered users appear in groups'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'pwfield' : _('The value of the password field the NSS provider should return'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer # [pam]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer # [provider]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'id_provider' : _('Identity provider'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'auth_provider' : _('Authentication provider'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'access_provider' : _('Access control provider'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'chpass_provider' : _('Password change provider'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer # [domain]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'min_id' : _('Minimum user ID'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'max_id' : _('Maximum user ID'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'timeout' : _('Ping timeout before restarting domain'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'enumerate' : _('Enable enumerating all users/groups'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'cache_credentials' : _('Cache credentials for offline login'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'store_legacy_passwords' : _('Store password hashes'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'use_fully_qualified_names' : _('Display users/groups in fully-qualified form'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'entry_cache_timeout' : _('Entry cache timeout length (seconds)'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'dns_resolver_timeout' : _('How long to wait for replies from DNS when resolving servers (seconds)'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'dns_discovery_domain' : _('The domain part of service discovery DNS query'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer # [provider/ipa]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ipa_domain' : _('IPA domain'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ipa_server' : _('IPA server address'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ipa_hostname' : _('IPA client hostname'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ipa_dyndns_update' : _("Whether to automatically update the client's DNS entry in FreeIPA"),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer # [provider/krb5]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'krb5_kdcip' : _('Kerberos server address'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'krb5_realm' : _('Kerberos realm'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'krb5_auth_timeout' : _('Authentication timeout'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer # [provider/krb5/auth]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'krb5_ccachedir' : _('Directory to store credential caches'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'krb5_ccname_template' : _("Location of the user's credential cache"),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'krb5_keytab' : _("Location of the keytab to validate credentials"),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'krb5_validate' : _("Enable credential validation"),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'krb5_store_password_if_offline' : _("Store password if offline for later online authentication"),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer # [provider/krb5/chpass]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer # [provider/ldap]
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ldap_uri' : _('ldap_uri, The URI of the LDAP server'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ldap_search_base' : _('The default base DN'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ldap_schema' : _('The Schema Type in use on the LDAP server, rfc2307'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ldap_default_bind_dn' : _('The default bind DN'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ldap_default_authtok_type' : _('The type of the authentication token of the default bind DN'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ldap_default_authtok' : _('The authentication token of the default bind DN'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_network_timeout' : _('Length of time to attempt connection'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_opt_timeout' : _('Length of time to attempt synchronous LDAP operations'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_offline_timeout' : _('Length of time between attempts to reconnect while offline'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_tls_cacert' : _('File that contains CA certificates'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_tls_cacertdir' : _('Path to CA certificate directory'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ldap_tls_reqcert' : _('Require TLS certificate verification'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_sasl_mech' : _('Specify the sasl mechanism to use'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'krb5_kdcip' : _('Kerberos server address'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'krb5_realm' : _('Kerberos realm'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'ldap_krb5_keytab' : _('Kerberos service keytab'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'ldap_referrals' : _('Follow LDAP referrals'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_krb5_ticket_lifetime' : _('Lifetime of TGT for LDAP connection'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer # [provider/ldap/id]
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_search_timeout' : _('Length of time to wait for a search request'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_enumeration_refresh_timeout' : _('Length of time between enumeration updates'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ldap_id_use_start_tls' : _('Require TLS for ID lookups'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_user_search_base' : _('Base DN for user lookups'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_user_search_scope' : _('Scope of user lookups'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'ldap_user_search_filter' : _('Filter for user lookups'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_user_object_class' : _('Objectclass for users'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_user_name' : _('Username attribute'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_user_uid_number' : _('UID attribute'),
c7f4a6ff1152bff4eb0025eb70cfb2d96b55d4d8Thiemo Wiedemeyer 'ldap_user_gid_number' : _('Primary GID attribute'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_user_gecos' : _('GECOS attribute'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_user_homedir' : _('Home directory attribute'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_user_shell' : _('Shell attribute'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_user_uuid' : _('UUID attribute'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_user_principal' : _('User principal attribute (for Kerberos)'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'ldap_user_fullname' : _('Full Name'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'ldap_user_member_of' : _('memberOf attribute'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'ldap_user_modify_timestamp' : _('Modification time attribute'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer # [provider/ldap/auth]
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer # [provider/ldap/access]
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'ldap_access_filter' : _('LDAP filter to determine access privileges'),
57bb31a6834641607fff7fc457b5a3e19238a132Christian Maeder
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer # [provider/simple/access]
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyer 'simple_allow_users' : _('Comma separated list of allowed users'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'simple_deny_users' : _('Comma separated list of prohibited users'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer # [provider/local/id]
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'default_shell' : _('Default shell, /bin/bash'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'base_directory' : _('Base for home directories'),
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer # [provider/proxy/id]
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'proxy_lib_name' : _('The name of the NSS library to use'),
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer # [provider/proxy/auth]
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer 'proxy_pam_target' : _('PAM stack to use')
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer}
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyerdef striplist(l):
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer return([x.strip() for x in l])
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyerdef options_overlap(options1, options2):
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer overlap = []
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer for option in options1:
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer if option in options2:
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer overlap.append(option)
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer return overlap
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyer
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyerclass SSSDConfigSchema(SSSDChangeConf):
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer def __init__(self, schemafile, schemaplugindir):
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer SSSDChangeConf.__init__(self)
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer #TODO: get these from a global setting
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer if not schemafile:
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer schemafile = '/etc/sssd/sssd.api.conf'
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer if not schemaplugindir:
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyer schemaplugindir = '/etc/sssd/sssd.api.d'
9b01b265715d725c17d51619d297bbb97f37d1b5Thiemo Wiedemeyer
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer try:
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer #Read the primary config file
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer fd = open(schemafile, 'r')
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer self.readfp(fd)
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyer fd.close()
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer # Read in the provider files
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer for file in os.listdir(schemaplugindir):
57bb31a6834641607fff7fc457b5a3e19238a132Christian Maeder fd = open(schemaplugindir+ "/" + file)
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer self.readfp(fd)
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer fd.close()
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer except IOError:
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer raise
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer except SyntaxError: # can be raised with readfp
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer raise ParsingError
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer
57bb31a6834641607fff7fc457b5a3e19238a132Christian Maeder # Set up lookup table for types
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer self.type_lookup = {
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'bool' : bool,
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'int' : int,
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'long' : long,
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'float': float,
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'str' : str,
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'list' : list,
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'None' : None
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer }
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer # Lookup table for acceptable boolean values
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer self.bool_lookup = {
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer 'false' : False,
57bb31a6834641607fff7fc457b5a3e19238a132Christian Maeder 'true' : True,
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer }
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer def get_options(self, section):
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer if not self.has_section(section):
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer raise NoSectionError
d1066b8fb69179973dcab47154858d77e72760a7Thiemo Wiedemeyer options = self.options(section)
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maeder
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyer # Indexes
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyer PRIMARY_TYPE = 0
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyer SUBTYPE = 1
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyer MANDATORY = 2
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyer DEFAULT = 3
2083e66e910c2144cf800f31910993064c5f16beThiemo Wiedemeyer
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer # Parse values
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer parsed_options = {}
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer for option in self.strip_comments_empty(options):
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer unparsed_option = option['value']
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer split_option = striplist(unparsed_option.split(','))
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer optionlen = len(split_option)
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer primarytype = self.type_lookup[split_option[PRIMARY_TYPE]]
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer subtype = self.type_lookup[split_option[SUBTYPE]]
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer mandatory = self.bool_lookup[split_option[MANDATORY]]
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer if option_strings.has_key(option['name']):
6e2c6baa4352577819386beb3a21d7c247eab52cThiemo Wiedemeyer desc = option_strings[option['name']]
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maeder else:
2c3b3333159c7eeef90480500729409bf3388550Klaus Luettich desc = None
e5b79e9fe9606fd386dc840ea9f1514e7b9b32b9Christian Maeder
if optionlen == 3:
# This option has no defaults
parsed_options[option['name']] = \
(primarytype,
subtype,
mandatory,
desc,
None)
elif optionlen == 4:
if type(split_option[DEFAULT]) == primarytype:
parsed_options[option['name']] = \
(primarytype,
subtype,
mandatory,
desc,
split_option[DEFAULT])
elif primarytype == list:
if (type(split_option[DEFAULT]) == subtype):
parsed_options[option['name']] = \
(primarytype,
subtype,
mandatory,
desc,
[split_option[DEFAULT]])
else:
try:
if subtype == bool and \
type(split_option[DEFAULT]) == str:
parsed_options[option['name']] = \
(primarytype,
subtype,
mandatory,
desc,
[self.bool_lookup[split_option[DEFAULT].lower()]])
else:
parsed_options[option['name']] = \
(primarytype,
subtype,
mandatory,
desc,
[subtype(split_option[DEFAULT])])
except ValueError, KeyError:
raise ParsingError
else:
try:
if primarytype == bool and \
type(split_option[DEFAULT]) == str:
parsed_options[option['name']] = \
(primarytype,
subtype,
mandatory,
desc,
self.bool_lookup[split_option[DEFAULT].lower()])
else:
parsed_options[option['name']] = \
(primarytype,
subtype,
mandatory,
desc,
primarytype(split_option[DEFAULT]))
except ValueError, KeyError:
raise ParsingError
elif optionlen > 4:
if (primarytype != list):
raise ParsingError
fixed_options = []
for x in split_option[DEFAULT:]:
if type(x) != subtype:
try:
if (subtype == bool and type(x) == str):
newvalue = self.bool_lookup[x.lower()]
else:
newvalue = subtype(x)
fixed_options.extend([newvalue])
except ValueError, KeyError:
raise ParsingError
else:
fixed_options.extend([x])
parsed_options[option['name']] = \
(primarytype,
subtype,
mandatory,
desc,
fixed_options)
else:
# Bad config file
raise ParsingError
return parsed_options
def get_option(self, section, option):
if not self.has_section(section):
raise NoSectionError(section)
if not self.has_option(section, option):
raise NoOptionError("Section [%s] has no option [%s]" %
(section, option))
return self.get_options(section)[option]
def get_defaults(self, section):
if not self.has_section(section):
raise NoSectionError(section)
schema_options = self.get_options(section)
defaults = dict([(x,schema_options[x][4])
for x in schema_options.keys()
if schema_options[x][4] != None])
return defaults
def get_services(self):
service_list = [x['name'] for x in self.sections()
if x['name'] != 'service' and
not x['name'].startswith('domain') and
not x['name'].startswith('provider')]
return service_list
def get_providers(self):
providers = {}
for section in self.sections():
splitsection = section['name'].split('/')
if (splitsection[0] == 'provider'):
if(len(splitsection) == 3):
if not providers.has_key(splitsection[1]):
providers[splitsection[1]] = []
providers[splitsection[1]].extend([splitsection[2]])
for key in providers.keys():
providers[key] = tuple(providers[key])
return providers
class SSSDConfigObject(object):
def __init__(self):
self.name = None
self.options = {}
def get_name(self):
"""
Return the name of the this object
=== Returns ===
The domain name
=== Errors ===
No errors
"""
return self.name
def get_option(self, optionname):
"""
Return the value of an service option
optionname:
The option to get.
=== Returns ===
The value for the requested option.
=== Errors ===
NoOptionError:
The specified option was not listed in the service
"""
if optionname in self.options.keys():
return self.options[optionname]
raise NoOptionError(optionname)
def get_all_options(self):
"""
Return a dictionary of name/value pairs for this object
=== Returns ===
A dictionary of name/value pairs currently in use for this object
=== Errors ===
No errors
"""
return self.options
def remove_option(self, optionname):
"""
Remove an option from the object. If the option does not exist, it is ignored.
=== Returns ===
No return value.
=== Errors ===
No errors
"""
if self.options.has_key(optionname):
del self.options[optionname]
class SSSDService(SSSDConfigObject):
'''
Object to manipulate SSSD service options
'''
def __init__(self, servicename, apischema):
"""
Create a new SSSDService, setting its defaults to those found in the
schema. This constructor should not be used directly. Use
SSSDConfig.new_service() instead.
name:
The service name
apischema:
An SSSDConfigSchema? object created by SSSDConfig.__init__()
=== Returns ===
The newly-created SSSDService object.
=== Errors ===
TypeError:
The API schema passed in was unusable or the name was not a string.
ServiceNotRecognizedError:
The service was not listed in the schema
"""
SSSDConfigObject.__init__(self)
if not isinstance(apischema, SSSDConfigSchema) or type(servicename) != str:
raise TypeError
if not apischema.has_section(servicename):
raise ServiceNotRecognizedError(servicename)
self.name = servicename
self.schema = apischema
# Set up the service object with any known defaults
self.options = {}
# Include a list of hidden options
self.hidden_options = []
# Set up default options for all services
self.options.update(self.schema.get_defaults('service'))
# Set up default options for this service
self.options.update(self.schema.get_defaults(self.name))
# For the [sssd] service, force the config file version
if servicename == 'sssd':
self.options['config_file_version'] = 2
self.hidden_options.append('config_file_version')
def list_options_with_mandatory(self):
"""
List options for the service, including the mandatory flag.
=== Returns ===
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), whether it is mandatory, the
translated option description, and the default value (or 'None') as
the value.
Example:
{ 'enumerate' :
(bool, None, False, u'Enable enumerating all users/groups', True) }
=== Errors ===
No errors
"""
options = {}
# Get the list of available options for all services
schema_options = self.schema.get_options('service')
options.update(schema_options)
schema_options = self.schema.get_options(self.name)
options.update(schema_options)
return options
def list_options(self):
"""
List all options that apply to this service
=== Returns ===
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), the translated option description, and
the default value (or 'None') as the value.
Example:
{ 'services' :
(list, str, u'SSSD Services to start', ['nss', 'pam']) }
=== Errors ===
No Errors
"""
options = self.list_options_with_mandatory()
# Filter out the mandatory field to maintain compatibility
# with older versions of the API
filtered_options = {}
for key in options.keys():
filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
return filtered_options
def list_mandatory_options(self):
"""
List all mandatory options that apply to this service
=== Returns ===
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), the translated option description, and
the default value (or 'None') as the value.
Example:
{ 'services' :
(list, str, u'SSSD Services to start', ['nss', 'pam']) }
=== Errors ===
No Errors
"""
options = self.list_options_with_mandatory()
# Filter out the mandatory field to maintain compatibility
# with older versions of the API
filtered_options = {}
for key in options.keys():
if options[key][2]:
filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
return filtered_options
def set_option(self, optionname, value):
"""
Set a service option to the specified value (or values)
optionname:
The option to change
value:
The value to set. This may be a single value or a list of values. If
it is set to None, it resets the option to its default.
=== Returns ===
No return value
=== Errors ===
NoOptionError:
The specified option is not listed in the schema
TypeError:
The value specified was not of the expected type
"""
if self.schema.has_option(self.name, optionname):
option_schema = self.schema.get_option(self.name, optionname)
elif self.schema.has_option('service', optionname):
option_schema = self.schema.get_option('service', optionname)
elif optionname in self.hidden_options:
# Set this option and do not add it to the list of changeable values
self.options[optionname] = value
return
else:
raise NoOptionError('Section [%s] has no option [%s]' % (self.name, optionname))
if value == None:
self.remove_option(optionname)
return
raise_error = False
# If we were expecting a list and didn't get one,
# Create a list with a single entry. If it's the
# wrong subtype, it will fail below
if option_schema[0] == list and type(value) != list:
if type(value) == str:
value = striplist(value.split(','))
else:
value = [value]
if type(value) != option_schema[0]:
# If it's possible to convert it, do so
try:
if option_schema[0] == bool and \
type(value) == str:
value = self.schema.bool_lookup[value.lower()]
else:
value = option_schema[0](value)
except ValueError:
raise_error = True
except KeyError:
raise_error = True
if raise_error:
raise TypeError('Expected %s for %s, received %s' %
(option_schema[0], optionname, type(value)))
if type(value) == list:
# Iterate through the list an ensure that all members
# are of the appropriate subtype
try:
newvalue = []
for x in value:
if option_schema[1] == bool and \
type(x) == str:
newvalue.extend([self.schema.bool_lookup[x.lower()]])
else:
newvalue.extend([option_schema[1](x)])
except ValueError:
raise_error = True
except KeyError:
raise_error = True
if raise_error:
raise TypeError('Expected %s' % option_schema[1])
value = newvalue
self.options[optionname] = value
class SSSDDomain(SSSDConfigObject):
"""
Object to manipulate SSSD domain options
"""
def __init__(self, domainname, apischema):
"""
Creates a new, empty SSSDDomain. This domain is inactive by default.
This constructor should not be used directly. Use
SSSDConfig.new_domain() instead.
name:
The domain name.
apischema:
An SSSDConfigSchema object created by SSSDConfig.__init__()
=== Returns ===
The newly-created SSSDDomain object.
=== Errors ===
TypeError:
apischema was not an SSSDConfigSchema object or domainname was not
a string
"""
SSSDConfigObject.__init__(self)
if not isinstance(apischema, SSSDConfigSchema) or type(domainname) != str:
raise TypeError
self.name = domainname
self.schema = apischema
self.active = False
self.oldname = None
self.providers = []
# Set up the domain object with any known defaults
self.options = {}
# Set up default options for all domains
self.options.update(self.schema.get_defaults('provider'))
self.options.update(self.schema.get_defaults('domain'))
def set_active(self, active):
"""
Enable or disable this domain
active:
Boolean value. If True, this domain will be added to the active
domains list when it is saved. If False, it will be removed from the
active domains list when it is saved.
=== Returns ===
No return value
=== Errors ===
No errors
"""
self.active = bool(active)
def list_options_with_mandatory(self):
"""
List options for the currently-configured providers, including the
mandatory flag
=== Returns ===
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), whether it is mandatory, the
translated option description, and the default value (or 'None') as
the value.
Example:
{ 'enumerate' :
(bool, None, False, u'Enable enumerating all users/groups', True) }
=== Errors ===
No errors
"""
options = {}
# Get the list of available options for all domains
options.update(self.schema.get_options('provider'))
options.update(self.schema.get_options('domain'))
# Candidate for future optimization: will update primary type
# for each subtype
for (provider, providertype) in self.providers:
schema_options = self.schema.get_options('provider/%s'
% provider)
options.update(schema_options)
schema_options = self.schema.get_options('provider/%s/%s'
% (provider, providertype))
options.update(schema_options)
return options
def list_options(self):
"""
List options available for the currently-configured providers.
=== Returns ===
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), the translated option description, and
the default value (or 'None') as the value.
Example:
{ 'enumerate' :
(bool, None, u'Enable enumerating all users/groups', True) }
=== Errors ===
No errors
"""
options = self.list_options_with_mandatory()
# Filter out the mandatory field to maintain compatibility
# with older versions of the API
filtered_options = {}
for key in options.keys():
filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
return filtered_options
def list_mandatory_options(self):
"""
List mandatory options for the currently-configured providers.
=== Returns ===
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), the translated option description, and
the default value (or 'None') as the value.
Example:
{ 'enumerate' :
(bool, None, u'Enable enumerating all users/groups', True) }
=== Errors ===
No errors
"""
options = self.list_options_with_mandatory()
# Filter out the mandatory field to maintain compatibility
# with older versions of the API
filtered_options = {}
for key in options.keys():
if options[key][2]:
filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
return filtered_options
def list_provider_options(self, provider, provider_type=None):
"""
If provider_type is specified, list all options applicable to that
target, otherwise list all possible options available for a provider.
type:
Provider backend type. (e.g. local, ldap, krb5, etc.)
provider_type:
Subtype of the backend type. (e.g. id, auth, access, chpass)
=== Returns ===
A dictionary of configurable options for the specified provider type.
This dictionary is keyed on the option name with a tuple of the
variable type, subtype ('None' if the type is not a collection type),
the translated option description, and the default value (or 'None')
as the value.
=== Errors ===
NoSuchProviderError:
The specified provider is not listed in the schema or plugins
NoSuchProviderSubtypeError:
The specified provider subtype is not listed in the schema
"""
#TODO section checking
options = self.schema.get_options('provider/%s' % provider)
if(provider_type):
options.update(self.schema.get_options('provider/%s/%s' %
(provider, provider_type)))
else:
# Add options from all provider subtypes
known_providers = self.list_providers()
for provider_type in known_providers[provider]:
options.update(self.list_provider_options(provider,
provider_type))
return options
def list_providers(self):
"""
Return a dictionary of providers.
=== Returns ===
Returns a dictionary of providers, keyed on the primary type, with the
value being a tuple of the subtypes it supports.
Example:
{ 'ldap' : ('id', 'auth', 'chpass') }
=== Errors ===
No Errors
"""
return self.schema.get_providers()
def set_option(self, option, value):
"""
Set a domain option to the specified value (or values)
option:
The option to change.
value:
The value to set. This may be a single value or a list of values.
If it is set to None, it resets the option to its default.
=== Returns ===
No return value.
=== Errors ===
NoOptionError:
The specified option is not listed in the schema
TypeError:
The value specified was not of the expected type
"""
options = self.list_options()
if (option not in options.keys()):
raise NoOptionError('Section [%s] has no option [%s]' %
(self.name, option))
if value == None:
self.remove_option(option)
return
option_schema = options[option]
raise_error = False
# If we were expecting a list and didn't get one,
# Create a list with a single entry. If it's the
# wrong subtype, it will fail below
if option_schema[0] == list and type(value) != list:
if type(value) == str:
value = striplist(value.split(','))
else:
value = [value]
if type(value) != option_schema[0]:
# If it's possible to convert it, do so
try:
if option_schema[0] == bool and \
type(value) == str:
value = self.schema.bool_lookup[value.lower()]
else:
value = option_schema[0](value)
except ValueError:
raise_error = True
except KeyError:
raise_error = True
if raise_error:
raise TypeError('Expected %s for %s, received %s' %
(option_schema[0], option, type(value)))
if type(value) == list:
# Iterate through the list an ensure that all members
# are of the appropriate subtype
try:
newvalue = []
for x in value:
if option_schema[1] == bool and \
type(x) == str:
newvalue.extend([self.schema.bool_lookup[x.lower()]])
else:
newvalue.extend([option_schema[1](x)])
except ValueError:
raise_error = True
except KeyError:
raise_error = True
if raise_error:
raise TypeError('Expected %s' % option_schema[1])
value = newvalue
# Check whether we're adding a provider entry.
is_provider = option.rfind('_provider')
if (is_provider > 0):
provider = option[:is_provider]
try:
self.add_provider(value, provider)
except NoSuchProviderError:
raise NoOptionError
else:
self.options[option] = value
def set_name(self, newname):
"""
Change the name of the domain
newname:
New name for this domain
=== Returns ===
No return value.
=== Errors ===
TypeError:
newname was not a string
"""
if type(newname) != str:
raise TypeError
if not self.oldname:
# Only set the oldname once
self.oldname = self.name
self.name = newname
def add_provider(self, provider, provider_type):
"""
Add a new provider type to the domain
type:
Provider backend type. (e.g. local, ldap, krb5, etc.)
subtype:
Subtype of the backend type. (e.g. id, auth, chpass)
=== Returns ===
No return value.
=== Errors ===
ProviderSubtypeInUse:
Another backend is already providing this subtype
NoSuchProviderError:
The specified provider is not listed in the schema or plugins
NoSuchProviderSubtypeError:
The specified provider subtype is not listed in the schema
"""
# Check that provider and provider_type are valid
configured_providers = self.list_providers()
if provider in configured_providers.keys():
if provider_type not in configured_providers[provider]:
raise NoSuchProviderSubtypeError(provider_type)
else:
raise NoSuchProviderError
# Don't add a provider twice
with_this_type = [x for x in self.providers if x[1] == provider_type]
if len(with_this_type) > 1:
# This should never happen!
raise ProviderSubtypeInUse
if len(with_this_type) == 1:
if with_this_type[0][0] != provider:
raise ProviderSubtypeInUse(with_this_type[0][0])
else:
self.providers.extend([(provider, provider_type)])
option_name = '%s_provider' % provider_type
self.options[option_name] = provider
# Add defaults for this provider
self.options.update(self.schema.get_defaults('provider/%s' %
provider))
self.options.update(self.schema.get_defaults('provider/%s/%s' %
(provider,
provider_type)))
def remove_provider(self, provider_type):
"""
Remove a provider from the domain. If the provider is not present, it
is ignored.
provider_type:
Subtype of the backend type. (e.g. id, auth, chpass)
=== Returns ===
No return value.
=== Errors ===
No Errors
"""
provider = None
for (provider, ptype) in self.providers:
if ptype == provider_type:
break
provider = None
# Check whether the provider_type was found
if not provider:
return
# Remove any unused options when removing the provider.
options = self.list_provider_options(provider, provider_type)
# Trim any options that are used by other providers,
# if that provider is in use
for (prov, ptype) in self.providers:
# Ignore the one being removed
if (prov, ptype) == (provider, provider_type):
continue
provider_options = self.list_provider_options(prov, ptype)
overlap = options_overlap(options.keys(), provider_options.keys())
for opt in overlap:
del options[opt]
# We should now have a list of options used only by this
# provider. So we remove them.
for option in options:
if self.options.has_key(option):
del self.options[option]
self.providers.remove((provider, provider_type))
class SSSDConfig(SSSDChangeConf):
"""
class SSSDConfig
Primary class for operating on SSSD configurations
"""
def __init__(self, schemafile=None, schemaplugindir=None):
"""
Initialize the SSSD config parser/editor. This constructor does not
open or create a config file. If the schemafile and schemaplugindir
are not passed, it will use the system defaults.
schemafile:
The path to the api schema config file. Usually
/etc/sssd/sssd.api.conf
schemaplugindir:
The path the directory containing the provider schema config files.
Usually /etc/sssd/sssd.api.d
=== Returns ===
The newly-created SSSDConfig object.
=== Errors ===
IOError:
Exception raised when the schema file could not be opened for
reading.
ParsingError:
The main schema file or one of those in the plugin directory could
not be parsed.
"""
SSSDChangeConf.__init__(self)
self.schema = SSSDConfigSchema(schemafile, schemaplugindir)
self.configfile = None
self.initialized = False
self.API_VERSION = 2
def import_config(self,configfile=None):
"""
Read in a config file, populating all of the service and domain
objects with the read values.
configfile:
The path to the SSSD config file. If not specified, use the system
default, usually /etc/sssd/sssd.conf
=== Returns ===
No return value
=== Errors ===
IOError:
Exception raised when the file could not be opened for reading
ParsingError:
Exception raised when errors occur attempting to parse a file.
AlreadyInitializedError:
This SSSDConfig object was already initialized by a call to
import_config() or new_config()
"""
if self.initialized:
raise AlreadyInitializedError
if not configfile:
#TODO: get this from a global setting
configfile = '/etc/sssd/sssd.conf'
# open will raise an IOError if it fails
fd = open(configfile, 'r')
try:
self.readfp(fd)
except:
raise ParsingError
fd.close()
self.configfile = configfile
self.initialized = True
try:
if int(self.get('sssd', 'config_file_version')) != self.API_VERSION:
raise ParsingError("Wrong config_file_version")
except:
# Either the 'sssd' section or the 'config_file_version' was not
# present in the config file
raise ParsingError("File contains no config_file_version")
def new_config(self):
"""
Initialize the SSSDConfig object with the defaults from the schema.
=== Returns ===
No return value
=== Errors ===
AlreadyInitializedError:
This SSSDConfig object was already initialized by a call to
import_config() or new_config()
"""
if self.initialized:
raise AlreadyInitializedError
self.initialized = True
#Initialize all services
for servicename in self.schema.get_services():
service = self.new_service(servicename)
def write(self, outputfile=None):
"""
Write out the configuration to a file.
outputfile:
The path to write the new config file. If it is not specified, it
will use the path specified by the import() call.
=== Returns ===
No return value
=== Errors ===
IOError:
Exception raised when the file could not be opened for writing
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
NoOutputFileError:
No outputfile was specified and this SSSDConfig object was not
initialized by import()
"""
if not self.initialized:
raise NotInitializedError
if outputfile == None:
if(self.configfile == None):
raise NoOutputFileError
outputfile = self.configfile
# open() will raise IOError if it fails
old_umask = os.umask(0177)
of = open(outputfile, "wb")
output = self.dump(self.opts)
of.write(output)
of.close()
os.umask(old_umask)
def list_services(self):
"""
Retrieve a list of known services.
=== Returns ===
The list of known services.
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
"""
if not self.initialized:
raise NotInitializedError
service_list = [x['name'] for x in self.sections()
if not x['name'].startswith('domain') ]
return service_list
def get_service(self, name):
"""
Get an SSSDService object to edit a service.
name:
The name of the service to return.
=== Returns ===
An SSSDService instance containing the current state of a service in
the SSSDConfig
=== Errors ===
NoServiceError:
There is no such service with the specified name in the SSSDConfig.
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
"""
if not self.initialized:
raise NotInitializedError
if not self.has_section(name):
raise NoServiceError
service = SSSDService(name, self.schema)
for opt in self.strip_comments_empty(self.options(name)):
try:
service.set_option(opt['name'], opt['value'])
except NoOptionError:
# If we come across an option that we don't recognize,
# we should just ignore it and continue
pass
return service
def new_service(self, name):
"""
Create a new service from the defaults and return the SSSDService
object for it. This function will also add this service to the list of
active services in the [SSSD] section.
name:
The name of the service to create and return.
=== Returns ===
The newly-created SSSDService object
=== Errors ===
ServiceNotRecognizedError:
There is no such service in the schema.
ServiceAlreadyExistsError:
The service being created already exists in the SSSDConfig object.
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
"""
if not self.initialized:
raise NotInitializedError
if (self.has_section(name)):
raise ServiceAlreadyExists(name)
service = SSSDService(name, self.schema)
self.save_service(service)
return service
def delete_service(self, name):
"""
Remove a service from the SSSDConfig object. This function will also
remove this service from the list of active services in the [SSSD]
section. Has no effect if the service does not exist.
=== Returns ===
No return value
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
"""
if not self.initialized:
raise NotInitializedError
self.delete_option('section', name)
def save_service(self, service):
"""
Save the changes made to the service object back to the SSSDConfig
object.
service_object:
The SSSDService object to save to the configuration.
=== Returns ===
No return value
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
TypeError:
service_object was not of the type SSSDService
"""
if not self.initialized:
raise NotInitializedError
if not isinstance(service, SSSDService):
raise TypeError
name = service.get_name()
# Ensure that the existing section is removed
# This way we ensure that we are getting a
# complete copy of the service.
# delete_option() is a noop if the section
# does not exist.
index = self.delete_option('section', name)
addkw = []
for option,value in service.get_all_options().items():
if (type(value) == list):
value = ', '.join(value)
addkw.append( { 'type' : 'option',
'name' : option,
'value' : str(value) } )
self.add_section(name, addkw, index)
def list_active_domains(self):
"""
Return a list of all active domains.
=== Returns ===
The list of configured, active domains.
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
"""
if not self.initialized:
raise NotInitializedError
if (self.has_option('sssd', 'domains')):
active_domains = striplist(self.get('sssd', 'domains').split(','))
domain_dict = dict.fromkeys(active_domains)
if domain_dict.has_key(''):
del domain_dict['']
# Remove any entries in this list that don't
# correspond to an active domain, for integrity
configured_domains = self.list_domains()
for dom in domain_dict.keys():
if dom not in configured_domains:
del domain_dict[dom]
active_domains = domain_dict.keys()
else:
active_domains = []
return active_domains
def list_inactive_domains(self):
"""
Return a list of all configured, but disabled domains.
=== Returns ===
The list of configured, inactive domains.
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
"""
if not self.initialized:
raise NotInitializedError
if (self.has_option('sssd', 'domains')):
active_domains = striplist(self.get('sssd', 'domains').split(','))
else:
active_domains = []
domains = [x for x in self.list_domains()
if x not in active_domains]
return domains
def list_domains(self):
"""
Return a list of all configured domains, including inactive domains.
=== Returns ===
The list of configured domains, both active and inactive.
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
"""
if not self.initialized:
raise NotInitializedError
domains = [x['name'][7:] for x in self.sections() if x['name'].startswith('domain/')]
return domains
def get_domain(self, name):
"""
Get an SSSDDomain object to edit a domain.
name:
The name of the domain to return.
=== Returns ===
An SSSDDomain instance containing the current state of a domain in the
SSSDConfig
=== Errors ===
NoDomainError:
There is no such domain with the specified name in the SSSDConfig.
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
"""
if not self.initialized:
raise NotInitializedError
if not self.has_section('domain/%s' % name):
raise NoDomainError(name)
domain = SSSDDomain(name, self.schema)
# Read in the providers first or we may have type
# errors trying to read in their options
providers = [ (x['name'],x['value']) for x in self.strip_comments_empty(self.options('domain/%s' % name))
if x['name'].rfind('_provider') > 0]
for (option, value) in providers:
try:
domain.set_option(option, value)
except NoOptionError:
# If we come across an option that we don't recognize,
# we should just ignore it and continue
pass
# Read in all the options from the configuration
for opt in self.strip_comments_empty(self.options('domain/%s' % name)):
if (opt['name'], opt['value']) not in providers:
try:
domain.set_option(opt['name'], opt['value'])
except NoOptionError:
# If we come across an option that we don't recognize,
# we should just ignore it and continue
pass
# Determine if this domain is currently active
domain.active = self.is_domain_active(name)
return domain
def new_domain(self, name):
"""
Create a new, empty domain and return the SSSDDomain object for it.
name:
The name of the domain to create and return.
=== Returns ===
The newly-created SSSDDomain object
=== Errors ===
DomainAlreadyExistsError:
The service being created already exists in the SSSDConfig object.
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
"""
if not self.initialized:
raise NotInitializedError
if self.has_section('domain/%s' % name):
raise DomainAlreadyExistsError
domain = SSSDDomain(name, self.schema)
self.save_domain(domain)
return domain
def is_domain_active(self, name):
"""
Is a particular domain set active
name:
The name of the configured domain to check
=== Returns ===
True if the domain is active, False if it is inactive
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
NoDomainError:
No domain by this name is configured
"""
if not self.initialized:
raise NotInitializedError
if name not in self.list_domains():
raise NoDomainError
return name in self.list_active_domains()
def activate_domain(self, name):
"""
Activate a configured domain
name:
The name of the configured domain to activate
=== Returns ===
No return value
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
NoDomainError:
No domain by this name is configured
"""
if not self.initialized:
raise NotInitializedError
if name not in self.list_domains():
raise NoDomainError
item = self.get_option_index('sssd', 'domains')[1]
if not item:
self.set('sssd','domains', name)
return
# Turn the items into a set of dictionary keys
# This guarantees uniqueness and makes it easy
# to add a new value
domain_dict = dict.fromkeys(striplist(item['value'].split(',')))
if domain_dict.has_key(''):
del domain_dict['']
# Add a new key for the domain being activated
domain_dict[name] = None
# Write out the joined keys
self.set('sssd','domains', ", ".join(domain_dict.keys()))
def deactivate_domain(self, name):
"""
Deactivate a configured domain
name:
The name of the configured domain to deactivate
=== Returns ===
No return value
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
NoDomainError:
No domain by this name is configured
"""
if not self.initialized:
raise NotInitializedError
if name not in self.list_domains():
raise NoDomainError
item = self.get_option_index('sssd', 'domains')[1]
if not item:
self.set('sssd','domains', '')
return
# Turn the items into a set of dictionary keys
# This guarantees uniqueness and makes it easy
# to remove the one unwanted value.
domain_dict = dict.fromkeys(striplist(item['value'].split(',')))
if domain_dict.has_key(''):
del domain_dict['']
# Remove the unwanted domain from the lest
if domain_dict.has_key(name):
del domain_dict[name]
# Write out the joined keys
self.set('sssd','domains', ", ".join(domain_dict.keys()))
def delete_domain(self, name):
"""
Remove a domain from the SSSDConfig object. This function will also
remove this domain from the list of active domains in the [SSSD]
section, if it is there.
=== Returns ===
No return value
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
"""
if not self.initialized:
raise NotInitializedError
# Remove the domain from the active domains list if applicable
self.deactivate_domain(name)
self.delete_option('section', 'domain/%s' % name)
def save_domain(self, domain):
"""
Save the changes made to the domain object back to the SSSDConfig
object. If this domain is marked active, ensure it is present in the
active domain list in the [SSSD] section
domain_object:
The SSSDDomain object to save to the configuration.
=== Returns ===
No return value
=== Errors ===
NotInitializedError:
This SSSDConfig object has not had import_config() or new_config()
run on it yet.
TypeError:
domain_object was not of type SSSDDomain
"""
if not self.initialized:
raise NotInitializedError
if not isinstance(domain, SSSDDomain):
raise TypeError
name = domain.get_name()
oldindex = None
if domain.oldname and domain.oldname != name:
# We are renaming this domain
# Remove the old section
self.deactivate_domain(domain.oldname)
oldindex = self.delete_option('section', 'domain/%s' %
domain.oldname)
# Reset the oldname, in case we're not done with
# this domain object.
domain.oldname = None;
sectionname = 'domain/%s' % name
# Ensure that the existing section is removed
# This way we ensure that we are getting a
# complete copy of the service.
# delete_option() is a noop if the section
# does not exist.
index = self.delete_option('section', sectionname)
addkw = []
for option,value in domain.get_all_options().items():
if (type(value) == list):
value = ', '.join(value)
addkw.append( { 'type' : 'option',
'name' : option,
'value' : str(value) } )
if oldindex:
self.add_section(sectionname, addkw, oldindex)
else:
self.add_section(sectionname, addkw, index)
if domain.active:
self.activate_domain(name)
else:
self.deactivate_domain(name)