ipa

package module
v0.0.5-0...-6ac8e7b Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 28, 2021 License: BSD-3-Clause Imports: 16 Imported by: 0

README 

===============================================================================
goipa - FreeIPA client library
===============================================================================

|godoc|

goipa is a `FreeIPA <http://www.freeipa.org/>`_ client library written in Go.
It interfaces with the FreeIPA JSON `api <https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt>`_ 
over HTTPS.

------------------------------------------------------------------------
Usage
------------------------------------------------------------------------

Install using go tools::

    $ go get github.com/ubccr/goipa

Example calling FreeIPA user-show:

.. code-block:: go

    package main

    import (
        "fmt"

        "github.com/ubccr/goipa"
    )

    func main() {
        client := ipa.NewDefaultClient()

        err := client.LoginWithKeytab("/path/to/user.keytab", "username")
        if err != nil {
            panic(err)
        }

        rec, err := client.UserShow("uid")
        if err != nil {
            panic(err)
        }

        fmt.Println("%s - %s", rec.Uid, rec.UidNumber)
    }

------------------------------------------------------------------------
License
------------------------------------------------------------------------

goipa is released under a BSD style License. See the LICENSE file.


.. |godoc| image:: https://godoc.org/github.com/golang/gddo?status.svg
    :target: https://godoc.org/github.com/ubccr/goipa
    :alt: Godoc

Documentation

Overview

Package ipa is a Go client library for FreeIPA

Index

Constants

View Source 
const (
	IpaClientVersion  = "2.156"
	IpaDatetimeFormat = "20060102150405Z"
)
View Source 
const (
	AlgorithmSHA1   Algorithm = "SHA1"
	AlgorithmSHA256           = "SHA256"
	AlgorithmSHA384           = "SHA384"
	AlgorithmSHA512           = "SHA512"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Algorithm 

type Algorithm string

OTP Token hash Algorithms supported by FreeIPA

func (*Algorithm) String 

func (a *Algorithm) String() string

func (*Algorithm) UnmarshalJSON 

func (a *Algorithm) UnmarshalJSON(b []byte) error

Unmarshal a FreeIPA string from an array of strings and convert to an Algorithm. Uses the first value in the array as the value of the string.

type Client 

type Client struct {
	// contains filtered or unexported fields
}

FreeIPA Client

func NewClient 

func NewClient(host, realm string) *Client

New IPA Client with host and realm

func NewClientCustomHttp 

func NewClientCustomHttp(host, realm string, httpClient *http.Client) *Client

New IPA Client with host, realm and custom http client

func NewDefaultClient 

func NewDefaultClient() *Client

New default IPA Client using host and realm from /etc/ipa/default.conf

func NewDefaultClientWithSession 

func NewDefaultClientWithSession(sessionID string) *Client

New default IPA Client with existing sessionID using host and realm from /etc/ipa/default.conf

func (*Client) AddTOTPToken 

func (c *Client) AddTOTPToken(uid string, algo Algorithm, digits Digits, interval int) (*OTPToken, error)

Add TOTP token. Returns new OTPToken

func (*Client) ChangePassword 

func (c *Client) ChangePassword(uid, old_passwd, new_passwd, otpcode string) error

Change user password. This will run the passwd ipa command. Optionally provide an OTP if required

func (*Client) ClearSession 

func (c *Client) ClearSession()

Clears out FreeIPA session id

func (*Client) DisableOTPToken 

func (c *Client) DisableOTPToken(tokenID string) error

Disable OTP token.

func (*Client) EnableOTPToken 

func (c *Client) EnableOTPToken(tokenID string) error

Enable OTP token.

func (*Client) FetchOTPTokens 

func (c *Client) FetchOTPTokens(uid string) ([]*OTPToken, error)

Fetch all OTP tokens.

func (*Client) Login 

func (c *Client) Login(username, password string) error

Login to FreeIPA using local kerberos login username and password

func (*Client) LoginWithKeytab 

func (c *Client) LoginWithKeytab(ktab, username string) error

Login to FreeIPA using local kerberos login with keytab and username

func (*Client) Ping 

func (c *Client) Ping() (*Response, error)

Ping FreeIPA server to check connection

func (*Client) RemoteLogin 

func (c *Client) RemoteLogin(uid, passwd string) (string, error)

Login to FreeIPA using web API with uid/passwd and set the FreeIPA session id on the client for subsequent requests.

func (*Client) RemoveOTPToken 

func (c *Client) RemoveOTPToken(tokenID string) error

Remove OTP token

func (*Client) ResetPassword 

func (c *Client) ResetPassword(uid string) (string, error)

Reset user password and return new random password

func (*Client) SessionID 

func (c *Client) SessionID() string

Return current FreeIPA sessionID

func (*Client) SetAuthTypes 

func (c *Client) SetAuthTypes(uid string, types []string) error

Update user authentication types.

func (*Client) SetPassword 

func (c *Client) SetPassword(uid, old_passwd, new_passwd, otpcode string) error

Set user password. In FreeIPA when a password is first set or when a password is later reset it is marked as immediately expired and requires the owner to perform a password change. See here https://www.freeipa.org/page/New_Passwords_Expired for more details. This function exists to circumvent the "new passwords expired" feature of FreeIPA and allow an administrator to set a new password for a user without it being expired. This is acheived, for example, by first calling ResetPassword() then immediately calling this function. *WARNING* See https://www.freeipa.org/page/Self-Service_Password_Reset for security issues and possible weaknesses of this approach.

func (*Client) StickySession 

func (c *Client) StickySession(enable bool)

Set stick sessions.

func (*Client) UpdateMobileNumber 

func (c *Client) UpdateMobileNumber(uid string, number string) error

Update mobile number. Currently will store only a single number. Any existing numbers will be overwritten.

func (*Client) UpdateSSHPubKeys 

func (c *Client) UpdateSSHPubKeys(uid string, keys []string) ([]string, error)

Update ssh public keys for user uid. Returns the fingerprints on success.

func (*Client) UserAdd 

func (c *Client) UserAdd(uid, email, first, last, homedir, shell string, random bool) (*UserRecord, error)

Add new user. If random is true a random password will be created for the user. Note this requires "User Administrators" Privilege in FreeIPA.

func (*Client) UserDisable 

func (c *Client) UserDisable(uid string) error

Disable User Account

func (*Client) UserEnable 

func (c *Client) UserEnable(uid string) error

Enable User Account

func (*Client) UserShow 

func (c *Client) UserShow(uid string) (*UserRecord, error)

Fetch user details by call the FreeIPA user-show method

type Digits 

type Digits int

Number of digits each OTP token code will have 

const (
	DigitsSix   Digits = 6
	DigitsEight Digits = 8
)

func (*Digits) String 

func (d *Digits) String() string

func (*Digits) UnmarshalJSON 

func (d *Digits) UnmarshalJSON(b []byte) error

Unmarshal a FreeIPA string from an array of strings and convert to Digits. Uses the first value in the array as the value of the string.

type ErrInvalidPassword 

type ErrInvalidPassword struct {
}

FreeIPA Invalid Password Error

func (*ErrInvalidPassword) Error 

func (e *ErrInvalidPassword) Error() string

type ErrPasswordPolicy 

type ErrPasswordPolicy struct {
}

FreeIPA Password Policy Error

func (*ErrPasswordPolicy) Error 

func (e *ErrPasswordPolicy) Error() string

type IpaDateTime 

type IpaDateTime time.Time

Custom FreeIPA datetime type

func (*IpaDateTime) Format 

func (dt *IpaDateTime) Format(layout string) string

func (*IpaDateTime) MarshalBinary 

func (dt *IpaDateTime) MarshalBinary() (data []byte, err error)

func (*IpaDateTime) String 

func (dt *IpaDateTime) String() string

func (*IpaDateTime) UnmarshalBinary 

func (dt *IpaDateTime) UnmarshalBinary(data []byte) error

func (*IpaDateTime) UnmarshalJSON 

func (dt *IpaDateTime) UnmarshalJSON(b []byte) error

Unmarshal a FreeIPA datetime. Datetimes in FreeIPA are returned using a class-hint system. Values are stored as an array with a single element indicating the type and value, for example, '[{"__datetime__": "YYYY-MM-DDTHH:MM:SSZ"]}'

type IpaError 

type IpaError struct {
	Message string
	Code    int
}

FreeIPA error

func (*IpaError) Error 

func (e *IpaError) Error() string

type IpaString 

type IpaString string

Custom FreeIPA string type

func (*IpaString) String 

func (s *IpaString) String() string

func (*IpaString) UnmarshalJSON 

func (s *IpaString) UnmarshalJSON(b []byte) error

Unmarshal a FreeIPA string from an array of strings. Uses the first value in the array as the value of the string.

type OTPToken 

type OTPToken struct {
	DN        string    `json:"dn"`
	Algorithm Algorithm `json:"ipatokenotpalgorithm"`
	Digits    Digits    `json:"ipatokenotpdigits"`
	Owner     IpaString `json:"ipatokenowner"`
	TimeStep  IpaString `json:"ipatokentotptimestep"`
	UUID      IpaString `json:"ipatokenuniqueid"`
	ManagedBy IpaString `json:"managedby_user"`
	Disabled  IpaString `json:"ipatokendisabled"`
	Type      string    `json:"type"`
	URI       string    `json:"uri"`
}

OTPToken encapsulates FreeIPA otptokens

func (*OTPToken) Enabled 

func (t *OTPToken) Enabled() bool

type Response 

type Response struct {
	Error     *IpaError `json:"error"`
	Id        string    `json:"id"`
	Principal string    `json:"principal"`
	Version   string    `json:"version"`
	Result    *Result   `json:"result"`
}

Response returned from a FreeIPA JSON rpc call

type Result 

type Result struct {
	Summary string          `json:"summary"`
	Value   interface{}     `json:"value"`
	Data    json.RawMessage `json:"result"`
}

Result returned from a FreeIPA JSON rpc call

type UserRecord 

type UserRecord struct {
	Dn               string      `json:"dn"`
	First            IpaString   `json:"givenname"`
	Last             IpaString   `json:"sn"`
	DisplayName      IpaString   `json:"displayname"`
	Principal        IpaString   `json:"krbprincipalname"`
	Uid              IpaString   `json:"uid"`
	UidNumber        IpaString   `json:"uidnumber"`
	GidNumber        IpaString   `json:"gidnumber"`
	Groups           []string    `json:"memberof_group"`
	SSHPubKeys       []string    `json:"ipasshpubkey"`
	SSHPubKeyFps     []string    `json:"sshpubkeyfp"`
	AuthTypes        []string    `json:"ipauserauthtype"`
	HasKeytab        bool        `json:"has_keytab"`
	HasPassword      bool        `json:"has_password"`
	NSAccountLock    bool        `json:"nsaccountlock"`
	HomeDir          IpaString   `json:"homedirectory"`
	Email            IpaString   `json:"mail"`
	Mobile           IpaString   `json:"mobile"`
	Shell            IpaString   `json:"loginshell"`
	SudoRules        IpaString   `json:"memberofindirect_sudorule"`
	HbacRules        IpaString   `json:"memberofindirect_hbacrule"`
	LastPasswdChange IpaDateTime `json:"krblastpwdchange"`
	PasswdExpire     IpaDateTime `json:"krbpasswordexpiration"`
	PrincipalExpire  IpaDateTime `json:"krbprincipalexpiration"`
	LastLoginSuccess IpaDateTime `json:"krblastsuccessfulauth"`
	LastLoginFail    IpaDateTime `json:"krblastfailedauth"`
	Randompassword   string      `json:"randompassword"`
}

UserRecord encapsulates user data returned from ipa user commands

func (*UserRecord) HasGroup 

func (u *UserRecord) HasGroup(group string) bool

Returns true if the User is in group

func (*UserRecord) Locked 

func (u *UserRecord) Locked() bool

Returns true if the User is locked

func (*UserRecord) OTPOnly 

func (u *UserRecord) OTPOnly() bool

Returns true if OTP is the only authentication type enabled

Source Files

  • ipa.go
  • otp.go
  • user.go

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.