README
¶
===============================================================================
goipa - FreeIPA client library
===============================================================================
|godoc|
goipa is a `FreeIPA <http://www.freeipa.org/>`_ client library written in Go.
It interfaces with the FreeIPA JSON `api <https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt>`_
over HTTPS.
------------------------------------------------------------------------
Usage
------------------------------------------------------------------------
Install using go tools::
$ go get github.com/ubccr/goipa
Example calling FreeIPA user-show:
.. code-block:: go
package main
import (
"fmt"
"github.com/ubccr/goipa"
)
func main() {
client := ipa.NewDefaultClient()
err := client.LoginWithKeytab("/path/to/user.keytab", "username")
if err != nil {
panic(err)
}
rec, err := client.UserShow("uid")
if err != nil {
panic(err)
}
fmt.Println("%s - %s", rec.Uid, rec.UidNumber)
}
------------------------------------------------------------------------
License
------------------------------------------------------------------------
goipa is released under a BSD style License. See the LICENSE file.
.. |godoc| image:: https://godoc.org/github.com/golang/gddo?status.svg
:target: https://godoc.org/github.com/ubccr/goipa
:alt: Godoc
Documentation
¶
Overview ¶
Package ipa is a Go client library for FreeIPA
Index ¶
- Constants
- type Algorithm
- type Client
- func (c *Client) AddTOTPToken(uid string, algo Algorithm, digits Digits, interval int) (*OTPToken, error)
- func (c *Client) ChangePassword(uid, old_passwd, new_passwd, otpcode string) error
- func (c *Client) ClearSession()
- func (c *Client) DisableOTPToken(tokenID string) error
- func (c *Client) EnableOTPToken(tokenID string) error
- func (c *Client) FetchOTPTokens(uid string) ([]*OTPToken, error)
- func (c *Client) Login(username, password string) error
- func (c *Client) LoginWithKeytab(ktab, username string) error
- func (c *Client) Ping() (*Response, error)
- func (c *Client) RemoteLogin(uid, passwd string) (string, error)
- func (c *Client) RemoveOTPToken(tokenID string) error
- func (c *Client) ResetPassword(uid string) (string, error)
- func (c *Client) SessionID() string
- func (c *Client) SetAuthTypes(uid string, types []string) error
- func (c *Client) SetPassword(uid, old_passwd, new_passwd, otpcode string) error
- func (c *Client) StickySession(enable bool)
- func (c *Client) UpdateMobileNumber(uid string, number string) error
- func (c *Client) UpdateSSHPubKeys(uid string, keys []string) ([]string, error)
- func (c *Client) UserAdd(uid, email, first, last, homedir, shell string, random bool) (*UserRecord, error)
- func (c *Client) UserDisable(uid string) error
- func (c *Client) UserEnable(uid string) error
- func (c *Client) UserShow(uid string) (*UserRecord, error)
- type Digits
- type ErrInvalidPassword
- type ErrPasswordPolicy
- type IpaDateTime
- type IpaError
- type IpaString
- type OTPToken
- type Response
- type Result
- type UserRecord
Constants ¶
const ( IpaClientVersion = "2.156" IpaDatetimeFormat = "20060102150405Z" )
const ( AlgorithmSHA1 Algorithm = "SHA1" AlgorithmSHA256 = "SHA256" AlgorithmSHA384 = "SHA384" AlgorithmSHA512 = "SHA512" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
FreeIPA Client
func NewClientCustomHttp ¶
New IPA Client with host, realm and custom http client
func NewDefaultClient ¶
func NewDefaultClient() *Client
New default IPA Client using host and realm from /etc/ipa/default.conf
func NewDefaultClientWithSession ¶
New default IPA Client with existing sessionID using host and realm from /etc/ipa/default.conf
func (*Client) AddTOTPToken ¶
func (c *Client) AddTOTPToken(uid string, algo Algorithm, digits Digits, interval int) (*OTPToken, error)
Add TOTP token. Returns new OTPToken
func (*Client) ChangePassword ¶
Change user password. This will run the passwd ipa command. Optionally provide an OTP if required
func (*Client) DisableOTPToken ¶
Disable OTP token.
func (*Client) EnableOTPToken ¶
Enable OTP token.
func (*Client) FetchOTPTokens ¶
Fetch all OTP tokens.
func (*Client) Login ¶
Login to FreeIPA using local kerberos login username and password
func (*Client) LoginWithKeytab ¶
Login to FreeIPA using local kerberos login with keytab and username
func (*Client) Ping ¶
Ping FreeIPA server to check connection
func (*Client) RemoteLogin ¶
Login to FreeIPA using web API with uid/passwd and set the FreeIPA session id on the client for subsequent requests.
func (*Client) RemoveOTPToken ¶
Remove OTP token
func (*Client) ResetPassword ¶
Reset user password and return new random password
func (*Client) SetAuthTypes ¶
Update user authentication types.
func (*Client) SetPassword ¶
Set user password. In FreeIPA when a password is first set or when a password is later reset it is marked as immediately expired and requires the owner to perform a password change. See here https://www.freeipa.org/page/New_Passwords_Expired for more details. This function exists to circumvent the "new passwords expired" feature of FreeIPA and allow an administrator to set a new password for a user without it being expired. This is acheived, for example, by first calling ResetPassword() then immediately calling this function. *WARNING* See https://www.freeipa.org/page/Self-Service_Password_Reset for security issues and possible weaknesses of this approach.
func (*Client) UpdateMobileNumber ¶
Update mobile number. Currently will store only a single number. Any existing numbers will be overwritten.
func (*Client) UpdateSSHPubKeys ¶
Update ssh public keys for user uid. Returns the fingerprints on success.
func (*Client) UserAdd ¶
func (c *Client) UserAdd(uid, email, first, last, homedir, shell string, random bool) (*UserRecord, error)
Add new user. If random is true a random password will be created for the user. Note this requires "User Administrators" Privilege in FreeIPA.
func (*Client) UserShow ¶
func (c *Client) UserShow(uid string) (*UserRecord, error)
Fetch user details by call the FreeIPA user-show method
type ErrInvalidPassword ¶
type ErrInvalidPassword struct {
}
FreeIPA Invalid Password Error
func (*ErrInvalidPassword) Error ¶
func (e *ErrInvalidPassword) Error() string
type ErrPasswordPolicy ¶
type ErrPasswordPolicy struct {
}
FreeIPA Password Policy Error
func (*ErrPasswordPolicy) Error ¶
func (e *ErrPasswordPolicy) Error() string
type IpaDateTime ¶
Custom FreeIPA datetime type
func (*IpaDateTime) Format ¶
func (dt *IpaDateTime) Format(layout string) string
func (*IpaDateTime) MarshalBinary ¶
func (dt *IpaDateTime) MarshalBinary() (data []byte, err error)
func (*IpaDateTime) String ¶
func (dt *IpaDateTime) String() string
func (*IpaDateTime) UnmarshalBinary ¶
func (dt *IpaDateTime) UnmarshalBinary(data []byte) error
func (*IpaDateTime) UnmarshalJSON ¶
func (dt *IpaDateTime) UnmarshalJSON(b []byte) error
Unmarshal a FreeIPA datetime. Datetimes in FreeIPA are returned using a class-hint system. Values are stored as an array with a single element indicating the type and value, for example, '[{"__datetime__": "YYYY-MM-DDTHH:MM:SSZ"]}'
type IpaError ¶
FreeIPA error
type OTPToken ¶
type OTPToken struct {
DN string `json:"dn"`
Algorithm Algorithm `json:"ipatokenotpalgorithm"`
Digits Digits `json:"ipatokenotpdigits"`
Owner IpaString `json:"ipatokenowner"`
TimeStep IpaString `json:"ipatokentotptimestep"`
UUID IpaString `json:"ipatokenuniqueid"`
ManagedBy IpaString `json:"managedby_user"`
Disabled IpaString `json:"ipatokendisabled"`
Type string `json:"type"`
URI string `json:"uri"`
}
OTPToken encapsulates FreeIPA otptokens
type Response ¶
type Response struct {
Error *IpaError `json:"error"`
Id string `json:"id"`
Principal string `json:"principal"`
Version string `json:"version"`
Result *Result `json:"result"`
}
Response returned from a FreeIPA JSON rpc call
type Result ¶
type Result struct {
Summary string `json:"summary"`
Value interface{} `json:"value"`
Data json.RawMessage `json:"result"`
}
Result returned from a FreeIPA JSON rpc call
type UserRecord ¶
type UserRecord struct {
Dn string `json:"dn"`
First IpaString `json:"givenname"`
Last IpaString `json:"sn"`
DisplayName IpaString `json:"displayname"`
Principal IpaString `json:"krbprincipalname"`
Uid IpaString `json:"uid"`
UidNumber IpaString `json:"uidnumber"`
GidNumber IpaString `json:"gidnumber"`
Groups []string `json:"memberof_group"`
SSHPubKeys []string `json:"ipasshpubkey"`
SSHPubKeyFps []string `json:"sshpubkeyfp"`
AuthTypes []string `json:"ipauserauthtype"`
HasKeytab bool `json:"has_keytab"`
HasPassword bool `json:"has_password"`
NSAccountLock bool `json:"nsaccountlock"`
HomeDir IpaString `json:"homedirectory"`
Email IpaString `json:"mail"`
Mobile IpaString `json:"mobile"`
Shell IpaString `json:"loginshell"`
SudoRules IpaString `json:"memberofindirect_sudorule"`
HbacRules IpaString `json:"memberofindirect_hbacrule"`
LastPasswdChange IpaDateTime `json:"krblastpwdchange"`
PasswdExpire IpaDateTime `json:"krbpasswordexpiration"`
PrincipalExpire IpaDateTime `json:"krbprincipalexpiration"`
LastLoginSuccess IpaDateTime `json:"krblastsuccessfulauth"`
LastLoginFail IpaDateTime `json:"krblastfailedauth"`
Randompassword string `json:"randompassword"`
}
UserRecord encapsulates user data returned from ipa user commands
func (*UserRecord) HasGroup ¶
func (u *UserRecord) HasGroup(group string) bool
Returns true if the User is in group
func (*UserRecord) OTPOnly ¶
func (u *UserRecord) OTPOnly() bool
Returns true if OTP is the only authentication type enabled
Source Files