README
¶
===============================================================================
goipa - FreeIPA client library
===============================================================================
|godoc|
goipa is a `FreeIPA <http://www.freeipa.org/>`_ client library written in Go.
It interfaces with the FreeIPA JSON `api <https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt>`_
over HTTPS.
------------------------------------------------------------------------
Usage
------------------------------------------------------------------------
Install using go tools::
$ go get github.com/ubccr/goipa
Example calling FreeIPA user-show::
package main
import (
"fmt"
"github.com/ubccr/goipa"
)
func main() {
c := &ipa.Client{KeyTab: "/path/to/host.keytab", Host: "ipa.example.com"}
rec, err := c.UserShow("uid")
if err != nil {
panic(err)
}
fmt.Println("%s - %s", rec.Uid, rec.UidNumber)
}
------------------------------------------------------------------------
License
------------------------------------------------------------------------
goipa is released under a BSD style License. See the LICENSE file.
.. |godoc| image:: https://godoc.org/github.com/golang/gddo?status.svg
:target: https://godoc.org/github.com/ubccr/goipa
:alt: Godoc
Documentation
¶
Overview ¶
Package ipa is a Go client library for FreeIPA
Index ¶
- Constants
- type Algorithm
- type Client
- func (c *Client) AddTOTPToken(uid string, algo Algorithm, digits Digits, interval int) (*OTPToken, error)
- func (c *Client) ChangePassword(uid, old_passwd, new_passwd, otpcode string) error
- func (c *Client) ClearSession()
- func (c *Client) CreateGroup(gid string, description string, options map[string]interface{}) (*GroupRecord, error)
- func (c *Client) CreateUser(uid string, firstName string, lastName string, options map[string]interface{}) (*UserRecord, error)
- func (c *Client) DeleteGroup(gid string) error
- func (c *Client) DeleteUser(uid string) error
- func (c *Client) DisableOTPToken(tokenID string) error
- func (c *Client) EnableOTPToken(tokenID string) error
- func (c *Client) FetchOTPTokens(uid string) ([]*OTPToken, error)
- func (c *Client) GetGroup(gid string) (*GroupRecord, error)
- func (c *Client) GetGroupByGidNumber(gidNumber string) (*GroupRecord, error)
- func (c *Client) GetUser(uid string) (*UserRecord, error)
- func (c *Client) GetUserByUidNumber(uidNumber string) (*UserRecord, error)
- func (c *Client) GroupAddGroup(gid string, sgid string) error
- func (c *Client) GroupAddMember(gid string, memberId string, memberType string) error
- func (c *Client) GroupAddUser(gid string, uid string) error
- func (c *Client) GroupExists(uid string) (bool, error)
- func (c *Client) GroupMod(gid string, key string, value string) error
- func (c *Client) GroupRemoveGroup(gid string, sgid string) error
- func (c *Client) GroupRemoveMember(gid string, member string, memberType string) error
- func (c *Client) GroupRemoveMembers(gid string, members []string, memberType string) error
- func (c *Client) GroupRemoveUser(gid string, uid string) error
- func (c *Client) GroupRemoveUsers(gid string, uids []string) error
- func (c *Client) GroupSyncGroups(gid string, desired []string, reverse bool) error
- func (c *Client) GroupUpdateDescription(gid string, description string) error
- func (c *Client) GroupUpdateGid(oldGid string, newGid string) error
- func (c *Client) GroupUpdateGidNumber(gid string, gidNumber string) error
- func (c *Client) Login(uid, passwd string) (string, error)
- func (c *Client) Ping() (*Response, error)
- func (c *Client) PreserveUser(uid string) error
- func (c *Client) RemoveOTPToken(tokenID string) error
- func (c *Client) ResetPassword(uid string) (string, error)
- func (c *Client) SetAuthTypes(uid string, types []string) error
- func (c *Client) SetPassword(uid, old_passwd, new_passwd, otpcode string) error
- func (c *Client) SetSession(sid string)
- func (c *Client) UpdateSSHPubKeys(uid string, keys []string) ([]string, error)
- func (c *Client) UserExists(uid string) (bool, error)
- func (c *Client) UserMod(uid string, key string, value string) error
- func (c *Client) UserSyncGroups(uid string, desired []string) error
- func (c *Client) UserUpdateEmail(uid string, email string) error
- func (c *Client) UserUpdateFirstName(uid string, firstName string) error
- func (c *Client) UserUpdateGidNumber(uid string, gidNumber string) error
- func (c *Client) UserUpdateLastName(uid string, lastName string) error
- func (c *Client) UserUpdateMobileNumber(uid string, number string) error
- func (c *Client) UserUpdateShell(uid string, email string) error
- func (c *Client) UserUpdateUid(oldUid string, newUid string) error
- func (c *Client) UserUpdateUidNumber(uid string, uidNumber string) error
- type Digits
- type ErrInvalidPassword
- type ErrPasswordPolicy
- type GroupRecord
- type IpaDateTime
- type IpaError
- type IpaString
- type LdapClient
- func (c *LdapClient) Close()
- func (c *LdapClient) GetGroupForGroupname(groupname string) (*string, error)
- func (c *LdapClient) GetGroupForUUID(uuid string) (*string, error)
- func (c *LdapClient) GetUserForUUID(uuid string) (*string, error)
- func (c *LdapClient) GetUserForUsername(username string) (*string, error)
- func (c *LdapClient) GroupExistsForUUID(uuid string) (bool, error)
- func (c *LdapClient) Search(childDn string, filter string, attributes []string) (*ldap.SearchResult, error)
- func (c *LdapClient) UserExistsForUUID(uuid string) (bool, error)
- type OTPToken
- type Response
- type Result
- type UserRecord
Constants ¶
View Source
const ( IpaClientVersion = "2.156" IpaDatetimeFormat = "20060102150405Z" )
View Source
const ( AlgorithmSHA1 Algorithm = "SHA1" AlgorithmSHA256 = "SHA256" AlgorithmSHA384 = "SHA384" AlgorithmSHA512 = "SHA512" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Algorithm ¶
type Algorithm string
OTP Token hash Algorithms supported by FreeIPA
func (*Algorithm) UnmarshalJSON ¶
Unmarshal a FreeIPA string from an array of strings and convert to an Algorithm. Uses the first value in the array as the value of the string.
type Client ¶
type Client struct {
Host string
CaCert string
KeyTab string
// contains filtered or unexported fields
}
FreeIPA Client
func (*Client) AddTOTPToken ¶
func (c *Client) AddTOTPToken(uid string, algo Algorithm, digits Digits, interval int) (*OTPToken, error)
Add TOTP token. Returns new OTPToken
func (*Client) ChangePassword ¶
Change user password. This will run the passwd ipa command. Optionally provide an OTP if required
func (*Client) CreateGroup ¶
func (*Client) CreateUser ¶
func (c *Client) CreateUser(uid string, firstName string, lastName string, options map[string]interface{}) (*UserRecord, error)
Create user
func (*Client) DeleteGroup ¶
func (*Client) DisableOTPToken ¶
Disable OTP token.
func (*Client) EnableOTPToken ¶
Enable OTP token.
func (*Client) FetchOTPTokens ¶
Fetch all OTP tokens.
func (*Client) GetGroup ¶
func (c *Client) GetGroup(gid string) (*GroupRecord, error)
Fetch user details by calling the FreeIPA group-show method
func (*Client) GetGroupByGidNumber ¶
func (c *Client) GetGroupByGidNumber(gidNumber string) (*GroupRecord, error)
This doesn't work for primary groups - this appears to be a deficiency in FreeIPA as it also doesn't work from the ipa CLI
func (*Client) GetUser ¶
func (c *Client) GetUser(uid string) (*UserRecord, error)
Fetch user details by call the FreeIPA user-show method
func (*Client) GetUserByUidNumber ¶
func (c *Client) GetUserByUidNumber(uidNumber string) (*UserRecord, error)
Fetch user details by call the FreeIPA user-show method
func (*Client) GroupAddMember ¶
func (*Client) GroupRemoveMember ¶
func (*Client) GroupRemoveMembers ¶
func (*Client) GroupRemoveUsers ¶
func (*Client) GroupSyncGroups ¶
func (*Client) GroupUpdateDescription ¶
func (*Client) GroupUpdateGidNumber ¶
func (*Client) Login ¶
Login to FreeIPA with uid/passwd and set the FreeIPA session id on the client for subsequent requests.
func (*Client) RemoveOTPToken ¶
Remove OTP token
func (*Client) ResetPassword ¶
Reset user password and return new random password
func (*Client) SetAuthTypes ¶
Update user authentication types.
func (*Client) SetPassword ¶
Set user password. In FreeIPA when a password is first set or when a password is later reset it is marked as immediately expired and requires the owner to perform a password change. This function exists to allow an administrator to use mokey to send a user a link in an email and allow the user to set a new password without it being expired. This is acheived by first calling ResetPassword() then immediately calling this function.
func (*Client) UpdateSSHPubKeys ¶
Update ssh public keys for user uid. Returns the fingerprints on success.
func (*Client) UserUpdateFirstName ¶
func (*Client) UserUpdateGidNumber ¶
func (*Client) UserUpdateLastName ¶
func (*Client) UserUpdateMobileNumber ¶
type Digits ¶
type Digits int
Number of digits each OTP token code will have
func (*Digits) UnmarshalJSON ¶
Unmarshal a FreeIPA string from an array of strings and convert to Digits. Uses the first value in the array as the value of the string.
type ErrInvalidPassword ¶
type ErrInvalidPassword struct {
}
FreeIPA Invalid Password Error
func (*ErrInvalidPassword) Error ¶
func (e *ErrInvalidPassword) Error() string
type ErrPasswordPolicy ¶
type ErrPasswordPolicy struct {
}
FreeIPA Password Policy Error
func (*ErrPasswordPolicy) Error ¶
func (e *ErrPasswordPolicy) Error() string
type GroupRecord ¶
type GroupRecord struct {
Dn string `json:"dn"`
Description IpaString `json:"description"`
Gid IpaString `json:"cn"`
GidNumber IpaString `json:"gidnumber"`
Groups []string `json:"memberof_group"`
GroupMembers []string `json:"member_group"`
MepManagedBy IpaString `json:"mepmanagedby"`
IpaUniqueId IpaString `json:"ipauniqueid"`
Users []string `json:"member_user"`
HbacRules []string `json:"memberof_hbacrule"`
}
type IpaDateTime ¶
Custom FreeIPA datetime type
func (*IpaDateTime) Format ¶
func (dt *IpaDateTime) Format(layout string) string
func (*IpaDateTime) MarshalBinary ¶
func (dt *IpaDateTime) MarshalBinary() (data []byte, err error)
func (*IpaDateTime) String ¶
func (dt *IpaDateTime) String() string
func (*IpaDateTime) UnmarshalBinary ¶
func (dt *IpaDateTime) UnmarshalBinary(data []byte) error
func (*IpaDateTime) UnmarshalJSON ¶
func (dt *IpaDateTime) UnmarshalJSON(b []byte) error
Unmarshal a FreeIPA datetime. Datetimes in FreeIPA are returned using a class-hint system. Values are stored as an array with a single element indicating the type and value, for example, '[{"__datetime__": "YYYY-MM-DDTHH:MM:SSZ"]}'
type IpaString ¶
type IpaString string
Custom FreeIPA string type
func (*IpaString) UnmarshalJSON ¶
Unmarshal a FreeIPA string from an array of strings. Uses the first value in the array as the value of the string.
type LdapClient ¶
type LdapClient struct {
BaseDN string
Connection *ldap.Conn
}
func LdapConnect ¶
func (*LdapClient) Close ¶
func (c *LdapClient) Close()
func (*LdapClient) GetGroupForGroupname ¶
func (c *LdapClient) GetGroupForGroupname(groupname string) (*string, error)
func (*LdapClient) GetGroupForUUID ¶
func (c *LdapClient) GetGroupForUUID(uuid string) (*string, error)
func (*LdapClient) GetUserForUUID ¶
func (c *LdapClient) GetUserForUUID(uuid string) (*string, error)
func (*LdapClient) GetUserForUsername ¶
func (c *LdapClient) GetUserForUsername(username string) (*string, error)
func (*LdapClient) GroupExistsForUUID ¶
func (c *LdapClient) GroupExistsForUUID(uuid string) (bool, error)
func (*LdapClient) Search ¶
func (c *LdapClient) Search(childDn string, filter string, attributes []string) (*ldap.SearchResult, error)
func (*LdapClient) UserExistsForUUID ¶
func (c *LdapClient) UserExistsForUUID(uuid string) (bool, error)
type OTPToken ¶
type OTPToken struct {
DN string `json:"dn"`
Algorithm Algorithm `json:"ipatokenotpalgorithm"`
Digits Digits `json:"ipatokenotpdigits"`
Owner IpaString `json:"ipatokenowner"`
TimeStep IpaString `json:"ipatokentotptimestep"`
UUID IpaString `json:"ipatokenuniqueid"`
ManagedBy IpaString `json:"managedby_user"`
Disabled IpaString `json:"ipatokendisabled"`
Type string `json:"type"`
URI string `json:"uri"`
}
OTPToken encapsulates FreeIPA otptokens
type Response ¶
type Response struct {
Error *IpaError `json:"error"`
Id string `json:"id"`
Principal string `json:"principal"`
Version string `json:"version"`
Result *Result `json:"result"`
}
Response returned from a FreeIPA JSON rpc call
type Result ¶
type Result struct {
Summary string `json:"summary"`
Value interface{} `json:"value"`
Data json.RawMessage `json:"result"`
}
Result returned from a FreeIPA JSON rpc call
type UserRecord ¶
type UserRecord struct {
Dn string `json:"dn"`
First IpaString `json:"givenname"`
Last IpaString `json:"sn"`
DisplayName IpaString `json:"displayname"`
Principal IpaString `json:"krbprincipalname"`
Uid IpaString `json:"uid"`
UidNumber IpaString `json:"uidnumber"`
GidNumber IpaString `json:"gidnumber"`
Groups []string `json:"memberof_group"`
SSHPubKeys []string `json:"ipasshpubkey"`
SSHPubKeyFps []string `json:"sshpubkeyfp"`
AuthTypes []string `json:"ipauserauthtype"`
HasKeytab bool `json:"has_keytab"`
HasPassword bool `json:"has_password"`
Locked bool `json:"nsaccountlock"`
HomeDir IpaString `json:"homedirectory"`
Email IpaString `json:"mail"`
Mobile IpaString `json:"mobile"`
Shell IpaString `json:"loginshell"`
SudoRules []string `json:"memberofindirect_sudorule"`
HbacRules []string `json:"memberofindirect_hbacrule"`
LastPasswdChange IpaDateTime `json:"krblastpwdchange"`
PasswdExpire IpaDateTime `json:"krbpasswordexpiration"`
PrincipalExpire IpaDateTime `json:"krbprincipalexpiration"`
LastLoginSuccess IpaDateTime `json:"krblastsuccessfulauth"`
LastLoginFail IpaDateTime `json:"krblastfailedauth"`
Randompassword string `json:"randompassword"`
IpaUniqueId IpaString `json:"ipauniqueid"`
}
UserRecord encapsulates user data returned from ipa user commands
func (*UserRecord) HasGroup ¶
func (u *UserRecord) HasGroup(group string) bool
Returns true if the User is in group
func (*UserRecord) OTPOnly ¶
func (u *UserRecord) OTPOnly() bool
Returns true if OTP is the only authentication type enabled
Source Files
Click to show internal directories.
Click to hide internal directories.