def config_set_password(self, username, password):
"""config user set password: <username> <new password>"""
rec = {'userPassword': ["{SHA}" + LDAP.hashPassword(password)]}
user, domain = self.udFromUname(username)
if Settings.sambaDN and domain==Settings.defaultDomain:
rec['sambaNTPassword'] = [Utils.createNTHash(password)]
rec['sambaLMPassword'] = [Utils.createLMHash(password)]
self.setUserAttr(username, rec)
else:
user, domain = uname.split('@')
emailAddress = user + '@' + domain
givenName = ""
sName = ""
#Generate sane givenNamen and sName
if len(namesname) > 0:
givenName = str.join(' ',namesname[0:-1])
sName = str.join('', namesname[-1:])
#Generate LDAP Entry
if Settings.sambaDN and domain==Settings.defaultDomain:
#Generate Samba Passwords
LM = Utils.createLMHash(password)
NT = Utils.createNTHash(password)
# Acquire local SID
l = LDAP.createLDAPConnection(Settings.LDAPServer, 'o='+Settings.LDAPBase, Settings.LDAPManager, Settings.LDAPPass)
dc = "%s,o=%s" % (LDAP.domainToDC(domain), Settings.LDAPBase)
domainData = LDAP.getDomInfo(l, dc, Settings.SMBDomain)
SID = str(domainData['sambaSID'][0])
# Acquire UID offset
uidOffset = int(domainData['uidNumber'][0])
# Make RID
SIDOffset = 2*uidOffset
def addUserToSmbDomain(self, data):
""" Add a user to a samba domain"""
# Hall out some data
relevantData, domainUsers, domainData = self.getDomainData()
timeNow = int(time.time())
if data['userSettings.userPassword']:
clearPassword = data['userSettings.userPassword'].encode(
'ascii', 'replace')
else:
clearPassword = sha.sha("%s%s%s" % (random.randint(
1, 2000), time.time(), random.randint(1, 4000))).hexdigest()
data['userSettings.userPassword'] = clearPassword
LM, NT = (Utils.createLMHash(clearPassword),
Utils.createNTHash(clearPassword))
# Grab some data
user = data['userSettings.uid'].encode('ascii', 'replace').lower()
# SMB template
newRecord = {
'sambaPrimaryGroupSID':
relevantData['sambaPrimaryGroupSID'],
'sambaSID':
relevantData['sambaSID'],
'uidNumber':
relevantData['uidNumber'],
'gidNumber':
513,
'sambaPasswordHistory':
'0000000000000000000000000000000000000000000000000000000000000000',
'sambaPwdMustChange':
2147483647,
'sambaPwdCanChange':
timeNow,
'sambaNTPassword':
NT,
'sambaLMPassword':
LM,
'gecos':
'System User',
'o':
self.ldapOrg,
'objectClass': [
'top', 'inetOrgPerson', 'posixAccount', 'shadowAccount',
'SambaSamAccount', 'thusaUser'
],
'sambaAcctFlags':
'[U ]',
'sambaPwdLastSet':
timeNow,
# set this later..
'employeeType': []
}
self.validateSettings(data, newRecord)
print self.ldapify(newRecord)
# Add user element
self.connect()
addElement(self.ldapConnector, 'uid=%s,%s' % (user, self.userDN),
self.ldapify(newRecord))
# Add user to domain group if not already there
if user not in domainUsers.get('memberUid'):
newDomainUsers = copy.deepcopy(domainUsers)
if not newDomainUsers.get('memberUid'):
newDomainUsers['memberUid'] = [user]
else:
newDomainUsers['memberUid'].append(user)
modifyElement(self.ldapConnector,
'cn=Domain Users,ou=Groups,' + self.baseDC,
domainUsers, newDomainUsers)
# increment nextUid
newDom = copy.deepcopy(domainData)
newDom['uidNumber'] = [str(relevantData['uidNumber'] + 1)]
modifyElement(self.ldapConnector,
'sambaDomainName=%s,%s' % (self.smbDomain, self.baseDC),
domainData, newDom)
# Disconnect ourselves.
self.disconnect()
# Return the record we have added
return self.ldapify(newRecord)
def validateSettings(self, data, newRecord):
""" Validates a form into the ldap record. Must be interchangable between add and edit """
user = data['userSettings.uid'].encode('ascii', 'replace').lower()
newRecord['uid'] = user
# Set employeeType values
empVals = []
if data.get('userPermissions.employeeType'):
empVals.append('squid')
if data.get('userPermissions.tumsAdmin', None):
# Tums Admin overrides every other setting
empVals.append('tumsAdmin')
else:
if data.get('userPermissions.tumsUser', None):
tuenc = 'tumsUser[%s]' % ','.join(
data['userPermissions.tumsUser'])
empVals.append(tuenc.encode("ascii", "replace"))
if data.get('userPermissions.tumsReports', None):
empVals.append('tumsReports')
if empVals:
newRecord['employeeType'] = empVals
elif newRecord.get('employeeType'):
del newRecord['employeeType']
# Account is active
if data.get('userPermissions.accountStatus'):
newRecord['accountStatus'] = 'active'
elif newRecord.get('accountStatus'):
del newRecord['accountStatus']
# Mail forwarding addresses
mFA = []
for i in xrange(10):
# Reap data into list
if data.get('mailSettings.mailForwardingAddress%s' % i):
ad = data['mailSettings.mailForwardingAddress%s' % i].replace(
' ', '').replace('\r', '')
if ad:
mFA.append(ad)
if mFA:
newRecord['mailForwardingAddress'] = [
le.encode("ascii", "replace") for le in mFA
]
elif newRecord.get('mailForwardingAddress'):
del newRecord['mailForwardingAddress']
# Mail aliases
mAA = []
for i in xrange(10):
# Reap data into list
if data.get('mailSettings.mailAlternateAddress%s' % i):
ad = data['mailSettings.mailAlternateAddress%s' % i].replace(
' ', '').replace('\r', '')
if ad:
mAA.append(ad)
if mAA:
newRecord['mailAlternateAddress'] = [
le.encode("ascii", "replace").strip('\r') for le in mAA
]
elif newRecord.get('mailAlternateAddress'):
del newRecord['mailAlternateAddress']
# Password
if data['userSettings.userPassword']:
newRecord['userPassword'] = "******" + hashPassword(
data['userSettings.userPassword'].encode("ascii", "replace"))
if self.sambaDN:
newRecord['sambaPwdLastSet'] = int(time.time())
clearPassword = data['userSettings.userPassword'].encode(
'ascii', 'replace')
newRecord['sambaLMPassword'] = Utils.createLMHash(
clearPassword)
newRecord['sambaNTPassword'] = Utils.createNTHash(
clearPassword)
if newRecord.get('sambaPwdMustChange'):
del newRecord['sambaPwdMustChange']
sn = data.get('userSettings.sn') or '-'
gn = data.get('userSettings.givenName') or user.capitalize()
newRecord['sn'] = sn
newRecord['givenName'] = gn
newRecord['cn'] = "%s %s" % (gn, sn)
# FTP data
if data.get('userAccess.ftpGlobal'):
ftp = self.sysconf.FTP
if ftp.get('globals', None):
if newRecord['uid'] not in ftp['globals']:
ftp['globals'].append(user)
else:
ftp['globals'] = [user]
self.sysconf.FTP = ftp
else:
ftp = self.sysconf.FTP
newGlobals = []
globals = ftp.get('globals', [])
for id in globals:
if id != user:
newGlobals.append(id)
ftp['globals'] = newGlobals
self.sysconf.FTP = ftp
if self.sambaDN:
newRecord['loginShell'] = data.get(
'userAccess.ftpEnabled', False) and '/bin/bash' or '/bin/false'
newRecord['homeDirectory'] = '/home/%s' % user
emailAddress = str("%s@%s" % (user, self.domain))
newRecord['mailMessageStore'] = '/var/spool/mail/' + emailAddress
newRecord['mail'] = emailAddress
def validateFormData(self, dc, data, newRecord):
newRecord['uid'] = [data['userSettings.uid'].encode("utf-8").lower()]
sn = data['userSettings.sn'] or u""
if sn:
newRecord['sn'] = [sn.encode("utf-8")]
else:
newRecord['sn'] = [" "]
shell = '/bin/false'
if data['userAccess.ftpEnabled']:
shell = '/bin/bash'
if Settings.sambaDN and self.domain==Settings.defaultDomain:
newRecord['loginShell'] = [shell]
uid = data['userSettings.uid'].encode("utf-8").lower()
if data['userAccess.ftpGlobal']:
ftp = self.sysconf.FTP
if ftp.get('globals', None):
if uid not in ftp['globals']:
ftp['globals'].append(uid)
else:
ftp['globals'] = [uid]
self.sysconf.FTP = ftp
else:
ftp = self.sysconf.FTP
newGlobals = []
globals = ftp.get('globals', [])
for id in globals:
if id != uid:
newGlobals.append(id)
ftp['globals'] = newGlobals
self.sysconf.FTP = ftp
# Disable password change date
if data.get('sambaPwdMustChange'):
del data['sambaPwdMustChange']
if data.get('sambaPwdLastSet'):
data['sambaPwdLastSet'] = [str(int(time.time()))]
if data['userSettings.givenName']:
newRecord['givenName'] = [data['userSettings.givenName'].encode("utf-8")]
else:
newRecord['givenName'] = [data['userSettings.uid'].encode("utf-8").capitalize()]
newRecord['cn'] = ["%s %s" % (newRecord['givenName'][0], sn.encode("utf-8"))]
newRecord['employeeType'] = []
if data['userPermissions.employeeType']:
newRecord['employeeType'].append('squid')
if data.get('userPermissions.tumsAdmin', None):
newRecord['employeeType'].append('tumsAdmin')
elif data.get('userPermissions.tumsUser', None):
tuenc = 'tumsUser[%s]' % ','.join(data['userPermissions.tumsUser'])
newRecord['employeeType'].append(tuenc.encode())
if data.get('userPermissions.tumsReports', None):
newRecord['employeeType'].append('tumsReports')
if data['userPermissions.accountStatus']:
newRecord['accountStatus'] = [ 'active' ]
elif newRecord.get('accountStatus',False):
del newRecord['accountStatus']
mFA = []
for i in xrange(10):
if data['mailSettings.mailForwardingAddress%s' % i]:
ad = data['mailSettings.mailForwardingAddress%s' % i].replace(' ', '').replace('\r','')
if ad:
mFA.append(ad)
if mFA:
newRecord['mailForwardingAddress'] = [ le.encode() for le in mFA ]
else:
try:
del newRecord['mailForwardingAddress']
except:
pass
mAA = []
for i in xrange(10):
if data['mailSettings.mailAlternateAddress%s' % i]:
ad = data['mailSettings.mailAlternateAddress%s' % i].replace(' ', '').replace('\r','')
if ad:
mAA.append(ad)
if mAA:
newRecord['mailAlternateAddress'] = [ le.encode().strip('\r') for le in mAA ]
else:
try:
del newRecord['mailAlternateAddress']
except:
pass
if data['userSettings.userPassword']:
newRecord['userPassword'] = ["{SHA}"+LDAP.hashPassword(data['userSettings.userPassword'])]
if Settings.sambaDN and self.domain==Settings.defaultDomain:
newRecord['sambaLMPassword'] = Utils.createLMHash(data['userSettings.userPassword'])
newRecord['sambaNTPassword'] = Utils.createNTHash(data['userSettings.userPassword'])
return newRecord
def submitForm(self, ctx, form, data):
user = data['userSettings.uid'].encode("utf-8").lower()
data['userSettings.uid'] = user
emailAddress = str("%s@%s" % (user, self.domain))
if not data['userSettings.sn']:
data['userSettings.sn'] = "-"
if not data['userSettings.givenName']:
data['userSettings.givenName'] = user.capitalize()
if data['userPermissions.copyto']:
address = emailAddress
mailConf = self.sysconf.Mail
if mailConf.get('copys', []):
mailConf['copys'].append(
(address, data['userPermissions.copyto']))
else:
mailConf['copys'] = [(address, data['userPermissions.copyto'])]
self.sysconf.Mail = mailConf
# We need to restart exim if a copyto was set
WebUtils.system(
'/usr/local/tcs/tums/configurator --exim; /etc/init.d/exim4 restart'
)
if data['userSettings.userPassword']:
clearPassword = data['userSettings.userPassword'].encode()
else:
clearPassword = sha.sha("%s" % random.randint(1, 4000)).hexdigest()
LM = Utils.createLMHash(clearPassword)
NT = Utils.createNTHash(clearPassword)
if Settings.sambaDN and self.domain == Settings.defaultDomain:
# Acquire local SID
l = LDAP.createLDAPConnection(Settings.LDAPServer,
'o=' + Settings.LDAPBase,
Settings.LDAPManager,
Settings.LDAPPass)
dc = "%s,o=%s" % (LDAP.domainToDC(self.domain), Settings.LDAPBase)
domainData = LDAP.getDomInfo(l, dc, Settings.SMBDomain)
SID = str(domainData['sambaSID'][0])
# Acquire UID offset
uidOffset = int(domainData['uidNumber'][0])
# Make RID
SIDOffset = 2 * uidOffset
# Append user to Domain Users
try:
domainUsers = LDAP.getDomUsers(l, dc)
newDomainUsers = copy.deepcopy(domainUsers)
if not newDomainUsers.get('memberUid',
None): # Very very new domain
newDomainUsers['memberUid'] = []
newDomainUsers['memberUid'].append(user)
LDAP.modifyElement(l, 'cn=Domain Users,ou=Groups,' + dc,
domainUsers, newDomainUsers)
except:
pass # User already in group
# Increment UID for domain
newDom = copy.deepcopy(domainData)
newDom['uidNumber'] = [str(uidOffset + 1)]
try:
LDAP.modifyElement(
l, 'sambaDomainName=%s,%s,o=%s' %
(Settings.SMBDomain, LDAP.domainToDC(
self.domain), Settings.LDAPBase), domainData, newDom)
except:
pass # User has a uid or something
timeNow = str(int(time.time()))
# LDAP template for SAMBA
shell = '/bin/false'
if data['userAccess.ftpEnabled']:
shell = '/bin/bash'
newRecord = {
'sambaPrimaryGroupSID':
[SID + "-" + str(1000 + SIDOffset + 1)],
'sambaSID': [SID + "-" + str(1000 + SIDOffset)],
'gidNumber': ['513'],
'uidNumber': [str(uidOffset)],
'sambaPasswordHistory': [
'0000000000000000000000000000000000000000000000000000000000000000'
],
'sambaPwdMustChange': ['2147483647'],
'sambaPwdCanChange': [timeNow],
'sambaNTPassword': [NT],
'sambaLMPassword': [LM],
'gecos': ['System User'],
'sn': [data['userSettings.sn'].encode("utf-8")],
'givenName': [data['userSettings.givenName'].encode("utf-8")],
'cn': [
"%s %s" % (data['userSettings.givenName'].encode("utf-8"),
data['userSettings.sn'].encode("utf-8"))
],
'o': [Settings.LDAPOrganisation],
'objectClass': [
'top', 'inetOrgPerson', 'posixAccount', 'shadowAccount',
'SambaSamAccount', 'thusaUser'
],
'loginShell': [shell],
'sambaPwdLastSet': [timeNow],
'sambaAcctFlags': ['[U ]'],
'mailMessageStore': ['/var/spool/mail/' + emailAddress],
'mail': [emailAddress],
'homeDirectory': ['/home/%s' % user],
'uid': [user],
'employeeType': []
}
l.unbind_s()
else:
# LDAP Template for without samba
newRecord = {
'sn': [data['userSettings.sn'].encode("utf-8")],
'givenName': [data['userSettings.givenName'].encode("utf-8")],
'cn': [
"%s %s" % (data['userSettings.givenName'].encode("utf-8"),
data['userSettings.sn'].encode("utf-8"))
],
'o': [Settings.LDAPOrganisation],
'objectClass': ['top', 'inetOrgPerson', 'thusaUser'],
'mailMessageStore': ['/var/spool/mail/' + emailAddress],
'mail': [emailAddress],
'uid': [user],
'employeeType': []
}
self.validateAttributes(data, newRecord)
self.addEntry(newRecord, user, data['userPermissions.accountStatus'],
data['userAccess.vpnEnabled'])
# Create Home directory and restart NSCD
if Settings.sambaDN and self.domain == Settings.defaultDomain:
WebUtils.system('/etc/init.d/nscd restart')
WebUtils.system('mkdir /home/%s; chown %s:Domain\ Users /home/%s' %
(user, user, user))
WebUtils.system(
'/usr/local/tcs/tums/configurator --ftp; /etc/init.d/vsftpd restart'
)
return url.root.child('Users').child('Edit').child(
self.domain).child(user)
