def __init__(self,
userdn=None,
password=None,
host='localhost',
base=None,
start_tls=2,
access=None,
format=None):
self._cached = {}
self._modules = {}
self._policies = {}
self._format = format
self._bc = ConfigRegistry()
self._bc.load()
self.__reverse = {}
if not base:
self._base = self._bc['ldap/base']
else:
self._base = base
self._position = ua_ldap.position(self._base)
if access:
self._access = access
else:
self._access = ua_ldap.access(host=host,
base=self._base,
binddn=userdn,
bindpw=password,
start_tls=start_tls)
ua_modules.update()
def getLdapConnection():
'''Create an LDAP connection and initialize UDM User and Group modules'''
global lo, po, user_module, simpleauth_module, group_module
lo, po = univention.admin.uldap.getAdminConnection()
udm.update()
user_module = udm.get('users/user')
simpleauth_module = udm.get('users/ldap')
group_module = udm.get('groups/group')
udm.init(lo, po, user_module)
udm.init(lo, po, simpleauth_module)
udm.init(lo, po, group_module)
def __set_users_module():
global users_module
if users_module:
return
try:
# get the users/user UDM module
udm_modules.update()
users_module = udm_modules.get('users/user')
except udm_errors.base as e:
# UDM error, user module coule not be initiated
CORE.warn('An error occurred getting the UDM users/user module: %s' % e)
def run(self, args):
# locale must be set before importing UDM!
log_init('/dev/stdout', args.debug)
language = str(Locale(args.language))
locale.setlocale(locale.LC_MESSAGES, language)
os.umask(
0o077) # FIXME: should probably be changed, this is what UMC sets
# The UMC-Server and module processes are clearing environment variables
os.environ.clear()
os.environ['PATH'] = '/bin:/sbin:/usr/bin:/usr/sbin'
os.environ['LANG'] = language
import univention.admin.modules as udm_modules
udm_modules.update()
from univention.admin.rest.module import Application
application = Application(serve_traceback=ucr.is_true(
'directory/manager/rest/show-tracebacks', True))
server = HTTPServer(application)
if args.port:
server.bind(args.port)
server.start(args.cpus)
if args.unix_socket:
socket = bind_unix_socket(args.unix_socket)
server.add_socket(socket)
signal.signal(signal.SIGTERM, partial(self.signal_handler_stop,
server))
signal.signal(signal.SIGINT, partial(self.signal_handler_stop, server))
signal.signal(signal.SIGHUP, self.signal_handler_reload)
channel = logging.StreamHandler()
channel.setFormatter(
tornado.log.LogFormatter(
fmt=
'%(color)s%(asctime)s %(levelname)10s (%(process)9d) :%(end_color)s %(message)s',
datefmt='%d.%m.%y %H:%M:%S'))
logger = logging.getLogger()
logger.setLevel(logging.INFO)
logger.addHandler(channel)
try:
tornado.ioloop.IOLoop.current().start()
except (SystemExit, KeyboardInterrupt):
raise
except:
CORE.error(traceback.format_exc())
raise
def __init__( self, username, password ):
global users_module
self.__username = username
self.__password = password
self.__user_dn = None
signals.Provider.__init__( self )
self.core_i18n = Translation( 'univention-management-console' )
self.i18n = I18N_Manager()
self.i18n[ 'umc-core' ] = I18N()
# stores the module processes [ modulename ] = <>
self.__processes = {}
self.__killtimer = {}
lo = ldap.open( ucr[ 'ldap/server/name' ], int( ucr.get( 'ldap/server/port', 7389 ) ) )
try:
# get LDAP connection with machine account
self.lo, self.po = udm_uldap.getMachineConnection( ldap_master = False )
# get the LDAP DN of the authorized user
ldap_dn = self.lo.searchDn( '(&(uid=%s)(objectClass=posixAccount))' % self.__username )
if ldap_dn:
self.__user_dn = ldap_dn[ 0 ]
CORE.info( 'The LDAP DN for user %s is %s' % ( self.__username, self.__user_dn ) )
else:
CORE.info( 'The LDAP DN for user %s could not be found' % self.__username )
# initiate the users/user UDM module
udm_modules.update()
users_module = udm_modules.get('users/user')
udm_modules.init(self.lo, self.po, users_module)
except ( ldap.LDAPError, IOError ) as e:
# problems connection to LDAP server or the server is not joined (machine.secret is missing)
CORE.warn('An error occurred connecting to the LDAP server: %s' % e)
self.lo = None
users_module = None
except udm_errors.base as e:
# UDM error, user module coule not be initiated
CORE.warn('An error occurred intializing the UDM users/user module: %s' % e)
users_module = None
# read the ACLs
self.acls = LDAP_ACLs( self.lo, self.__username, ucr[ 'ldap/base' ] )
self.__command_list = moduleManager.permitted_commands( ucr[ 'hostname' ], self.acls )
self.signal_new( 'response' )
def udm_objects_without_type(lo):
global _UPDATED
if not _UPDATED:
update()
_UPDATED = True
objs = []
query = lo.search('(!(univentionObjectType=*))')
for dn, attrs in query:
if dn.endswith(',cn=temporary,cn=univention,%s' % ucr.get('ldap/base')):
continue
modules = identify(dn, attrs)
if modules:
for module in modules: # Bug #47846
if module.module == 'kerberos/kdcentry':
break
else:
objs.append((dn, modules, attrs['objectClass']))
return objs
def remove_object(udm_module_name, object_dn): listener.setuid(0) try: try: ldap_connection, ldap_position = udm_uldap.getAdminConnection() udm_modules.update() udm_module = udm_modules.get(udm_module_name) udm_modules.init(ldap_connection, ldap_position, udm_module) except udm_errors.ldapError as exc: ud.debug(ud.LISTENER, ud.ERROR, '%s: Error accessing UDM: %s' % (name, exc)) raise exc try: udm_object = udm_module.object(None, ldap_connection, ldap_position, object_dn) udm_object.remove() except (udm_errors.ldapError, udm_errors.noObject) as exc: ud.debug(ud.LISTENER, ud.ERROR, '%s: Error deleting %s: %s.' % (name, object_dn, exc)) raise exc finally: listener.unsetuid()
def __init__( self, userdn = None, password = None, host = 'localhost', base = None, start_tls = 2, access = None, format = True ):
self._cached = {}
self._modules = {}
self._policies = {}
self._format = format
self._bc = ub.baseConfig()
self._bc.load()
self.__reverse = {}
if not base:
self._base = self._bc[ 'ldap/base' ]
else:
self._base = base
self._position = ua_ldap.position( self._base )
if access:
self._access = access
else:
self._access = ua_ldap.access( host = host, base = self._base,
binddn = userdn, bindpw = password, start_tls = start_tls )
ua_modules.update()
self._config = ua_config.config( host = host )
def run(self, args):
# locale must be set before importing UDM!
log_init('/dev/stdout', args.debug)
language = str(Locale(args.language))
locale.setlocale(locale.LC_MESSAGES, language)
os.umask(
0o077) # FIXME: should probably be changed, this is what UMC sets
# The UMC-Server and module processes are clearing environment variables
os.environ.clear()
os.environ['PATH'] = '/bin:/sbin:/usr/bin:/usr/sbin'
os.environ['LANG'] = language
import univention.admin.modules as udm_modules
udm_modules.update()
from univention.admin.rest.module import Application
application = Application(serve_traceback=ucr.is_true(
'directory/manager/rest/show-tracebacks', True))
server = HTTPServer(application)
server.start(args.cpus)
if args.port:
server.listen(args.port)
if args.unix_socket:
socket = bind_unix_socket(args.unix_socket)
server.add_socket(socket)
signal.signal(signal.SIGTERM, partial(self.signal_handler_stop,
server))
signal.signal(signal.SIGINT, partial(self.signal_handler_stop, server))
signal.signal(signal.SIGHUP, self.signal_handler_reload)
tornado.log.enable_pretty_logging()
try:
tornado.ioloop.IOLoop.current().start()
except (SystemExit, KeyboardInterrupt):
raise
except:
CORE.error(traceback.format_exc())
raise
def mark_active(self): if self._todo_list: try: lo, ldap_position = udm_uldap.getAdminConnection() udm_modules.update() udm_module = udm_modules.get(self.udm_module_name) udm_modules.init(lo, ldap_position, udm_module) for object_dn in self._todo_list: try: udm_object = udm_module.object(None, lo, ldap_position, object_dn) udm_object.open() udm_object['active'] = True udm_object.modify() except udm_errors.noObject as e: ud.debug(ud.LISTENER, ud.ERROR, 'Error modifying %s: object not found.' % (object_dn,)) except udm_errors.ldapError as e: ud.debug(ud.LISTENER, ud.ERROR, 'Error modifying %s: %s.' % (object_dn, e)) raise self._todo_list = [] except udm_errors.ldapError as e: ud.debug(ud.LISTENER, ud.ERROR, 'Error accessing UDM: %s' % (e,))
def query(self):
udm_modules.update()
lo, po = get_machine_connection()
servers = udm_modules.lookup(
'computers/computer',
None,
lo,
filter=
'(&(|(objectClass=univentionDomainController)(objectClass=univentionMemberServer))(!(univentionObjectFlag=docker)))',
base=ucr['ldap/base'],
scope='sub')
result = [
dict(
dn=i.dn,
hostname=i.info.get('name'),
domain=i.info.get('domain'),
ip=i.info.get('ip'),
version=i.info.get('operatingSystemVersion'),
serverRole=i.info.get('serverRole'),
) for i in servers
]
return result
def __init__(self, changeset):
super(PhaseLdapReferences, self).__init__(changeset)
modules.update()
from ...log import MODULE
from .syntax import widget, default_value
from ldap import LDAPError
try:
import univention.admin.license
GPLversion=False
except:
GPLversion=True
_ = Translation( 'univention-management-console-module-udm' ).translate
udm_modules.update()
# current user
_user_dn = None
_password = None
def get_exception_msg(e):
msg = getattr(e, 'message', '')
if getattr(e, 'args', False):
if e.args[0] != msg or len(e.args) != 1:
for arg in e.args:
msg += ' ' + arg
return msg
def set_credentials( dn, passwd ):
def _get_module(self):
modules.update()
module_name = "computers/%(server/role)s" % self.changeset.ucr
self.module = modules.get(module_name)
modules.init(self.ldap, self.position, self.module)
def handler(dn, new, old):
"""Handle UDM extension modules"""
if new:
ocs = new.get('objectClass', [])
univentionUCSVersionStart = new.get('univentionUCSVersionStart',
[b''])[0].decode('UTF-8')
univentionUCSVersionEnd = new.get('univentionUCSVersionEnd',
[b''])[0].decode('UTF-8')
elif old:
ocs = old.get('objectClass', [])
if b'univentionUDMModule' in ocs:
objectclass = 'univentionUDMModule'
udm_module_name = 'settings/udm_module'
target_subdir = 'univention/admin/handlers'
elif b'univentionUDMHook' in ocs:
objectclass = 'univentionUDMHook'
udm_module_name = 'settings/udm_hook'
target_subdir = 'univention/admin/hooks.d'
elif b'univentionUDMSyntax' in ocs:
objectclass = 'univentionUDMSyntax'
udm_module_name = 'settings/udm_syntax'
target_subdir = 'univention/admin/syntax.d'
else:
ud.debug(
ud.LISTENER, ud.ERROR,
'%s: Undetermined error: unknown objectclass: %s.' % (name, ocs))
# Bug #51622 for UCS 5.0 update:
if new and not old:
if listener.configRegistry.get(
'server/role') == 'domaincontroller_master':
# Remove objects that don't signal Python3 support
cmp_start_vs_50 = apt.apt_pkg.version_compare(
univentionUCSVersionStart,
"5.0") # -1 if univentionUCSVersionStart is unset
# cmp_end_vs_499 = apt.apt_pkg.version_compare(univentionUCSVersionEnd, "4.99")
# Keep object if cmp_start_vs_50 >= 0 [i.e. Py3] or (cmp_start_vs_50 < and univentionUCSVersionEnd) [or cmp_end_vs_499 == 0]
# Otherwise remove it:
if cmp_start_vs_50 < 0 and not univentionUCSVersionEnd:
ud.debug(
ud.LISTENER, ud.WARN,
'%s: Removing incompatible extension %s (univentionUCSVersionStart=%r and univentionUCSVersionEnd not set).'
% (name, new['cn'][0].decode('UTF-8'),
univentionUCSVersionStart))
remove_object(udm_module_name, dn)
return
if new:
current_UCS_version = "%s-%s" % (
listener.configRegistry.get('version/version'),
listener.configRegistry.get('version/patchlevel'))
if univentionUCSVersionStart and UCS_Version(
current_UCS_version) < UCS_Version(univentionUCSVersionStart):
ud.debug(
ud.LISTENER, ud.INFO,
'%s: extension %s requires at least UCS version %s.' %
(name, new['cn'][0].decode('UTF-8'),
univentionUCSVersionStart))
# Trigger remove on this system
old = old or new
new = None
elif univentionUCSVersionEnd and UCS_Version(
current_UCS_version) > UCS_Version(univentionUCSVersionEnd):
ud.debug(
ud.LISTENER, ud.INFO,
'%s: extension %s specifies compatibility only up to and including UCR version %s.'
%
(name, new['cn'][0].decode('UTF-8'), univentionUCSVersionEnd))
# Trigger remove on this system
old = old or new
new = None
old_relative_filename = None
if old:
old_relative_filename = old['%sFilename' %
objectclass][0].decode('UTF-8')
if new:
new_version = new.get('univentionOwnedByPackageVersion',
[b''])[0].decode('UTF-8')
if not new_version:
return
new_pkgname = new.get('univentionOwnedByPackage', [None])[0]
if not new_pkgname:
return
if old: # check for trivial changes
diff_keys = [
key for key in new.keys()
if new.get(key) != old.get(key) and key not in (
'entryCSN', 'modifyTimestamp', 'modifiersName')
]
if diff_keys == ['%sActive' % objectclass] and new.get(
'%sActive' % objectclass)[0] == b'TRUE':
ud.debug(
ud.LISTENER, ud.INFO,
'%s: %s: activation status changed.' %
(name, new['cn'][0]))
return
elif diff_keys == ['univentionAppIdentifier']:
ud.debug(
ud.LISTENER, ud.INFO, '%s: %s: App identifier changed.' %
(name, new['cn'][0].decode('UTF-8')))
return
if new_pkgname == old.get('univentionOwnedByPackage', [None])[0]:
old_version = old.get('univentionOwnedByPackageVersion',
[b'0'])[0].decode('UTF-8')
rc = apt.apt_pkg.version_compare(new_version, old_version)
if not rc > -1:
ud.debug(
ud.LISTENER, ud.WARN,
'%s: New version is lower than version of old object (%s), skipping update.'
% (name, old_version))
return
# ok, basic checks passed, handle the data
try:
new_object_data = bz2.decompress(
new.get('%sData' % objectclass)[0])
except TypeError:
ud.debug(ud.LISTENER, ud.ERROR,
'%s: Error uncompressing data of object %s.' % (name, dn))
return
new_relative_filename = new['%sFilename' %
objectclass][0].decode('UTF-8')
listener.setuid(0)
try:
if old_relative_filename and old_relative_filename != new_relative_filename:
remove_python_file(objectclass, target_subdir,
old_relative_filename)
if not install_python_file(objectclass, target_subdir,
new_relative_filename, new_object_data):
return
install_messagecatalog(dn, new, objectclass)
install_umcmessagecatalogs(new, old)
if objectclass == 'univentionUDMModule':
install_umcregistration(dn, new)
install_umcicons(dn, new)
finally:
listener.unsetuid()
elif old:
# ok, basic checks passed, handle the change
listener.setuid(0)
try:
remove_python_file(objectclass, target_subdir,
old_relative_filename)
remove_messagecatalog(dn, old, objectclass)
remove_umcmessagecatalogs(old)
if objectclass == 'univentionUDMModule':
remove_umcicons(dn, old)
remove_umcregistration(dn, old)
finally:
listener.unsetuid()
# TODO: Kill running univention-cli-server?
# Mark new extension object active
listener.setuid(0)
try:
if new:
if not listener.configRegistry.get(
'server/role') == 'domaincontroller_master':
# Only set active flag on Primary
return
try:
lo, ldap_position = udm_uldap.getAdminConnection()
udm_modules.update()
udm_module = udm_modules.get(udm_module_name)
udm_modules.init(lo, ldap_position, udm_module)
try:
udm_object = udm_module.object(None, lo, ldap_position, dn)
udm_object.open()
udm_object['active'] = True
udm_object.modify()
except udm_errors.ldapError as exc:
ud.debug(ud.LISTENER, ud.ERROR,
'%s: Error modifying %s: %s.' % (name, dn, exc))
except udm_errors.noObject as exc:
ud.debug(ud.LISTENER, ud.ERROR,
'%s: Error modifying %s: %s.' % (name, dn, exc))
except udm_errors.ldapError as exc:
ud.debug(ud.LISTENER, ud.ERROR,
'%s: Error accessing UDM: %s' % (name, exc))
finally:
listener.unsetuid()
def test_script_lock_expired_accounts(stopped_s4_connector,
udm): # TODO: parametrize
"""Check cron job script lock_expired_accounts"""
# bugs: [35088]
print(time.ctime())
udm_modules.update()
lo, position = univention.admin.uldap.getAdminConnection()
udm_modules.init(lo, position, udm_modules.get('users/user'))
def create_user(expiry_days_delta, locked_status):
expiry_time = datetime.utcnow() + timedelta(days=expiry_days_delta)
userdn, username = udm.create_user(
userexpiry=expiry_time.strftime("%Y-%m-%d"),
check_for_drs_replication=False,
wait_for=False)
if locked_status == '1':
locktime = time.strftime("%Y%m%d%H%M%SZ", time.gmtime())
subprocess.check_call([
'/usr/bin/python2.7', '-m', 'univention.lib.account', 'lock',
'--dn', userdn, '--lock-time', locktime
])
return username
userdata = {}
for delta, initial_state, expected_state in [
[-9, '0', '0'],
[-8, '0', '0'],
# [-7, '0', '0'], disabled due to bug #36210
# [-6, '0', '1'], disabled due to bug #36210
[-5, '0', '1'],
[-4, '0', '1'],
[-3, '0', '1'],
[-2, '0', '1'],
[-1, '0', '1'],
# [0, '0', '1'], disabled due to bug #36210
[1, '0', '0'],
[2, '0', '0'],
[-4, '1', '1'],
# [0, '1', '1'], disabled due to bug #36210
[2, '1', '1'],
]:
userdata[create_user(delta,
initial_state)] = [initial_state, expected_state]
ldap_filter = '(|(uid=' + ')(uid='.join(userdata.keys()) + '))'
results = udm_modules.lookup('users/user',
None,
lo,
scope='sub',
filter=ldap_filter)
if len(results) != len(userdata):
print('RESULTS: %r' %
(pprint.PrettyPrinter(indent=2).pformat(results), ))
utils.fail('Did not find all users prior to script execution!')
for entry in results:
entry.open()
if not entry['locked'] == userdata[entry['username']][0]:
utils.fail(
'uid=%s should not be locked for posix prior to script execution!'
% (entry['username'], ))
print('Calling lock_expired_accounts...')
subprocess.check_call([
'/usr/share/univention-directory-manager-tools/lock_expired_accounts',
'--only-last-week'
])
print('DONE')
results = udm_modules.lookup('users/user',
None,
lo,
scope='sub',
filter=ldap_filter)
if len(results) != len(userdata):
print('RESULTS: %r' %
(pprint.PrettyPrinter(indent=2).pformat(results), ))
utils.fail('Did not find all users after script execution!')
for entry in results:
entry.open()
if not entry['locked'] == userdata[entry['username']][1]:
utils.fail(
'The account uid=%r is not in expected locking state: expected=%r current=%r'
% (entry['username'], userdata[entry['username']][1],
entry['locked']))
def handler(dn, new, old):
"""Handle UDM extension modules"""
if new:
ocs = new.get('objectClass', [])
univentionUCSVersionStart = new.get('univentionUCSVersionStart', [None])[0]
univentionUCSVersionEnd = new.get('univentionUCSVersionEnd', [None])[0]
current_UCS_version = "%s-%s" % (listener.configRegistry.get('version/version'), listener.configRegistry.get('version/patchlevel'))
if univentionUCSVersionStart and UCS_Version(current_UCS_version) < UCS_Version(univentionUCSVersionStart):
ud.debug(ud.LISTENER, ud.INFO, '%s: extension %s requires at least UCR version %s.' % (name, new['cn'][0], univentionUCSVersionStart))
new = None
elif univentionUCSVersionEnd and UCS_Version(current_UCS_version) > UCS_Version(univentionUCSVersionEnd):
ud.debug(ud.LISTENER, ud.INFO, '%s: extension %s specifies compatibility only up to and including UCR version %s.' % (name, new['cn'][0], univentionUCSVersionEnd))
new = None
elif old:
ocs = old.get('objectClass', [])
if 'univentionUDMModule' in ocs:
objectclass = 'univentionUDMModule'
udm_module_name = 'settings/udm_module'
target_subdir = 'univention/admin/handlers'
elif 'univentionUDMHook' in ocs:
objectclass = 'univentionUDMHook'
udm_module_name = 'settings/udm_hook'
target_subdir = 'univention/admin/hooks.d'
elif 'univentionUDMSyntax' in ocs:
objectclass = 'univentionUDMSyntax'
udm_module_name = 'settings/udm_syntax'
target_subdir = 'univention/admin/syntax.d'
else:
ud.debug(ud.LISTENER, ud.ERROR, '%s: Undetermined error: unknown objectclass: %s.' % (name, ocs))
if new:
new_version = new.get('univentionOwnedByPackageVersion', [None])[0]
if not new_version:
return
new_pkgname = new.get('univentionOwnedByPackage', [None])[0]
if not new_pkgname:
return
if old: # check for trivial changes
diff_keys = [key for key in new.keys() if new.get(key) != old.get(key) and key not in ('entryCSN', 'modifyTimestamp', 'modifiersName')]
if diff_keys == ['%sActive' % objectclass] and new.get('%sActive' % objectclass)[0] == 'TRUE':
ud.debug(ud.LISTENER, ud.INFO, '%s: %s: activation status changed.' % (name, new['cn'][0]))
return
elif diff_keys == ['univentionAppIdentifier']:
ud.debug(ud.LISTENER, ud.INFO, '%s: %s: App identifier changed.' % (name, new['cn'][0]))
return
if new_pkgname == old.get('univentionOwnedByPackage', [None])[0]:
old_version = old.get('univentionOwnedByPackageVersion', ['0'])[0]
rc = apt.apt_pkg.version_compare(new_version, old_version)
if not rc > -1:
ud.debug(ud.LISTENER, ud.WARN, '%s: New version is lower than version of old object (%s), skipping update.' % (name, old_version))
return
# ok, basic checks passed, handle the data
try:
new_object_data = bz2.decompress(new.get('%sData' % objectclass)[0])
except TypeError:
ud.debug(ud.LISTENER, ud.ERROR, '%s: Error uncompressing data of object %s.' % (name, dn))
return
new_relative_filename = new.get('%sFilename' % objectclass)[0]
listener.setuid(0)
try:
if not install_python_file(objectclass, target_subdir, new_relative_filename, new_object_data):
return
install_messagecatalog(dn, new, objectclass)
if objectclass == 'univentionUDMModule':
install_umcregistration(dn, new)
install_umcicons(dn, new)
finally:
listener.unsetuid()
elif old:
# ok, basic checks passed, handle the change
old_relative_filename = old.get('%sFilename' % objectclass)[0]
listener.setuid(0)
try:
remove_python_file(objectclass, target_subdir, old_relative_filename)
remove_messagecatalog(dn, old, objectclass)
if objectclass == 'univentionUDMModule':
remove_umcicons(dn, old)
remove_umcregistration(dn, old)
finally:
listener.unsetuid()
# Kill running univention-cli-server and mark new extension object active
listener.setuid(0)
try:
if new:
if not listener.configRegistry.get('server/role') == 'domaincontroller_master':
# Only set active flag on Master
return
try:
lo, ldap_position = udm_uldap.getAdminConnection()
udm_modules.update()
udm_module = udm_modules.get(udm_module_name)
udm_modules.init(lo, ldap_position, udm_module)
try:
udm_object = udm_module.object(None, lo, ldap_position, dn)
udm_object.open()
udm_object['active'] = True
udm_object.modify()
except udm_errors.ldapError as e:
ud.debug(ud.LISTENER, ud.ERROR, '%s: Error modifying %s: %s.' % (name, dn, e))
except udm_errors.noObject as e:
ud.debug(ud.LISTENER, ud.ERROR, '%s: Error modifying %s: %s.' % (name, dn, e))
except udm_errors.ldapError as e:
ud.debug(ud.LISTENER, ud.ERROR, '%s: Error accessing UDM: %s' % (name, e))
finally:
listener.unsetuid()
import subprocess
import sys
lo, position = uldap.getAdminConnection()
co = config.config()
ucr = univention.config_registry.ConfigRegistry()
ucr.load()
base = ucr.get('ldap/base')
cusers = 5000
cgroups = 1050
cuseringroups = 50
cgroupsForTestUser = 50
username = "******"
groupname = "testgroup"
modules.update()
users = modules.get('users/user')
modules.init(lo, position, users)
groups = modules.get('groups/group')
modules.init(lo, position, groups)
for i in range(0, cusers):
name = "%s%s" % (username, i)
if not users.lookup(co, lo, "uid=%s" % name):
user = users.object(co, lo, position)
user.open()
user["lastname"] = name
user["password"] = "******"
user["username"] = name
user.create()
import os
import base64
from ldap.filter import escape_filter_chars
from ldap.dn import explode_dn, escape_dn_chars
import univention.admin.objects as udm_objects
import univention.admin.modules as udm_modules
import univention.admin.uexceptions as udm_errors
from univention.uldap import access as base_access
from univention.admin.uldap import getMachineConnection, getAdminConnection, access, position
from univention.appcenter.ucr import ucr_get
udm_modules.update()
_initialized = set()
class FakeApp(object):
def __init__(self, id, version):
self.id = id
self.version = version
def _get_module(module, lo, pos):
mod = udm_modules.get(module)
if module not in _initialized:
udm_modules.init(lo, pos, mod)
_initialized.add(module)
def main():
### Step 1) Open connection to remote (source) LDAP server
#
# TODO: Replace example strings below
#
remote_ldap_base = 'dc=remote,dc=domain,dc=net'
remote_ldap_binddn = 'uid=Administrator,cn=users,%s' % remote_ldap_base
remote_ldap_bindpw = 'Fill in the password'
remote_ldap_uri = 'ldaps://server.remote.domain.net:636'
# remote_ldap_start_tls = 2 # this means force TLS in uldap.access
remote_ldap_start_tls = 0
remote_ldap_ca_certfile = '/var/tmp/remote_ldap_ca_certfile.pem'
## Alternative: read from an LDIF file
# remote_ldap_uri = 'file:///var/tmp/users.ldif'
if remote_ldap_uri.startswith('ldap'):
## E.g. use "low level" univention.uldap class (wrapper around python-ldap)
#
access_to_source_ldap = univention.uldap.access(
uri=remote_ldap_uri,
base=remote_ldap_base,
binddn=remote_ldap_binddn,
bindpw=remote_ldap_bindpw,
start_tls=remote_ldap_start_tls,
ca_certfile=remote_ldap_ca_certfile)
## Alternative: use plain python-ldap directly
#
# source_ldap = ldap.initialize('ldaps://%s:%s' % (remote_ldap_host, remote_ldap_port))
# source_ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, remote_ldap_ca_certfile)
# source_ldap.simple_bind_s(remote_ldap_binddn, remote_ldap_bindpw)
# source_ldap.set_option(ldap.OPT_REFERRALS, 0)
elif remote_ldap_uri.startswith('file://'):
if not os.path.exists(remote_ldap_uri[7:]):
print("File {} does not exist".format(remote_ldap_uri[7:]))
sys.exit(1)
else:
print(
"LDAP URI must start either with 'file://', 'ldap://' or 'ldaps://'"
)
sys.exit(1)
### Step 2) Get a connection to the local LDAP server with admin credentials
access_to_local_ldap, pos = get_admin_connection()
pos.setDn('cn=users')
### Initialize the UDM module users/user, to create user objects
udm_modules.update(
) # required to load all modules and extended attributes
udm_users = udm_modules.get('users/user')
### Create queue and start UDM writers as subprocesses
queue = Queue(LDAP_OBJECTS_QUEUE_SIZE)
udm_workers = list()
for i in range(UDM_WRITERS):
p = Process(target=ldap_object_consumer,
args=(queue, i, access_to_local_ldap, pos, udm_users))
p.start()
udm_workers.append(p)
print("Ok, here we go, starting import")
if remote_ldap_uri.startswith('file://'):
ldif_file_object_reader(queue, remote_ldap_uri[7:])
else:
reconnect_paged_remote_ldap_object_reader(queue, access_to_source_ldap)
print("All data read, waiting for workers to finish")
for p in udm_workers:
p.join()
def run(_umc_instance):
# Now a workaround for paramico logging to connector-s4.log
# because one of the diagnostic plugins instantiates s4connector.s4.s4()
# which initializes univention.debug2, which initializes logging.basicConfig
logger = paramiko.util.logging.getLogger()
logger.setLevel(logging.CRITICAL)
try:
lo, position = uldap.getMachineConnection(ldap_master=False)
except Exception as err:
raise Warning(str(err))
modules.update()
ucs_hosts = []
roles = [
'computers/domaincontroller_backup',
'computers/domaincontroller_master',
'computers/domaincontroller_slave', 'computers/memberserver'
]
for role in roles:
udm_obj = modules.get(role)
modules.init(lo, position, udm_obj)
for host in udm_obj.lookup(None, lo, 'cn=*'):
if 'docker' in host.oldattr.get('univentionObjectFlag', []):
continue
if not host.get('ip'):
continue
host.open()
ucs_hosts.append(host['name'])
with open('/etc/machine.secret', 'rb') as fd:
password = fd.read().strip()
gen_msg = _('The ssh connection to at least one other UCS server failed. ')
gen_msg += _(
'The following list shows the affected remote servers and the reason for the failed ssh connection:'
)
key_msg = _('Host key for server does not match')
key_info = _(
'The ssh host key of the remote server has changed (maybe the host was reinstalled). '
)
key_info += _(
'Please repair the host key of the remote server in /root/.ssh/known_hosts on %(fqdn)s.'
)
auth_msg = _('Machine authentication failed')
auth_info = _(
'Login to the remote server with the uid %(uid)s and the password from /etc/machine.secret failed. '
)
auth_info += _(
'Please check /var/log/auth.log on the remote server for further information.'
)
bad = dict()
key_failed = False
auth_failed = False
data = dict(fqdn=ucr['hostname'] + '.' + ucr['domainname'],
uid=ucr['hostname'] + '$',
hostname=ucr['hostname'])
for host in ucs_hosts:
client = paramiko.SSHClient()
client.load_system_host_keys()
client.set_missing_host_key_policy(IgnorePolicy())
fqdn = host + '.' + ucr['domainname']
try:
client.connect(fqdn,
port=22,
username=ucr['hostname'] + '$',
password=password,
timeout=2,
banner_timeout=2,
allow_agent=False)
client.close()
except paramiko.BadHostKeyException as err:
bad[fqdn] = key_msg + '!'
key_failed = True
except paramiko.BadAuthenticationType as err:
bad[fqdn] = auth_msg + '!'
auth_failed = True
except (paramiko.SSHException, socket.timeout) as err:
# ignore if host is not reachable and other ssh errors
pass
except Exception as err:
bad[fqdn] = str(err)
if bad:
msg = gen_msg
msg += '\n\n'
for host in bad:
msg += '%s - %s\n' % (host, bad[host])
if key_failed:
msg += '\n' + key_msg + ' - ' + key_info + '\n'
if auth_failed:
msg += '\n' + auth_msg + ' - ' + auth_info + '\n'
msg += '\n'
log_msg = msg.splitlines()
for line in log_msg:
if not re.match(r'^\s*$', line):
MODULE.error("%s" % line)
MODULE.error("%s" % data)
raise Critical(msg % data)
def _update_modules():
if not _initialized:
udm_modules.update()
def __init__(self, changeset):
super(PhaseLdapSSO, self).__init__(changeset)
modules.update()
