def get_members(self, attributes, members, subgroups, seen):
# add the memberUid values
for member in clean(attributes['memberUid']):
if common.is_valid_name(member):
members.add(member)
# translate and add the member values
for memberdn in clean(attributes['member']):
if memberdn in seen:
continue
seen.add(memberdn)
member = passwd.dn2uid(self.conn, memberdn)
if member and common.is_valid_name(member):
members.add(member)
elif cfg.nss_nested_groups:
subgroups.append(memberdn)
def validate(self, parameters):
"""Check the username for validity and fill in the DN if needed."""
# check username for validity
common.validate_name(parameters['username'])
# look up user DN
entry = passwd.uid2entry(self.conn, parameters['username'])
if not entry:
# FIXME: we should close the stream with an empty response here
raise ValueError('%r: user not found' % parameters['username'])
# save the DN
parameters['userdn'] = entry[0]
# get the "real" username
value = passwd.attmap.get_rdn_value(entry[0], 'uid')
if not value:
# get the username from the uid attribute
values = entry[1]['uid']
if not values or not values[0]:
logging.warning('%s: is missing a %s attribute', entry[0],
passwd.attmap['uid'])
value = values[0]
# check the username
if value and not common.is_valid_name(value):
raise ValueError('%s: has invalid %s attribute', entry[0],
passwd.attmap['uid'])
# check if the username is different and update it if needed
if value != parameters['username']:
logging.info('username changed from %r to %r',
parameters['username'], value)
parameters['username'] = value
def validate(self, parameters):
"""This method checks the provided username for validity and fills
in the DN if needed."""
# check username for validity
common.validate_name(parameters['username'])
# look up user DN
entry = passwd.uid2entry(self.conn, parameters['username'])
if not entry:
# FIXME: we should close the stream with an empty response here
raise ValueError('%r: user not found' % parameters['username'])
# save the DN
parameters['userdn'] = entry[0]
# get the "real" username
value = passwd.attmap.get_rdn_value(entry[0], 'uid')
if not value:
# get the username from the uid attribute
values = entry[1]['uid']
if not values or not values[0]:
logging.warning('%s: is missing a %s attribute', entry[0], passwd.attmap['uid'])
value = values[0]
# check the username
if value and not common.is_valid_name(value):
raise ValueError('%s: has invalid %s attribute', entry[0], passwd.attmap['uid'])
# check if the username is different and update it if needed
if value != parameters['username']:
logging.info('username changed from %r to %r', parameters['username'], value)
parameters['username'] = value
def convert(self, dn, attributes, parameters):
# get group names and check against requested group name
names = attributes['cn']
# get group password
try:
passwd = attributes['userPassword'][0]
except IndexError:
passwd = None
if not passwd or self.calleruid != 0:
passwd = '*'
# get group id(s)
gids = [int(x) for x in attributes['gidNumber']]
# build member list
members = set()
subgroups = []
seen = set([dn])
self.get_members(attributes, members, subgroups, seen)
# go over subgroups to find more members
while subgroups:
memberdn = subgroups.pop(0)
for dn2, attributes2 in self.search(self.conn, base=memberdn, scope=ldap.SCOPE_BASE):
self.get_members(attributes2, members, subgroups, seen)
# actually return the results
for name in names:
if not common.is_valid_name(name):
logging.warning('%s: %s: denied by validnames option', dn,
attmap['cn'])
else:
for gid in gids:
yield (name, passwd, gid, members)
def convert(self, dn, attributes, parameters):
# get group names and check against requested group name
names = attributes['cn']
# get group password
try:
passwd = attributes['userPassword'][0]
except IndexError:
passwd = None
if not passwd or self.calleruid != 0:
passwd = '*'
# get group id(s)
gids = [int(x) for x in attributes['gidNumber']]
# build member list
members = set()
subgroups = []
seen = set([dn])
self.get_members(attributes, members, subgroups, seen)
# go over subgroups to find more members
while subgroups:
memberdn = subgroups.pop(0)
for dn2, attributes2 in self.search(self.conn,
base=memberdn,
scope=ldap.SCOPE_BASE):
self.get_members(attributes2, members, subgroups, seen)
# actually return the results
for name in names:
if not common.is_valid_name(name):
logging.warning('%s: %s: denied by validnames option', dn,
attmap['cn'])
else:
for gid in gids:
yield (name, passwd, gid, members)
def get_members(self, attributes, members, subgroups, seen):
# add the memberUid values
for member in clean(attributes['memberUid']):
if common.is_valid_name(member):
members.add(member)
# translate and add the member values
if attmap['member']:
for memberdn in clean(attributes['member']):
if memberdn in seen:
continue
seen.add(memberdn)
member = passwd.dn2uid(self.conn, memberdn)
if member and common.is_valid_name(member):
members.add(member)
elif cfg.nss_nested_groups:
subgroups.append(memberdn)
def convert(self, dn, attributes, parameters):
names = attributes['uid']
try:
passwd = attributes['userPassword'][0]
except IndexError:
passwd = None
if not passwd or self.calleruid != 0:
passwd = '*'
# function for making an int
def mk_int(attr):
try:
return int(attr)
except TypeError:
return None
# get lastchange date
lastchangedate = mk_int(attributes.get('shadowLastChange', [0])[0])
# we expect an AD 64-bit datetime value;
# we should do date=date/864000000000-134774
# but that causes problems on 32-bit platforms,
# first we devide by 1000000000 by stripping the
# last 9 digits from the string and going from there */
if attmap['shadowLastChange'] == 'pwdLastSet':
lastchangedate = (lastchangedate / 864000000000) - 134774
# get longs
mindays = mk_int(attributes.get('shadowMin', [-1])[0])
maxdays = mk_int(attributes.get('shadowMax', [-1])[0])
warndays = mk_int(attributes.get('shadowWarning', [-1])[0])
inactdays = mk_int(attributes.get('shadowInactive', [-1])[0])
expiredate = mk_int(attributes.get('shadowExpire', [-1])[0])
flag = mk_int(attributes.get('shadowFlag', [0])[0])
if attmap['shadowFlag'] == 'pwdLastSet':
if flag & 0x10000:
maxdays = -1
flag = 0
# return results
for name in names:
if not common.is_valid_name(name):
logging.warning('%s: %s: denied by validnames option', dn,
attmap['uid'])
else:
yield (name, passwd, lastchangedate, mindays, maxdays,
warndays, inactdays, expiredate, flag)
def convert(self, dn, attributes, parameters):
names = attributes['uid']
if 'shadowAccount' in attributes['objectClass']:
passwd = 'x'
else:
try:
passwd = attributes['userPassword'][0]
except IndexError:
passwd = None
if not passwd or self.calleruid != 0:
passwd = '*'
uids = [int(x) for x in attributes['uidNumber']]
gid = int(attributes['gidNumber'][0])
gecos = attributes['gecos'][0]
home = attributes['homeDirectory'][0]
shell = attributes['loginShell'][0]
for name in names:
if not common.is_valid_name(name):
logging.warning('%s: %s: denied by validnames option', dn, attmap['uid'])
else:
for uid in uids:
if uid >= cfg.nss_min_uid:
yield (name, passwd, uid, gid, gecos, home, shell)
def convert(self, dn, attributes, parameters):
names = attributes['uid']
if 'shadowAccount' in attributes['objectClass']:
passwd = 'x'
else:
try:
passwd = attributes['userPassword'][0]
except IndexError:
passwd = None
if not passwd or self.calleruid != 0:
passwd = '*'
uids = [int(x) + cfg.nss_uid_offset for x in attributes['uidNumber']]
gid = int(attributes['gidNumber'][0]) + cfg.nss_gid_offset
gecos = attributes['gecos'][0]
home = attributes['homeDirectory'][0]
shell = attributes['loginShell'][0]
for name in names:
if not common.is_valid_name(name):
logging.warning('%s: %s: denied by validnames option', dn, attmap['uid'])
else:
for uid in uids:
if uid >= cfg.nss_min_uid:
yield (name, passwd, uid, gid, gecos, home, shell)
