Exemple #1
0
def getBackupConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
    ucr = ConfigRegistry()
    ucr.load()
    bindpw = open('/etc/ldap-backup.secret').read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    try:
        return access(host=ucr['ldap/master'],
                      port=port,
                      base=ucr['ldap/base'],
                      binddn='cn=backup,' + ucr['ldap/base'],
                      bindpw=bindpw,
                      start_tls=start_tls,
                      decode_ignorelist=decode_ignorelist,
                      reconnect=reconnect)
    except ldap.SERVER_DOWN:
        if not ucr['ldap/backup']:
            raise
        backup = ucr['ldap/backup'].split(' ')[0]
        return access(host=backup,
                      port=port,
                      base=ucr['ldap/base'],
                      binddn='cn=backup,' + ucr['ldap/base'],
                      bindpw=bindpw,
                      start_tls=start_tls,
                      decode_ignorelist=decode_ignorelist,
                      reconnect=reconnect)
Exemple #2
0
def main():
    """Retrive current Univention Directory Notifier transaction ID."""
    configRegistry = ConfigRegistry()
    configRegistry.load()

    master = configRegistry.get('ldap/master')
    if not master:
        print >> sys.stderr, 'Error: ldap/master not set'
        sys.exit(1)

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((master, 6669))

        sock.send('Version: 2\nCapabilities: \n\n')
        sock.recv(100)

        sock.send('MSGID: 1\nGET_ID\n\n')
        notifier_result = sock.recv(100)

        if notifier_result:
            print "%s" % notifier_result.splitlines()[1]
    except socket.error, ex:
        print >> sys.stderr, 'Error: %s' % (ex,)
        sys.exit(1)
Exemple #3
0
def main():
    """Retrive current Univention Directory Notifier transaction ID."""
    configRegistry = ConfigRegistry()
    configRegistry.load()

    master = configRegistry.get('ldap/master')
    if not master:
        print >> sys.stderr, 'Error: ldap/master not set'
        sys.exit(1)

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((master, 6669))

        sock.send('Version: 2\nCapabilities: \n\n')
        sock.recv(100)

        sock.send('MSGID: 1\nGET_ID\n\n')
        notifier_result = sock.recv(100)

        if notifier_result:
            print "%s" % notifier_result.splitlines()[1]
    except socket.error, ex:
        print >> sys.stderr, 'Error: %s' % (ex, )
        sys.exit(1)
def fetch_schema_from_local_ldap():
    ucr = ConfigRegistry()
    ucr.load()

    ldap_uri = 'ldap://%(hostname)s:%(domainname)s' % ucr

    return __fetch_schema_from_uri(ldap_uri)
Exemple #5
0
def handler(dn, new, old, command):

    configRegistry = ConfigRegistry()
    configRegistry.load()
    interfaces = Interfaces(configRegistry)

    # dymanic module object filter
    current_fqdn = "%s.%s" % (configRegistry['hostname'], domainname)
    current_ip = str(interfaces.get_default_ip_address().ip)

    new_univentionShareHost = new.get('univentionShareHost', [None])[0]
    if new and not new_univentionShareHost in (current_fqdn, current_ip):
        new = {}  ## new object is not for this host

    old_univentionShareHost = old.get('univentionShareHost', [None])[0]
    if old and not old_univentionShareHost in (current_fqdn, current_ip):
        old = {}  ## old object is not for this host

    if not (new or old):
        return

    # create tmp dir
    tmpDir = os.path.dirname(tmpFile)
    listener.setuid(0)
    try:
        if not os.path.exists(tmpDir):
            os.makedirs(tmpDir)
    except Exception, e:
        univention.debug.debug(
            univention.debug.LISTENER, univention.debug.ERROR,
            "%s: could not create tmp dir %s (%s)" % (name, tmpDir, str(e)))
        return
 def __init__(self,
              userdn=None,
              password=None,
              host='localhost',
              base=None,
              start_tls=2,
              access=None,
              format=None):
     self._cached = {}
     self._modules = {}
     self._policies = {}
     self._format = format
     self._bc = ConfigRegistry()
     self._bc.load()
     self.__reverse = {}
     if not base:
         self._base = self._bc['ldap/base']
     else:
         self._base = base
     self._position = ua_ldap.position(self._base)
     if access:
         self._access = access
     else:
         self._access = ua_ldap.access(host=host,
                                       base=self._base,
                                       binddn=userdn,
                                       bindpw=password,
                                       start_tls=start_tls)
     ua_modules.update()
class UCSResync(object):
    def __init__(self):
        self.configRegistry = ConfigRegistry()
        self.configRegistry.load()

        self.lo = univention.uldap.getMachineConnection()

    def _get_listener_dir(self):
        return self.configRegistry.get('connector/s4/listener/dir',
                                       '/var/lib/univention-connector/s4')

    def _generate_filename(self):
        directory = self._get_listener_dir()
        return os.path.join(directory, "%f" % time.time())

    def _dump_object_to_file(self, object_data):
        filename = self._generate_filename()
        with open(filename, 'wb+') as fd:
            os.chmod(filename, 0o600)
            p = pickle.Pickler(fd)
            p.dump(object_data)
            p.clear_memo()

    def _search_ldap_object_orig(self, ucs_dn):
        return self.lo.get(ucs_dn, attr=['*', '+'], required=True)

    def resync(self, ucs_dns=None, ldapfilter=None):
        treated_dns = []
        for dn, new in self.search_ldap(ucs_dns, ldapfilter):
            object_data = (dn, new, {}, None)
            self._dump_object_to_file(object_data)
            treated_dns.append(dn)

        return treated_dns

    def search_ldap(self, ucs_dns=None, ldapfilter=None):
        attr = ('*', '+')

        if ucs_dns:
            if not ldapfilter:
                ldapfilter = '(objectClass=*)'

            ldap_result = []
            missing_dns = []
            for targetdn in ucs_dns:
                try:
                    result = self.lo.search(base=targetdn,
                                            scope='base',
                                            filter=ldapfilter,
                                            attr=attr)
                    ldap_result.extend(result)
                except ldap.NO_SUCH_OBJECT:
                    missing_dns.append(targetdn)
            if missing_dns:
                raise ldap.NO_SUCH_OBJECT(1, 'No object: %s' % (missing_dns, ),
                                          [r[0] for r in ldap_result])
        else:
            ldap_result = self.lo.search(filter=ldapfilter, attr=attr)

        return ldap_result
def getAdminConnection(
        start_tls=2,
        decode_ignorelist=[],
        reconnect=True):  # type: (int, List[str], bool) -> access
    """
	Open a LDAP connection to the Master LDAP server using the admin credentials.

	:param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
	:param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
	:type decode_ignorelist: list[str]
	:param bool reconnect: Automatically reconect if the connection fails.
	:return: A LDAP access object.
	:rtype: univention.uldap.access
	"""
    ucr = ConfigRegistry()
    ucr.load()
    bindpw = open('/etc/ldap.secret').read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    return access(host=ucr['ldap/master'],
                  port=port,
                  base=ucr['ldap/base'],
                  binddn='cn=admin,' + ucr['ldap/base'],
                  bindpw=bindpw,
                  start_tls=start_tls,
                  decode_ignorelist=decode_ignorelist,
                  reconnect=reconnect)
Exemple #9
0
    def __init__(self,
                 listener,
                 name,
                 attrs,
                 ldap_cred,
                 dn,
                 adconnection_alias=None):
        """
		:param listener: listener object or None
		:param name: str, prepend to log messages
		:param attrs: {"listener": [attributes, listener, listens, on], ... }
		:param ldap_cred: {ldapserver: FQDN, binddn: cn=admin,$ldap_base, basedn: $ldap_base, bindpw: s3cr3t} or None
		:param dn of LDAP object to work on
		"""
        self.listener = listener
        self.attrs = attrs
        self.udm = UDMHelper(ldap_cred, adconnection_alias)
        # self.ldap_cred = ldap_cred
        self.dn = dn
        self.adconnection_alias = adconnection_alias
        logger.debug('adconnection_alias=%r', adconnection_alias)

        if self.listener:
            self.ucr = self.listener.configRegistry
        else:
            # allow use of this class outside listener
            from univention.config_registry import ConfigRegistry
            self.ucr = ConfigRegistry()
        self.ucr.load()

        self.not_migrated_to_v3 = self.ucr.is_false(
            'office365/migrate/adconnectionalias')

        self.ah = AzureHandler(self.ucr, name, self.adconnection_alias)
def connect(options):
	print(time.ctime())

	ucr = ConfigRegistry()
	ucr.load()

	poll_sleep = int(ucr['%s/ad/poll/sleep' % options.configbasename])
	ad_init = None
	while not ad_init:
		try:
			ad = univention.connector.ad.ad.main(ucr, options.configbasename, logfilename=options.log_file, debug_level=options.debug)
			ad.init_ldap_connections()
			ad.init_group_cache()
			ad_init = True
		except ldap.SERVER_DOWN:
			print("Warning: Can't initialize LDAP-Connections, wait...")
			sys.stdout.flush()
			time.sleep(poll_sleep)

	# log the active mapping
	with open('/var/log/univention/%s-ad-mapping.log' % options.configbasename, 'w+') as fd:
		print(repr(univention.connector.Mapping(ad.property)), file=fd)

	with ad as ad:
		_connect(ad, poll_sleep, ucr.get('%s/ad/retryrejected' % options.configbasename, 10))
def parse_args():
    usage = '%prog [options] [master]'
    desc = sys.modules[__name__].__doc__
    parser = OptionParser(usage=usage, description=desc)
    parser.add_option('-m',
                      '--master',
                      dest='master',
                      help='LDAP Server address')
    parser.add_option('-s',
                      '--shema',
                      dest='cmd',
                      action='store_const',
                      const='GET_SCHEMA_ID',
                      default='GET_ID',
                      help='Fetch LDAP Schema ID')
    (options, args) = parser.parse_args()

    if not options.master:
        if args:
            try:
                options.master, = args
            except ValueError:
                parser.error('incorrect number of arguments')
        else:
            from univention.config_registry import ConfigRegistry
            configRegistry = ConfigRegistry()
            configRegistry.load()
            options.master = configRegistry.get('ldap/master')

    if not options.master:
        parser.error('ldap/master or --master not set')

    return options
Exemple #12
0
def getBackupConnection(start_tls=2, decode_ignorelist=[]):
    ucr = ConfigRegistry()
    ucr.load()
    bindpw = open("/etc/ldap-backup.secret").read()
    if bindpw[-1] == "\n":
        bindpw = bindpw[0:-1]
    port = int(ucr.get("ldap/master/port", "7389"))
    try:
        lo = access(
            host=ucr["ldap/master"],
            port=port,
            base=ucr["ldap/base"],
            binddn="cn=backup," + ucr["ldap/base"],
            bindpw=bindpw,
            start_tls=start_tls,
            decode_ignorelist=decode_ignorelist,
        )
    except ldap.SERVER_DOWN, e:
        if ucr["ldap/backup"]:
            backup = string.split(ucr["ldap/backup"], " ")[0]
            lo = access(
                host=backup,
                port=port,
                base=ucr["ldap/base"],
                binddn="cn=backup," + ucr["ldap/base"],
                bindpw=bindpw,
                start_tls=start_tls,
                decode_ignorelist=decode_ignorelist,
            )
        else:
            raise ldap.SERVER_DOWN, e
Exemple #13
0
def getBackupConnection(start_tls=2, decode_ignorelist=[]):
    ucr = ConfigRegistry()
    ucr.load()
    bindpw = open('/etc/ldap-backup.secret').read()
    if bindpw[-1] == '\n':
        bindpw = bindpw[0:-1]
    port = int(ucr.get('ldap/master/port', '7389'))
    try:
        lo = access(host=ucr['ldap/master'],
                    port=port,
                    base=ucr['ldap/base'],
                    binddn='cn=backup,' + ucr['ldap/base'],
                    bindpw=bindpw,
                    start_tls=start_tls,
                    decode_ignorelist=decode_ignorelist)
    except ldap.SERVER_DOWN, e:
        if ucr['ldap/backup']:
            backup = string.split(ucr['ldap/backup'], ' ')[0]
            lo = access(host=backup,
                        port=port,
                        base=ucr['ldap/base'],
                        binddn='cn=backup,' + ucr['ldap/base'],
                        bindpw=bindpw,
                        start_tls=start_tls,
                        decode_ignorelist=decode_ignorelist)
        else:
            raise ldap.SERVER_DOWN, e
Exemple #14
0
def handler(dn, new, old, command):

	configRegistry = ConfigRegistry()
	configRegistry.load()
	interfaces = Interfaces(configRegistry)

	# dymanic module object filter
	current_fqdn = "%s.%s" % (configRegistry['hostname'], domainname)
	current_ip = str(interfaces.get_default_ip_address().ip)

	new_univentionShareHost = new.get('univentionShareHost', [None])[0]
	if new and not new_univentionShareHost in (current_fqdn, current_ip):
		new = {}	## new object is not for this host

	old_univentionShareHost = old.get('univentionShareHost', [None])[0]
	if old and not old_univentionShareHost in (current_fqdn, current_ip):
		old = {}	## old object is not for this host

	if not (new or old):
		return

	# create tmp dir
	tmpDir = os.path.dirname(tmpFile)
	listener.setuid(0)
	try:
		if not os.path.exists(tmpDir):
			os.makedirs(tmpDir)
	except Exception, e:
		univention.debug.debug(
			univention.debug.LISTENER, univention.debug.ERROR,
			"%s: could not create tmp dir %s (%s)" % (name, tmpDir, str(e)))
		return
Exemple #15
0
def call_unjoin_script(unjoin_script_name):
	print('call_unjoin_script(%r)' % (unjoin_script_name,))
	ucr = ConfigRegistry()
	ucr.load()

	join_script = '/usr/lib/univention-uninstall/%s' % unjoin_script_name

	return subprocess.call([join_script, '--binddn', ucr.get('tests/domainadmin/account'), '--bindpwdfile', ucr.get('tests/domainadmin/pwdfile')], shell=False)
Exemple #16
0
 def __init__(self):
     """Test Class constructor"""
     self.username = None
     self.password = None
     self.hostname = None
     self.client = None
     self.ucr = ConfigRegistry()
     self.ucr.load()
     self.ldap_base = self.ucr.get('ldap/base')
Exemple #17
0
def call_join_script(name, fail_on_error=True):
	# type: (str, bool) -> int
	"""
	Calls the given join script (e.g. name='66foobar.inst').
	If fail is true, then the function fail() is called if the exitcode is not zero.
	"""
	ucr = ConfigRegistry()
	ucr.load()
	return call_cmd(['/usr/lib/univention-install/%s' % name, '--binddn', ucr.get('tests/domainadmin/account'), '--bindpwdfile', ucr.get('tests/domainadmin/pwdfile')], fail_on_error=fail_on_error)
Exemple #18
0
    def __init__(self,
                 host='localhost',
                 port=None,
                 base='',
                 binddn='',
                 bindpw='',
                 start_tls=2,
                 ca_certfile=None,
                 decode_ignorelist=[],
                 use_ldaps=False,
                 uri=None,
                 follow_referral=False):
        """start_tls = 0 (no); 1 (try); 2 (must)"""
        ucr = None
        self.host = host
        self.base = base
        self.binddn = binddn
        self.bindpw = bindpw
        self.start_tls = start_tls
        self.ca_certfile = ca_certfile

        self.port = port

        if not self.port:  ## if no explicit port is given
            ucr = ConfigRegistry()
            ucr.load()
            self.port = int(ucr.get('ldap/server/port',
                                    7389))  ## take UCR value
            if use_ldaps and self.port == "7389":  ## adjust the standard port for ssl
                self.port = "7636"

        # http://www.openldap.org/faq/data/cache/605.html
        self.protocol = 'ldap'
        if use_ldaps:
            self.protocol = 'ldaps'
            self.uri = 'ldaps://%s:%s" % (self.host, self.port)'
        elif uri:
            self.uri = uri
        else:
            self.uri = "ldap://%s:%s" % (self.host, self.port)

        if not decode_ignorelist or decode_ignorelist == []:
            if not ucr:
                ucr = ConfigRegistry()
                ucr.load()
            self.decode_ignorelist = ucr.get(
                'ldap/binaryattributes',
                'krb5Key,userCertificate;binary').split(',')
        else:
            self.decode_ignorelist = decode_ignorelist

        # python-ldap does not cache the credentials, so we override the
        # referral handling if follow_referral is set to true
        #  https://forge.univention.org/bugzilla/show_bug.cgi?id=9139
        self.follow_referral = follow_referral

        self.__open(ca_certfile)
 def load(self):
     # type: () -> None
     """ call load() of superclass and save original registry values """
     ConfigRegistry.load(self)
     if self.__original_registry is None:
         self.__original_registry = {
             regtype: copy.deepcopy(dict(reg))
             for (regtype, reg) in self._walk()
         }
Exemple #20
0
	def __init__(self, name, version, container_version=None, app_directory_suffix=None, package_name=None, build_package=True, call_join_scripts=True):
		self.app_name = name
		self.app_version = version
		self.call_join_scripts = call_join_scripts

		if not app_directory_suffix:
			self.app_directory_suffix = random_version()
		else:
			self.app_directory_suffix = app_directory_suffix

		self.app_directory = '%s_%s' % (self.app_name, self.app_directory_suffix)

		if package_name:
			self.package_name = package_name
		else:
			self.package_name = get_app_name()

		self.package_version = '%s.%s' % (version, get_app_version())

		self.ucr = ConfigRegistry()
		self.ucr.load()

		if build_package:
			self.package = DebianPackage(name=self.package_name, version=self.package_version)
			self.package.build()
		else:
			self.package = None

		self.ini = {}

		self.ini['ID'] = self.app_name
		self.ini['Code'] = self.app_name[0:2]
		self.ini['Name'] = self.app_name
		self.ini['Version'] = self.app_version
		self.ini['NotifyVendor'] = False
		self.ini['Categories'] = 'System services'
		self.ini['Logo'] = '%s.svg' % self.app_name
		if self.package:
			self.ini['DefaultPackages'] = self.package_name
		self.ini['ServerRole'] = 'domaincontroller_master,domaincontroller_backup,domaincontroller_slave,memberserver'

		self.scripts = {}

		if not container_version:
			self.ucs_version = self.ucr.get('version/version')
		else:
			self.ucs_version = container_version
			self.ini['SupportedUCSVersions'] = '%s-0,%s-0' % (container_version, self.ucr.get('version/version'))

		self.installed = False

		self.admin_user = self.ucr.get('tests/domainadmin/account').split(',')[0][len('uid='):]
		self.admin_pwdfile = self.ucr.get('tests/domainadmin/pwdfile')

		print repr(self)
    def __init__(self):
        self.configRegistry = ConfigRegistry()
        self.configRegistry.load()

        lp = LoadParm()
        creds = Credentials()
        creds.guess(lp)
        self.samdb = SamDB(url='/var/lib/samba/private/sam.ldb',
                           session_info=system_session(),
                           credentials=creds,
                           lp=lp)
Exemple #22
0
    def config():
        """Test wide Configuration aka UCR
		Used to get some defaults if not environment variables are
		given. But if UCR is not avaiable, returns an empty dict...
		"""
        try:
            from univention.config_registry import ConfigRegistry
            ucr = ConfigRegistry()
            ucr.load()
            return dict(ucr)
        except ImportError:
            return {}
Exemple #23
0
def postrun():
	ucr = ConfigRegistry()
	ucr.load()

	if ucr.is_true("dhcpd/autostart", False):
		if ucr.is_true('dhcpd/restart/listener', False):
			ud.debug(ud.LISTENER, ud.INFO, 'DHCP: Restarting server')
			try:
				listener.run('/etc/init.d/univention-dhcp', ['univention-dhcp', 'restart'], uid=0)
			except Exception, e:
				ud.debug(ud.ADMIN, ud.WARN, 'The restart of the DHCP server failed: %s' % str(e))
		else:
			ud.debug(ud.ADMIN, ud.INFO, 'DHCP: the automatic restart of the dhcp server by the listener is disabled. Set dhcpd/restart/listener to true to enable this option.')
def get_query_limit():
    ucr = ConfigRegistry()
    ucr.load()
    limit = ucr.get('admin/diary/query/limit', '')
    default_limit = 1000
    try:
        limit = int(limit)
    except ValueError:
        limit = default_limit
    else:
        if limit < 0:
            limit = default_limit
    return limit
Exemple #25
0
    def create_udm_adconnection(cls, alias, description=""):
        ucr = ConfigRegistry()
        ucr.load()

        lo, po, mod = cls.init_udm("office365/ad-connection")
        po = univention.admin.uldap.position(
            "cn=ad-connections,cn=office365,%s" % ucr["ldap/base"])
        adconn = mod.object(co=None, lo=lo, position=po)
        adconn.open()
        adconn['name'] = alias
        adconn['description'] = description
        dn = adconn.create()
        return dn
Exemple #26
0
def getAdminConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
    ucr = ConfigRegistry()
    ucr.load()
    bindpw = open('/etc/ldap.secret').read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    return access(host=ucr['ldap/master'],
                  port=port,
                  base=ucr['ldap/base'],
                  binddn='cn=admin,' + ucr['ldap/base'],
                  bindpw=bindpw,
                  start_tls=start_tls,
                  decode_ignorelist=decode_ignorelist,
                  reconnect=reconnect)
Exemple #27
0
    def __init__(self):
        """
		Test class constructor
		"""
        self.UCR = ConfigRegistry()
        self.client = None

        self.admin_username = ''
        self.admin_password = ''

        self.ldap_master = ''

        self.gpo_reference = ''
Exemple #28
0
class TransactionalUcr(object):

	def __init__(self):
		self.ucr = ConfigRegistry()
		self.ucr.load()
		self.changes = {}

	def set(self, key, value):
		'''
		Set the value of key of UCR.
		Does not save immediately.
		commit() is called at the end of inner_run(). If you need to commit
		changes immediately, you can call commit() at any time.
		'''
		orig_val = self.ucr.get(key)
		if orig_val == value:
			# in case it was overwritten previously
			self.changes.pop(key, None)
		else:
			self.changes[key] = value

	def commit(self):
		'''
		Saves UCR variables previously set by set_ucr_var(). Also commits
		changes (if done any). Is called automatically *if inner_run() did not
		raise an exception*. You can call it manually if you need to
		do it (e.g. in down()).
		'''
		if self.changes:
			ucr_update(self.ucr, self.changes)
			# reset (in case it is called multiple) times in a script
			self.changes.clear()

	def get(self, key, search_in_changes=True):
		'''
		Retrieve the value of key from ucr.
		If search_in_changes, it first looks in (not yet committed) values.
		'''
		if search_in_changes:
			try:
				return self.changes[key]
			except KeyError:
				pass
		return self.ucr.get(key)

	def __enter__(self):
		return self

	def __exit__(self, exc_type, exc_value, traceback):
		if exc_type is None:
			self.commit()
def getMachineConnection(start_tls=2, decode_ignorelist=[], ldap_master=True, secret_file="/etc/machine.secret", reconnect=True):
	ucr = ConfigRegistry()
	ucr.load()

	bindpw = open(secret_file).read().rstrip('\n')

	if ldap_master:
		# Connect to DC Master
		port = int(ucr.get('ldap/master/port', '7389'))
		return access(host=ucr['ldap/master'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
	else:
		# Connect to ldap/server/name
		port = int(ucr.get('ldap/server/port', '7389'))
		try:
			return access(host=ucr['ldap/server/name'], port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
		except ldap.SERVER_DOWN as exc:
			# ldap/server/name is down, try next server
			if not ucr.get('ldap/server/addition'):
				raise
			servers = ucr.get('ldap/server/addition', '')
			for server in servers.split():
				try:
					return access(host=server, port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
				except ldap.SERVER_DOWN:
					pass
			raise exc
Exemple #30
0
def getAdminConnection(start_tls=2, decode_ignorelist=[]):
    ucr = ConfigRegistry()
    ucr.load()
    bindpw = open('/etc/ldap.secret').read()
    if bindpw[-1] == '\n':
        bindpw = bindpw[0:-1]
    port = int(ucr.get('ldap/master/port', '7389'))
    lo = access(host=ucr['ldap/master'],
                port=port,
                base=ucr['ldap/base'],
                binddn='cn=admin,' + ucr['ldap/base'],
                bindpw=bindpw,
                start_tls=start_tls,
                decode_ignorelist=decode_ignorelist)
    return lo
def write_cron_job(configRegistry: ConfigRegistry, cron: str, updateto: str,
                   reboot: str, try_release_update: bool) -> None:
    with open(CRON_D, 'w') as file:
        file.write('# cron job for update\n')
        file.write('PATH=/sbin:/usr/sbin:/usr/bin:/bin\n')
        if cron == '* * * * * ':
            return
        cmd = ['/usr/sbin/jitter 600 true']
        if try_release_update:
            cmd.append(
                '/usr/share/univention-updater/univention-updater %s %s --silent --noninteractive'
                % (
                    'local'
                    if configRegistry.is_true('local/repository') else 'net',
                    '--updateto=%s' % (quote(updateto), ) if updateto else '',
                ))
        cmd.append(
            '/usr/share/univention-updater/univention-actualise --dist-upgrade --silent'
        )
        if reboot:
            cmd.append(
                'if [ -f /run/univention-updater-reboot ];then '
                'at -f /var/lib/univention-updater/reboot.at -- %s 2>/dev/null;'
                'rm -f /run/univention-updater-reboot;'
                'fi' % (quote(reboot), ))
        print('%s\troot\t%s' % (cron, ';'.join(cmd)), file=file)
Exemple #32
0
 def _get_ldap_connection(cls, ldap_cred=None):
     if ldap_cred and not cls.ldap_cred:
         cls.ldap_cred = ldap_cred
     if not cls.lo or not cls.po:
         if cls.ldap_cred:
             cls.lo = univention.admin.uldap.access(
                 host=cls.ldap_cred["ldapserver"],
                 base=cls.ldap_cred["basedn"],
                 binddn=cls.ldap_cred["binddn"],
                 bindpw=cls.ldap_cred["bindpw"])
             ucr = ConfigRegistry()
             ucr.load()
             cls.po = univention.admin.uldap.position(ucr["ldap/base"])
         else:
             cls.lo, cls.po = univention.admin.uldap.getAdminConnection()
     return cls.lo, cls.po
Exemple #33
0
	def set_ucs_overview_link(cls):
		from univention.config_registry import ConfigRegistry
		ucr = ConfigRegistry()
		ucr.load()

		sp_query_string = "?spentityid=urn:federation:MicrosoftOnline"
		sp_link = "https://{}/simplesamlphp/saml2/idp/SSOService.php{}".format(ucr["ucs/server/sso/fqdn"], sp_query_string)
		ucr_update(ucr, {
			"ucs/web/overview/entries/service/office365/description": "Single Sign-On login for Microsoft Office 365",
			"ucs/web/overview/entries/service/office365/label": "Office 365 Login",
			"ucs/web/overview/entries/service/office365/link": sp_link,
			"ucs/web/overview/entries/service/office365/description/de": "Single-Sign-On Link für Microsoft Office 365",
			"ucs/web/overview/entries/service/office365/label/de": "Office 365 Login",
			"ucs/web/overview/entries/service/office365/priority": "50",
			"ucs/web/overview/entries/service/office365/icon": "/office365.png"
		})
def __fetch_schema_from_uri(ldap_uri):
    ucr = ConfigRegistry()
    ucr.load()

    retry = ucr.get('ldap/client/retry/count', 15)
    attempts = int(retry) + 1

    i = 0
    while i < attempts:
        try:
            return ldap.schema.subentry.urlfetch(ldap_uri)
        except ldap.SERVER_DOWN:
            if i >= (attempts - 1):
                raise
            time.sleep(1)
        i += 1
Exemple #35
0
    def __init__(
        self,
        host="localhost",
        port=None,
        base="",
        binddn="",
        bindpw="",
        start_tls=2,
        ca_certfile=None,
        decode_ignorelist=[],
        use_ldaps=False,
        uri=None,
        follow_referral=False,
    ):
        """start_tls = 0 (no); 1 (try); 2 (must)"""
        ucr = None
        self.host = host
        self.base = base
        self.binddn = binddn
        self.bindpw = bindpw
        self.start_tls = start_tls
        self.ca_certfile = ca_certfile

        self.port = port

        if not self.port:  ## if no explicit port is given
            ucr = ConfigRegistry()
            ucr.load()
            self.port = int(ucr.get("ldap/server/port", 7389))  ## take UCR value
            if use_ldaps and self.port == "7389":  ## adjust the standard port for ssl
                self.port = "7636"

                # http://www.openldap.org/faq/data/cache/605.html
        self.protocol = "ldap"
        if use_ldaps:
            self.protocol = "ldaps"
            self.uri = 'ldaps://%s:%s" % (self.host, self.port)'
        elif uri:
            self.uri = uri
        else:
            self.uri = "ldap://%s:%s" % (self.host, self.port)

        if not decode_ignorelist or decode_ignorelist == []:
            if not ucr:
                ucr = ConfigRegistry()
                ucr.load()
            self.decode_ignorelist = ucr.get("ldap/binaryattributes", "krb5Key,userCertificate;binary").split(",")
        else:
            self.decode_ignorelist = decode_ignorelist

            # python-ldap does not cache the credentials, so we override the
            # referral handling if follow_referral is set to true
            #  https://forge.univention.org/bugzilla/show_bug.cgi?id=9139
        self.follow_referral = follow_referral

        self.__open(ca_certfile)
Exemple #36
0
def getAdminConnection(start_tls=2, decode_ignorelist=[]):
    ucr = ConfigRegistry()
    ucr.load()
    bindpw = open("/etc/ldap.secret").read()
    if bindpw[-1] == "\n":
        bindpw = bindpw[0:-1]
    port = int(ucr.get("ldap/master/port", "7389"))
    lo = access(
        host=ucr["ldap/master"],
        port=port,
        base=ucr["ldap/base"],
        binddn="cn=admin," + ucr["ldap/base"],
        bindpw=bindpw,
        start_tls=start_tls,
        decode_ignorelist=decode_ignorelist,
    )
    return lo
Exemple #37
0
def getMachineConnection(start_tls=2, decode_ignorelist=[], ldap_master=True, secret_file="/etc/machine.secret"):
    ucr = ConfigRegistry()
    ucr.load()

    bindpw = open(secret_file).read()
    if bindpw[-1] == "\n":
        bindpw = bindpw[0:-1]

    if ldap_master:
        # Connect to DC Master
        port = int(ucr.get("ldap/master/port", "7389"))
        lo = access(
            host=ucr["ldap/master"],
            port=port,
            base=ucr["ldap/base"],
            binddn=ucr["ldap/hostdn"],
            bindpw=bindpw,
            start_tls=start_tls,
            decode_ignorelist=decode_ignorelist,
        )
    else:
        # Connect to ldap/server/name
        port = int(ucr.get("ldap/server/port", "7389"))
        try:
            lo = access(
                host=ucr["ldap/server/name"],
                port=port,
                base=ucr["ldap/base"],
                binddn=ucr["ldap/hostdn"],
                bindpw=bindpw,
                start_tls=start_tls,
                decode_ignorelist=decode_ignorelist,
            )
        except ldap.SERVER_DOWN, e:
            # ldap/server/name is down, try next server
            if not ucr.get("ldap/server/addition"):
                raise ldap.SERVER_DOWN, e
            for server in ucr.get("ldap/server/addition", []):
                try:
                    lo = access(
                        host=server,
                        port=port,
                        base=ucr["ldap/base"],
                        binddn=ucr["ldap/hostdn"],
                        bindpw=bindpw,
                        start_tls=start_tls,
                        decode_ignorelist=decode_ignorelist,
                    )
                except ldap.SERVER_DOWN, e:
                    pass
                else:
                    return lo
            raise ldap.SERVER_DOWN, e
Exemple #38
0
	def _load_ucr(self):
		"""Load Univention Config Registry informations."""
		self.ucr = ConfigRegistry()
		self.ucr.load()
		self.role = self.ucr.get('server/role', '')
		TestEnvironment.logger.debug('Role=%r' % self.role)

		version = self.ucr.get('version/version').split('.', 1)
		major, minor = int(version[0]), int(version[1])
		patchlevel = int(self.ucr.get('version/patchlevel'))
		if (major, minor) < (3, 0):
			securitylevel = int(self.ucr.get('version/security-patchlevel', 0))
			self.ucs_version = UCSVersion((major, minor, patchlevel,
				securitylevel))
		else:
			erratalevel = int(self.ucr.get('version/erratalevel', 0))
			self.ucs_version = UCSVersion((major, minor, patchlevel,
				erratalevel))
		TestEnvironment.logger.debug('Version=%r' % self.ucs_version)
Exemple #39
0
def handler(dn, new, old):
	"""Called on each change."""
	ucr = ConfigRegistry()
	ucr.load()
	value = ucr.get('uvmm/managers','')
	debug.debug(debug.LISTENER, debug.ALL, "old hosts: %s" % value)
	tls_allowed_dn_list = value.split()

	old_host = None
	if old and service_names & set(old.get('univentionService', [])):
		try:
			domain = old['associatedDomain'][0]
		except KeyError:
			domain = ucr.get('domainname')
		old_host = "%s.%s" % (old['cn'][0], domain)
		if old_host in tls_allowed_dn_list:
			debug.debug(debug.LISTENER, debug.INFO, "removing host %s" % (old_host,))
			tls_allowed_dn_list.remove(old_host)
	new_host = None
	if new and service_names & set(new.get('univentionService', [])):
		try:
			domain = new['associatedDomain'][0]
		except KeyError:
			domain = ucr.get('domainname')
		new_host = "%s.%s" % (new['cn'][0], domain)
		debug.debug(debug.LISTENER, debug.INFO, "+uvmm %s" % (new_host,))
		if new_host not in tls_allowed_dn_list:
			debug.debug(debug.LISTENER, debug.INFO, "adding host %s" % (new_host,))
			tls_allowed_dn_list.append(new_host)

	if old_host != new_host:
		value = ' '.join(tls_allowed_dn_list)
		debug.debug(debug.LISTENER, debug.ALL, "new hosts: %s" % value)
		key_value = 'uvmm/managers=%s' % (value,)
		listener.setuid(0)
		try:
			handler_set([key_value])
			global need_restart
			need_restart = True
		finally:
			listener.unsetuid()
Exemple #40
0
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

# This file is part of univention-lib and have to contain python2.4 valid code

from univention.config_registry import ConfigRegistry

from ConfigParser import ConfigParser
import os
import re
import shlex
import string
import sys

# defaults
ucr	= ConfigRegistry()

# global hashes
include = set()
shares = {}
globals = {}
printers = {}

ucr.load()

class Restrictions( dict ):
	INVALID_USERS = 'invalid users'
	VALID_USERS = 'valid users'
	HOSTS_DENY = 'hosts deny'
	HOSTS_ALLOW = 'hosts allow'
Exemple #41
0
class TestEnvironment(object):
	"""Test environment for running test cases.

	Handels system data, requirements checks, test output.
	"""

	logger = logging.getLogger('test.env')

	def __init__(self, interactive=True, logfile=None):
		self.exposure = 'safe'
		self.interactive = interactive

		self._load_host()
		self._load_ucr()
		self._load_join()
		self._load_apt()

		if interactive:
			self.tags_required = None
			self.tags_prohibited = None
		else:
			self.tags_required = set()
			self.tags_prohibited = set(('SKIP', 'WIP'))

		self.log = open(logfile or os.path.devnull, 'a')

	def _load_host(self):
		"""Load host system informations."""
		(_sysname, nodename, _release, _version, machine) = os.uname()
		self.hostname = nodename
		self.architecture = machine

	def _load_ucr(self):
		"""Load Univention Config Registry informations."""
		self.ucr = ConfigRegistry()
		self.ucr.load()
		self.role = self.ucr.get('server/role', '')
		TestEnvironment.logger.debug('Role=%r' % self.role)

		version = self.ucr.get('version/version').split('.', 1)
		major, minor = int(version[0]), int(version[1])
		patchlevel = int(self.ucr.get('version/patchlevel'))
		if (major, minor) < (3, 0):
			securitylevel = int(self.ucr.get('version/security-patchlevel', 0))
			self.ucs_version = UCSVersion((major, minor, patchlevel,
				securitylevel))
		else:
			erratalevel = int(self.ucr.get('version/erratalevel', 0))
			self.ucs_version = UCSVersion((major, minor, patchlevel,
				erratalevel))
		TestEnvironment.logger.debug('Version=%r' % self.ucs_version)

	def _load_join(self):
		"""Load join status."""
		devnull = open(os.path.devnull, 'w+')
		try:
			ret = call(('/usr/sbin/univention-check-join-status',),
					stdin=devnull, stdout=devnull, stderr=devnull)
			self.joined = ret == 0
		finally:
			devnull.close()
		TestEnvironment.logger.debug('Join=%r' % self.joined)

	def _load_apt(self):
		"""Load package informations."""
		self.apt = apt.Cache()

	def dump(self, stream=sys.stdout):
		"""Dump environment informations."""
		print >> stream, 'hostname: %s' % (self.hostname,)
		print >> stream, 'architecture: %s' % (self.architecture,)
		print >> stream, 'version: %s' % (self.ucs_version,)
		print >> stream, 'role: %s' % (self.role,)
		print >> stream, 'joined: %s' % (self.joined,)
		print >> stream, 'tags_required: %s' % \
				(' '.join(self.tags_required) or '-',)
		print >> stream, 'tags_prohibited: %s' % \
				(' '.join(self.tags_prohibited) or '-',)

	def tag(self, require=set(), ignore=set(), prohibit=set()):
		"""Update required, ignored, prohibited tags."""
		if self.tags_required is not None:
			self.tags_required -= set(ignore)
			self.tags_required |= set(require)
		if self.tags_prohibited is not None:
			self.tags_prohibited -= set(ignore)
			self.tags_prohibited |= set(prohibit)
		TestEnvironment.logger.debug('tags_required=%r tags_prohibited=%r' % \
				(self.tags_required, self.tags_prohibited))

	def set_exposure(self, exposure):
		"""Set maximum allowed exposure level."""
		self.exposure = exposure
Exemple #42
0
def handler(*args, **kw):
    log.info("kolab.handler(args(%d): %r, kw: %r)" % (len(args), args, kw))

    auth = Auth()
    auth.connect()

    if len(args) == 4:
        # moddn
        dn = args[0]
        new = utils.normalize(args[1])
        old = utils.normalize(args[2])
        command = args[4]
        pass

    elif len(args) == 3:
        dn = args[0]
        new = utils.normalize(args[1])
        old = utils.normalize(args[2])

        if isinstance(old, dict) and len(old.keys()) > 0:
            # Two options:
            # - entry changed
            # - entry deleted
            log.info("user %r, old is dict" % (dn))

            if isinstance(new, dict) and len(new.keys()) > 0:
                log.info("Modify entry %r" % (dn))

                mailserver_attribute = conf.get('ldap', 'mailserver_attribute').lower()

                if mailserver_attribute == None:
                    log.error("Mail server attribute is not set")
                    return

                if old.has_key(mailserver_attribute):
                    log.info("Modified entry %r has mail server attribute %s: %r" % (dn, mailserver_attribute, new[mailserver_attribute]))

                    if not old[mailserver_attribute] == constants.fqdn:
                        # Even though the new mailserver can be us, it is the
                        # *current* mail server that needs to push for the XFER.
                        log.info("The mail server for user %r is set, and it is not me (%r)" % (dn, old[mailserver_attribute]))
                        return

                else:
                    # If old has no mailserver attribute, but new does, we need to create
                    # the user locally.
                    if new.has_key(mailserver_attribute):
                        if not new[mailserver_attribute] == constants.fqdn:
                            log.info("The mail server for user %r is set (in new, not old), but it is not me (%r)" % (dn, new[mailserver_attribute]))
                            return
                    else:
                        log.info("Entry %r does not have a mail server attribute." % (dn))
                        return

                auth._auth._synchronize_callback(
                        change_type = 'modify',
                        previous_dn = None,
                        change_number = None,
                        dn = dn,
                        entry = new
                    )

            else:
                log.info("Delete entry %r" % (dn))

                # See if the mailserver_attribute exists
                mailserver_attribute = conf.get('ldap', 'mailserver_attribute').lower()

                if mailserver_attribute == None:
                    log.error("Mail server attribute is not set")
                    # TODO: Perhaps, query for IMAP servers. If there is only one,
                    #       we know what to do.
                    return

                if old.has_key(mailserver_attribute):
                    log.info("Deleted entry %r has mail server attribute %s: %r" % (dn, mailserver_attribute, old[mailserver_attribute]))

                    if not old[mailserver_attribute] == constants.fqdn:
                        log.info("The mail server for user %r is set, and it is not me (%r)" % (dn, old[mailserver_attribute]))
                        return

                else:
                    log.info("Entry deletion notification for %r does not have a mail server attribute specified." % (dn))

                cfg = ConfigRegistry()
                cfg.load()

                if cfg.is_true('mail/cyrus/mailbox/delete', True):
                    auth._auth._synchronize_callback(
                            change_type = 'delete',
                            previous_dn = None,
                            change_number = None,
                            dn = dn,
                            entry = old
                        )

        elif isinstance(new, dict) and len(new.keys()) > 0:
            # Old is not a dict (or empty), so the entry is just created
            log.info("Add entry %r" % (dn))

            # See if the mailserver_attribute exists
            mailserver_attribute = conf.get('ldap', 'mailserver_attribute').lower()

            if mailserver_attribute == None:
                log.error("Mail server attribute is not set")
                # TODO: Perhaps, query for IMAP servers. If there is only one,
                #       we know what to do.
                return

            if new.has_key(mailserver_attribute):
                log.info("Added entry %r has mail server attribute %s: %r" % (dn, mailserver_attribute, new[mailserver_attribute]))

                if not new[mailserver_attribute] == constants.fqdn:
                    log.info("The mail server for user %r is set, and it is not me (%r)" % (dn, new[mailserver_attribute]))
                    return

            else:
                log.info("Added entry %r does not have a mail server attribute set." % (dn))
                return

            auth._auth._synchronize_callback(
                    change_type = 'add',
                    previous_dn = None,
                    change_number = None,
                    dn = dn,
                    entry = new
                )

        else:
            log.info("entry %r changed, but no new or old attributes" % (dn))
Exemple #43
0
if __name__ == '__main__':
	from optparse import OptionParser
	parser = OptionParser(usage="%prog [-h|--help] [--direct-resync]")
	parser.add_option("--direct-resync", action="store_true", dest="direct_resync", default=False,
		help="Filter the output of univention-ldapsearch through the this module")
	(options, args) = parser.parse_args()

	if not options.direct_resync:
		parser.error("The option --direct-resync is required to run this module directly")
		import sys
		sys.exit(1)

	univention.debug.init("stderr", univention.debug.NO_FLUSH, univention.debug.NO_FUNCTION)
	from univention.config_registry import ConfigRegistry
	ucr = ConfigRegistry()
	ucr.load()
	univention.debug.set_level(univention.debug.LISTENER, int(ucr.get('listener/debug/level', 2)))

	import subprocess
	cmd = ['/usr/bin/univention-ldapsearch', '-xLLL', filter, 'objectClass']
	cmd.extend(attributes)
	p1 = subprocess.Popen(cmd, stdout=subprocess.PIPE)
	(stdout, stderr) = p1.communicate()

	from ldif import LDIFParser
	class ListenerHandler(LDIFParser):
		def __init__(self,input):
			LDIFParser.__init__(self,input)
		def handle(self,dn,entry):
			handler(dn, entry, {}, 'a')
Exemple #44
0
import ldap
from univention.config_registry import ConfigRegistry
from ldap.controls import LDAPControl
import ldap.modlist as modlist
try:
	from univention.connector.ad import compatible_modstring
except ImportError, e:
	try:
		from univention.s4connector.s4 import compatible_modstring
	except ImportError, e:
		def compatible_modstring(dn):
			return dn

baseConfig = ConfigRegistry()
baseConfig.load()

def get_rdn(dn):
	index = dn.find(',')
	if index == -1:
		return dn
	else:
		return dn[0:index]

def get_parent_dn(dn):
	index = dn.find(',')
	if index == -1:
		return None
	else:
		return dn[index+1:len(dn)]

class LDAPConnection(object):
Exemple #45
0
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

from univention.config_registry import ConfigRegistry
configRegistry = ConfigRegistry()
configRegistry.load()

# Update package cache
cmd_update = configRegistry.get('update/commands/update', 'apt-get update')

# Show package information
cmd_show = configRegistry.get('update/commands/show', 'apt-cache show')

# Upgrade only installed packages
cmd_upgrade = configRegistry.get('update/commands/upgrade', 'apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1 -u upgrade')
cmd_upgrade_sim = configRegistry.get('update/commands/upgrade/simulate', 'apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1 -us upgrade')

# Upgrade system, may install new packages to satisfy dependencies
cmd_dist_upgrade = configRegistry.get('update/commands/distupgrade', 'apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1 -u dist-upgrade')
cmd_dist_upgrade_sim = configRegistry.get('update/commands/distupgrade/simulate', 'apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1 -us dist-upgrade')