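def get_test_connection(cls, hostname=None, *args, **kwargs):
    """Open a connection as the test domain administrator.

    The admin DN is read from UCR ``tests/domainadmin/account`` and the
    password from ``tests/domainadmin/pwd`` (a plaintext secret kept in
    UCR; acceptable for disposable test systems only). The user name is
    the value of the leading ``uid=`` RDN of that DN.

    :param hostname: host to connect to, passed through to ``cls``.
    :raises ValueError: when the account DN is unset or its first RDN is
        not ``uid=`` (the previous unconditional slice would silently have
        produced a wrong user name for e.g. a ``cn=`` DN).
    """
    ucr = ConfigRegistry()
    ucr.load()
    account_dn = ucr.get('tests/domainadmin/account')
    if not account_dn:
        raise ValueError('UCR variable tests/domainadmin/account is not set')
    first_rdn = account_dn.split(',', 1)[0]
    prefix = 'uid='
    # Attribute types in DNs are case-insensitive, so "UID=" is accepted too.
    if first_rdn[:len(prefix)].lower() != prefix:
        raise ValueError('expected a uid= RDN in tests/domainadmin/account, got %r' % (first_rdn,))
    username = first_rdn[len(prefix):]
    password = ucr.get('tests/domainadmin/pwd')
    return cls(hostname, username, password, *args, **kwargs)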
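def getMachineConnection(start_tls=2, decode_ignorelist=None, ldap_master=True, secret_file="/etc/machine.secret", reconnect=True):
    """Open an LDAP connection with the machine account (``ldap/hostdn``).

    The bind password is read from *secret_file*. With *ldap_master* the
    connection goes to ``ldap/master``; otherwise ``ldap/server/name`` is
    tried first and, if it is down, every host in ``ldap/server/addition``
    in turn.

    :param int start_tls: 0 = no TLS, 1 = try, 2 = require (default).
    :param decode_ignorelist: attribute names to treat as binary; ``None``
        (the default) is handled like an empty list.
    :param bool ldap_master: connect to the Master instead of the preferred server.
    :param str secret_file: file holding the machine password.
    :param bool reconnect: reconnect automatically on connection loss.
    :returns: an ``access`` object.
    :raises ldap.SERVER_DOWN: when no candidate server could be reached.
    """
    ucr = ConfigRegistry()
    ucr.load()
    if decode_ignorelist is None:
        decode_ignorelist = []
    # Context manager so the secret file descriptor is closed promptly
    # instead of lingering until garbage collection.
    with open(secret_file) as secret:
        bindpw = secret.read().rstrip('\n')

    def connect(host, port):
        return access(host=host, port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)

    if ldap_master:
        # Connect to DC Master
        return connect(ucr['ldap/master'], int(ucr.get('ldap/master/port', '7389')))

    # Connect to ldap/server/name, then fall back to ldap/server/addition
    port = int(ucr.get('ldap/server/port', '7389'))
    try:
        return connect(ucr['ldap/server/name'], port)
    except ldap.SERVER_DOWN as exc:
        additional = ucr.get('ldap/server/addition')
        if not additional:
            raise
        for server in additional.split():
            try:
                return connect(server, port)
            except ldap.SERVER_DOWN:
                pass
        # Every fallback failed: surface the error for ldap/server/name.
        raise exc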
def handler(dn, new, old):
    """Listener: mirror the SAML IdP configuration object into UCR.

    Only the object whose DN equals UCR ``saml/idp/configobject`` (default
    ``id=default-saml-idp,cn=univention,<ldap/base>``) is honoured. For each
    LDAP attribute in ``LDAP_UCR_MAPPING`` the mapped UCR variable is set
    when the attribute is present on the new object and unset otherwise.
    Runs as root between ``listener.setuid(0)`` / ``unsetuid()``.

    NOTE(review): ``new['entryDN']`` is accessed unconditionally; on a
    delete ``new`` is presumably empty, which would raise KeyError here —
    confirm against the listener's filter.
    """
    ucr = ConfigRegistry()
    ucr.load()
    idp_config_objectdn = ucr.get(
        'saml/idp/configobject',
        'id=default-saml-idp,cn=univention,%s' % ucr.get('ldap/base'))
    listener.setuid(0)
    try:
        if idp_config_objectdn == new['entryDN'][0]:
            for key in LDAP_UCR_MAPPING.keys():
                if key in new:
                    # NOTE(review): for every key other than LdapGetAttributes
                    # the variable is set to the empty string — confirm this is
                    # intended and not a truncated branch.
                    ucr_value = ""
                    if key == 'LdapGetAttributes':
                        # Values are wrapped in single quotes and joined, but not
                        # escaped: a value containing "'" would break the quoting
                        # of whatever consumes this variable — verify the consumer.
                        ucr_value = "'" + "', '".join(new[key]) + "'"
                    handler_set(['%s=%s' % (LDAP_UCR_MAPPING[key], ucr_value)])
                else:
                    handler_unset(['%s' % LDAP_UCR_MAPPING[key]])
        else:
            ud.debug(
                ud.LISTENER, ud.WARN,
                'An IdP config object was modified, but it is not the object the listener is configured for (%s). Ignoring changes. DN of modified object: %s' % (idp_config_objectdn, new['entryDN']))
    finally:
        listener.unsetuid()
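def main():
    """Retrieve the current Univention Directory Notifier transaction ID.

    Connects in clear text to the notifier on ``ldap/master`` port 6669,
    sends the version handshake followed by ``GET_ID`` and prints the
    second line of the reply. Exits with status 1 when ``ldap/master`` is
    unset, on socket errors, or when the reply is too short to contain an
    ID (the previous code raised IndexError in that case). The socket is
    always closed.
    """
    configRegistry = ConfigRegistry()
    configRegistry.load()
    master = configRegistry.get('ldap/master')
    if not master:
        print >> sys.stderr, 'Error: ldap/master not set'
        sys.exit(1)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((master, 6669))
        # sendall() retries partial writes; send() may transmit only a prefix.
        sock.sendall('Version: 2\nCapabilities: \n\n')
        sock.recv(100)
        sock.sendall('MSGID: 1\nGET_ID\n\n')
        notifier_result = sock.recv(100)
        lines = notifier_result.splitlines()
        if len(lines) < 2:
            print >> sys.stderr, 'Error: unexpected reply from notifier: %r' % (notifier_result,)
            sys.exit(1)
        print "%s" % lines[1]
    except socket.error, ex:
        print >> sys.stderr, 'Error: %s' % (ex,)
        sys.exit(1)
    finally:
        sock.close()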
def getBackupConnection(start_tls=2, decode_ignorelist=[]):
    """Bind to the Master as ``cn=backup,<ldap/base>`` with the password
    from ``/etc/ldap-backup.secret``; if the Master is down, retry once
    against the first host in UCR ``ldap/backup``.

    NOTE(review): no ``return lo`` is visible in this excerpt, so the
    snippet is presumably truncated. Also: the secret file handle is never
    closed, ``bindpw[-1]`` raises IndexError on an empty secret file, and
    ``ucr["ldap/backup"]`` raises KeyError (rather than falling through to
    the re-raise) when the variable is unset.
    """
    ucr = ConfigRegistry()
    ucr.load()
    bindpw = open("/etc/ldap-backup.secret").read()
    if bindpw[-1] == "\n":
        bindpw = bindpw[0:-1]  # strip exactly one trailing newline
    port = int(ucr.get("ldap/master/port", "7389"))
    try:
        lo = access(
            host=ucr["ldap/master"],
            port=port,
            base=ucr["ldap/base"],
            binddn="cn=backup," + ucr["ldap/base"],
            bindpw=bindpw,
            start_tls=start_tls,
            decode_ignorelist=decode_ignorelist,
        )
    except ldap.SERVER_DOWN, e:
        if ucr["ldap/backup"]:
            # Only the first backup host is tried.
            backup = string.split(ucr["ldap/backup"], " ")[0]
            lo = access(
                host=backup,
                port=port,
                base=ucr["ldap/base"],
                binddn="cn=backup," + ucr["ldap/base"],
                bindpw=bindpw,
                start_tls=start_tls,
                decode_ignorelist=decode_ignorelist,
            )
        else:
            raise ldap.SERVER_DOWN, e
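def fetch_schema_from_local_ldap():
    """Fetch the LDAP schema from the local server.

    Builds an ``ldap://`` URI from this host's FQDN (UCR ``hostname`` and
    ``domainname``) and delegates to ``__fetch_schema_from_uri``.
    """
    ucr = ConfigRegistry()
    ucr.load()
    # The FQDN is "<hostname>.<domainname>". The previous ':' separator put
    # the domain name into the URI's port field and produced an invalid URI.
    # No port is given, so the library default applies — presumably this is
    # intended for the local server; confirm against __fetch_schema_from_uri.
    ldap_uri = 'ldap://%(hostname)s.%(domainname)s' % ucr
    return __fetch_schema_from_uri(ldap_uri)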
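class UCSResync(object):
    """Re-queue UCS LDAP objects for the S4 connector.

    Each object is searched with all attributes (``*`` and ``+``) and
    pickled into the connector's listener directory, where the connector
    picks it up. Because the dump contains every attribute of the object,
    the file is created with mode 0600 from the start.
    """

    def __init__(self):
        self.configRegistry = ConfigRegistry()
        self.configRegistry.load()
        self.lo = univention.uldap.getMachineConnection()

    def _get_listener_dir(self):
        """Directory the connector polls, UCR ``connector/s4/listener/dir``."""
        return self.configRegistry.get('connector/s4/listener/dir', '/var/lib/univention-connector/s4')

    def _generate_filename(self):
        """Unique file name inside the listener directory, derived from the current time."""
        directory = self._get_listener_dir()
        return os.path.join(directory, "%f" % time.time())

    def _dump_object_to_file(self, object_data):
        """Pickle *object_data* into a new 0600 file in the listener directory.

        The previous open()-then-chmod() sequence left a window in which the
        file existed with umask-default permissions; os.open() with an
        explicit mode closes that window. fchmod() keeps the old semantics
        for a pre-existing file. The reader unpickles this file, so the
        directory must only be writable by trusted local users (presumably
        root; not checked here).
        """
        filename = self._generate_filename()
        fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'wb') as stream:
            os.fchmod(fd, 0o600)
            pickler = pickle.Pickler(stream)
            pickler.dump(object_data)
            pickler.clear_memo()

    def _search_ldap_object_orig(self, ucs_dn):
        return self.lo.get(ucs_dn, attr=['*', '+'], required=True)

    def resync(self, ucs_dns=None, ldapfilter=None):
        """Dump every matching object; returns the list of DNs written."""
        treated_dns = []
        for dn, new in self.search_ldap(ucs_dns, ldapfilter):
            # (dn, new, old, command) tuple as consumed by the connector.
            object_data = (dn, new, {}, None)
            self._dump_object_to_file(object_data)
            treated_dns.append(dn)
        return treated_dns

    def search_ldap(self, ucs_dns=None, ldapfilter=None):
        """Return (dn, attrs) results for *ucs_dns* (base scope each) or for *ldapfilter*.

        :raises ldap.NO_SUCH_OBJECT: when any of *ucs_dns* does not exist; the
            DNs that were found are carried in the exception's third argument.
        """
        attr = ('*', '+')
        if ucs_dns:
            if not ldapfilter:
                ldapfilter = '(objectClass=*)'
            ldap_result = []
            missing_dns = []
            for targetdn in ucs_dns:
                try:
                    result = self.lo.search(base=targetdn, scope='base', filter=ldapfilter, attr=attr)
                    ldap_result.extend(result)
                except ldap.NO_SUCH_OBJECT:
                    missing_dns.append(targetdn)
            if missing_dns:
                raise ldap.NO_SUCH_OBJECT(1, 'No object: %s' % (missing_dns, ), [r[0] for r in ldap_result])
        else:
            ldap_result = self.lo.search(filter=ldapfilter, attr=attr)
        return ldap_result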
def getLDAPURIs(ucr=None):
    # type: (Optional[ConfigRegistry]) -> str
    """
    Return all configured |LDAP| servers as space separated ``ldap://`` |URI|.

    The host list is `ldap/server/name` followed by every entry of
    `ldap/server/addition`; all use the port from `ldap/server/port`
    (default 7389). An empty string is returned when no host is configured.

    :param ConfigRegistry ucr: An optional |UCR| instance; loaded fresh when omitted.
    :returns: A space separated list of |LDAP| |URI|.
    :rtype: str
    """
    if ucr is None:
        ucr = ConfigRegistry()
        ucr.load()
    port = ucr.get('ldap/server/port', '7389')
    hosts = []
    primary = ucr.get('ldap/server/name')
    if primary:
        hosts.append(primary)
    additional = ucr.get('ldap/server/addition')
    if additional:
        hosts.extend(additional.split())
    return ' '.join('ldap://%s:%s' % (host, port) for host in hosts)
def handler(dn, new, old):
    # type: (str, dict, dict) -> None
    """Listener: track hosts providing the ``univention-saml`` service.

    For a host object with ``cn`` and ``associatedDomain`` the UCR variable
    ``ucs/server/saml-idp-server/<fqdn>`` is set when the new object carries
    the service and unset when only the old one did. After either change
    ``univention-saml`` is restarted, but only if both the IdP certificate
    and private key configured in UCR exist on disk. Objects without the
    two attributes are ignored. Runs as root via ``listener.setuid(0)``.
    """
    ucr = ConfigRegistry()
    ucr.load()
    listener.setuid(0)
    try:
        try:
            host = new['cn'][0].decode('UTF-8')
            domain = new['associatedDomain'][0].decode('ASCII')
        except (KeyError, IndexError):
            return
        fqdn = '%s.%s' % (host, domain)
        variable = 'ucs/server/saml-idp-server/%s' % (fqdn,)
        provides_now = b'univention-saml' in new.get('univentionService', [])
        provided_before = b'univention-saml' in old.get('univentionService', [])
        if provides_now:
            handler_set(['%s=%s' % (variable, fqdn)])
        elif provided_before:
            handler_unset([variable])
        else:
            return
        cert_path = ucr.get('saml/idp/certificate/certificate')
        key_path = ucr.get('saml/idp/certificate/privatekey')
        if cert_path and os.path.exists(cert_path) and key_path and os.path.exists(key_path):
            subprocess.call(['systemctl', 'restart', 'univention-saml'])
    finally:
        listener.unsetuid()
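def getBackupConnection(start_tls=2, decode_ignorelist=None, reconnect=True):
    """Bind to the Master as ``cn=backup,<ldap/base>``.

    The password is read from ``/etc/ldap-backup.secret``. If the Master
    is down, the first host listed in UCR ``ldap/backup`` is tried once;
    when no backup is configured the original ``SERVER_DOWN`` is re-raised.

    :param int start_tls: 0 = no TLS, 1 = try, 2 = require (default).
    :param decode_ignorelist: attribute names to treat as binary; ``None``
        (the default) is handled like an empty list.
    :param bool reconnect: reconnect automatically on connection loss.
    :returns: an ``access`` object.
    :raises ldap.SERVER_DOWN: when neither Master nor backup is reachable.
    """
    ucr = ConfigRegistry()
    ucr.load()
    if decode_ignorelist is None:
        decode_ignorelist = []
    # Context manager so the secret file descriptor is closed promptly.
    with open('/etc/ldap-backup.secret') as secret:
        bindpw = secret.read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    binddn = 'cn=backup,' + ucr['ldap/base']

    def connect(host):
        return access(host=host, port=port, base=ucr['ldap/base'], binddn=binddn, bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)

    try:
        return connect(ucr['ldap/master'])
    except ldap.SERVER_DOWN:
        if not ucr['ldap/backup']:
            raise
        # Only the first backup host is tried.
        backup = ucr['ldap/backup'].split(' ')[0]
        return connect(backup)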
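def main():
    """Retrieve the current Univention Directory Notifier transaction ID.

    Connects in clear text to the notifier on ``ldap/master`` port 6669,
    sends the version handshake followed by ``GET_ID`` and prints the
    second line of the reply. Exits with status 1 when ``ldap/master`` is
    unset, on socket errors, or when the reply is too short to contain an
    ID (the previous code raised IndexError in that case). The socket is
    always closed.
    """
    configRegistry = ConfigRegistry()
    configRegistry.load()
    master = configRegistry.get('ldap/master')
    if not master:
        print >> sys.stderr, 'Error: ldap/master not set'
        sys.exit(1)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((master, 6669))
        # sendall() retries partial writes; send() may transmit only a prefix.
        sock.sendall('Version: 2\nCapabilities: \n\n')
        sock.recv(100)
        sock.sendall('MSGID: 1\nGET_ID\n\n')
        notifier_result = sock.recv(100)
        lines = notifier_result.splitlines()
        if len(lines) < 2:
            print >> sys.stderr, 'Error: unexpected reply from notifier: %r' % (notifier_result,)
            sys.exit(1)
        print "%s" % lines[1]
    except socket.error, ex:
        print >> sys.stderr, 'Error: %s' % (ex,)
        sys.exit(1)
    finally:
        sock.close()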
def getLDAPServersCommaList(ucr=None):
    # type: (Optional[ConfigRegistry]) -> str
    """
    Return all configured |LDAP| servers joined by commas.

    The host list is `ldap/server/name` followed by every entry of
    `ldap/server/addition`. An empty string is returned when no host is
    configured.

    :param ConfigRegistry ucr: An optional |UCR| instance; loaded fresh when omitted.
    :returns: A comma separated list of |LDAP| host names.
    :rtype: str
    """
    if ucr is None:
        ucr = ConfigRegistry()
        ucr.load()
    hosts = []
    primary = ucr.get('ldap/server/name')
    if primary:
        hosts.append(primary)
    additional = ucr.get('ldap/server/addition')
    if additional:
        hosts.extend(additional.split())
    return ','.join(hosts)
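def getAdminConnection(start_tls=2, decode_ignorelist=None, reconnect=True):
    # type: (int, Optional[List[str]], bool) -> access
    """
    Open a LDAP connection to the Master LDAP server using the admin credentials.

    The password is read from ``/etc/ldap.secret`` and the bind DN is
    ``cn=admin,<ldap/base>``.

    :param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
    :param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes. `None` (the default) behaves like an empty list.
    :type decode_ignorelist: list[str]
    :param bool reconnect: Automatically reconnect if the connection fails.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    """
    ucr = ConfigRegistry()
    ucr.load()
    if decode_ignorelist is None:
        decode_ignorelist = []
    # Context manager so the secret file descriptor is closed promptly.
    with open('/etc/ldap.secret') as secret:
        bindpw = secret.read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    return access(host=ucr['ldap/master'], port=port, base=ucr['ldap/base'], binddn='cn=admin,' + ucr['ldap/base'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)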
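def getRootDnConnection(start_tls=2, decode_ignorelist=None, reconnect=True):
    # type: (int, Optional[List[str]], bool) -> access
    """
    Open a LDAP connection to the local LDAP server with the LDAP root account.

    On a Master (``ldap/server/type`` == ``master``) this binds as
    ``cn=admin,<ldap/base>`` with ``/etc/ldap.secret``; on every other
    role as ``cn=update,<ldap/base>`` with the password taken from
    ``/etc/ldap/rootpw.conf``. The host is this machine's FQDN and the
    port the first entry of ``slapd/port`` (default 7389).

    :param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
    :param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes. `None` (the default) behaves like an empty list.
    :type decode_ignorelist: list[str]
    :param bool reconnect: Automatically reconnect if the connection fails.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    """
    ucr = ConfigRegistry()
    ucr.load()
    if decode_ignorelist is None:
        decode_ignorelist = []
    port = int(ucr.get('slapd/port', '7389').split(',')[0])
    host = ucr['hostname'] + '.' + ucr['domainname']
    if ucr.get('ldap/server/type', 'dummy') == 'master':
        with open('/etc/ldap.secret') as secret:
            bindpw = secret.read().rstrip('\n')
        binddn = 'cn=admin,{0}'.format(ucr['ldap/base'])
    else:
        with open('/etc/ldap/rootpw.conf') as rootpw:
            line = rootpw.read().rstrip('\n')
        # Expected form: rootpw "<password>" — drop the keyword prefix once and
        # the closing quote. A password containing an escaped '"' would not be
        # unescaped here (presumably never generated; verify if that changes).
        bindpw = line.replace('rootpw "', '', 1)[:-1]
        binddn = 'cn=update,{0}'.format(ucr['ldap/base'])
    return access(host=host, port=port, base=ucr['ldap/base'], binddn=binddn, bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)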
def handler(dn, new, old, command):
    """Listener handler for share objects hosted on this machine.

    Objects whose ``univentionShareHost`` is neither this host's FQDN nor
    its default IP address are treated as absent. The module globals
    ``domainname``, ``tmpFile`` and ``name`` are defined outside this
    excerpt.

    NOTE(review): this excerpt ends right after the temporary directory is
    created; the remainder of the handler (including the matching
    ``listener.unsetuid()``) is not visible here.
    """
    configRegistry = ConfigRegistry()
    configRegistry.load()
    interfaces = Interfaces(configRegistry)
    # dynamic module object filter: only shares for this host are relevant
    current_fqdn = "%s.%s" % (configRegistry['hostname'], domainname)
    current_ip = str(interfaces.get_default_ip_address().ip)
    new_univentionShareHost = new.get('univentionShareHost', [None])[0]
    if new and not new_univentionShareHost in (current_fqdn, current_ip):
        new = {}  # new object is not for this host
    old_univentionShareHost = old.get('univentionShareHost', [None])[0]
    if old and not old_univentionShareHost in (current_fqdn, current_ip):
        old = {}  # old object is not for this host
    if not (new or old):
        return
    # create tmp dir
    tmpDir = os.path.dirname(tmpFile)
    listener.setuid(0)
    try:
        if not os.path.exists(tmpDir):
            os.makedirs(tmpDir)
    except Exception, e:
        univention.debug.debug(
            univention.debug.LISTENER, univention.debug.ERROR,
            "%s: could not create tmp dir %s (%s)" % (name, tmpDir, str(e)))
        # NOTE(review): returns while still running as uid 0 after
        # listener.setuid(0); there is no listener.unsetuid() on this path.
        return
def handler(dn, new, old, command):
    """Listener handler for share objects hosted on this machine.

    Objects whose ``univentionShareHost`` is neither this host's FQDN nor
    its default IP address are treated as absent. The module globals
    ``domainname``, ``tmpFile`` and ``name`` are defined outside this
    excerpt.

    NOTE(review): this excerpt ends right after the temporary directory is
    created; the remainder of the handler (including the matching
    ``listener.unsetuid()``) is not visible here.
    """
    configRegistry = ConfigRegistry()
    configRegistry.load()
    interfaces = Interfaces(configRegistry)
    # dynamic module object filter: only shares for this host are relevant
    current_fqdn = "%s.%s" % (configRegistry['hostname'], domainname)
    current_ip = str(interfaces.get_default_ip_address().ip)
    new_univentionShareHost = new.get('univentionShareHost', [None])[0]
    if new and not new_univentionShareHost in (current_fqdn, current_ip):
        new = {}  # new object is not for this host
    old_univentionShareHost = old.get('univentionShareHost', [None])[0]
    if old and not old_univentionShareHost in (current_fqdn, current_ip):
        old = {}  # old object is not for this host
    if not (new or old):
        return
    # create tmp dir
    tmpDir = os.path.dirname(tmpFile)
    listener.setuid(0)
    try:
        if not os.path.exists(tmpDir):
            os.makedirs(tmpDir)
    except Exception, e:
        univention.debug.debug(
            univention.debug.LISTENER, univention.debug.ERROR,
            "%s: could not create tmp dir %s (%s)" % (name, tmpDir, str(e)))
        # NOTE(review): returns while still running as uid 0 after
        # listener.setuid(0); there is no listener.unsetuid() on this path.
        return
def parse_args():
    """Parse the command line.

    The notifier host is taken from ``--master``, else from the single
    positional argument, else from UCR ``ldap/master``; ``parser.error()``
    (exit 2) is called when more than one positional argument is given or
    no host can be determined. ``-s`` switches the request from ``GET_ID``
    to ``GET_SCHEMA_ID`` (the option's long name ``--shema`` is kept as-is
    for compatibility).
    """
    parser = OptionParser(usage='%prog [options] [master]', description=sys.modules[__name__].__doc__)
    parser.add_option('-m', '--master', dest='master', help='LDAP Server address')
    parser.add_option('-s', '--shema', dest='cmd', action='store_const', const='GET_SCHEMA_ID', default='GET_ID', help='Fetch LDAP Schema ID')
    options, positional = parser.parse_args()
    if not options.master:
        if positional:
            if len(positional) != 1:
                parser.error('incorrect number of arguments')
            options.master = positional[0]
        else:
            from univention.config_registry import ConfigRegistry
            registry = ConfigRegistry()
            registry.load()
            options.master = registry.get('ldap/master')
        if not options.master:
            parser.error('ldap/master or --master not set')
    return options
def main() -> None:
    """
    Set repository server.

    Asks the policy for this host (``ldap/hostdn``) which repository
    server to use. On a repository server (``local/repository`` true) the
    mirror server is updated, or ``repository/online/server`` defaulted to
    the own FQDN when the policy names none; elsewhere
    ``repository/online/server`` follows the policy. Exits 0 silently
    when ``ldap/hostdn`` is unset.
    """
    ucr = ConfigRegistry()
    ucr.load()
    hostdn = ucr.get('ldap/hostdn')
    if not hostdn:
        # can't query policy without host-dn
        exit(0)
    fqdn = '%(hostname)s.%(domainname)s' % ucr
    self_update = '%(version/version)s-%(version/patchlevel)s' % ucr
    new_server, policy_update = query_policy(hostdn)
    # FIXME: policy_update / self_update are not used yet - should be passed
    # to `univention-repository-update --updateto=`
    pending = []  # type: List[str]
    if ucr.is_true('local/repository'):
        # on a repository server
        mirror_server = ucr.get('repository/mirror/server')
        if not new_server:
            pending.append('repository/online/server?%s' % fqdn)
        elif new_server not in (mirror_server, fqdn):
            pending.append('repository/mirror/server=%s' % new_server)
    else:
        # without a local repository
        online_server = ucr.get('repository/online/server')
        if new_server and new_server != online_server:
            pending.append('repository/online/server=%s' % new_server)
    if pending:
        handler_set(pending)
def connect(options):
    """Initialise the AD connector and run the sync loop.

    Retries the LDAP initialisation every ``<configbasename>/ad/poll/sleep``
    seconds for as long as ``ldap.SERVER_DOWN`` is raised, writes the active
    mapping to ``/var/log/univention/<configbasename>-ad-mapping.log`` and
    hands over to ``_connect`` with the ``retryrejected`` setting (default 10).
    """
    print(time.ctime())
    ucr = ConfigRegistry()
    ucr.load()
    basename = options.configbasename
    poll_sleep = int(ucr['%s/ad/poll/sleep' % basename])
    while True:
        try:
            ad = univention.connector.ad.ad.main(ucr, basename, logfilename=options.log_file, debug_level=options.debug)
            ad.init_ldap_connections()
            ad.init_group_cache()
            break
        except ldap.SERVER_DOWN:
            print("Warning: Can't initialize LDAP-Connections, wait...")
            sys.stdout.flush()
            time.sleep(poll_sleep)
    # log the active mapping
    mapping_log = '/var/log/univention/%s-ad-mapping.log' % basename
    with open(mapping_log, 'w+') as fd:
        print(repr(univention.connector.Mapping(ad.property)), file=fd)
    with ad as ad:
        _connect(ad, poll_sleep, ucr.get('%s/ad/retryrejected' % basename, 10))
def getBackupConnection(start_tls=2, decode_ignorelist=[]):
    """Bind to the Master as ``cn=backup,<ldap/base>`` with the password
    from ``/etc/ldap-backup.secret``; if the Master is down, retry once
    against the first host in UCR ``ldap/backup``.

    NOTE(review): no ``return lo`` is visible in this excerpt, so the
    snippet is presumably truncated. Also: the secret file handle is never
    closed, ``bindpw[-1]`` raises IndexError on an empty secret file, and
    ``ucr['ldap/backup']`` raises KeyError (rather than falling through to
    the re-raise) when the variable is unset.
    """
    ucr = ConfigRegistry()
    ucr.load()
    bindpw = open('/etc/ldap-backup.secret').read()
    if bindpw[-1] == '\n':
        bindpw = bindpw[0:-1]  # strip exactly one trailing newline
    port = int(ucr.get('ldap/master/port', '7389'))
    try:
        lo = access(host=ucr['ldap/master'], port=port, base=ucr['ldap/base'], binddn='cn=backup,' + ucr['ldap/base'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist)
    except ldap.SERVER_DOWN, e:
        if ucr['ldap/backup']:
            # Only the first backup host is tried.
            backup = string.split(ucr['ldap/backup'], ' ')[0]
            lo = access(host=backup, port=port, base=ucr['ldap/base'], binddn='cn=backup,' + ucr['ldap/base'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist)
        else:
            raise ldap.SERVER_DOWN, e
def call_unjoin_script(unjoin_script_name):
    """Run ``/usr/lib/univention-uninstall/<unjoin_script_name>``.

    The script is started as the test domain administrator: the bind DN
    comes from UCR ``tests/domainadmin/account`` and the password is handed
    over as a file path (``tests/domainadmin/pwdfile``) rather than on the
    command line. Returns the script's exit status.
    """
    print('call_unjoin_script(%r)' % (unjoin_script_name,))
    ucr = ConfigRegistry()
    ucr.load()
    script = '/usr/lib/univention-uninstall/%s' % unjoin_script_name
    argv = [
        script,
        '--binddn', ucr.get('tests/domainadmin/account'),
        '--bindpwdfile', ucr.get('tests/domainadmin/pwdfile'),
    ]
    return subprocess.call(argv, shell=False)
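def getMachineConnection(start_tls=2, decode_ignorelist=None, ldap_master=True, secret_file="/etc/machine.secret", reconnect=True, random_server=False):
    # type: (int, Optional[List[str]], bool, str, bool, bool) -> access
    """
    Open a LDAP connection using the machine credentials.

    :param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
    :param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes. `None` (the default) behaves like an empty list.
    :type decode_ignorelist: list[str]
    :param bool ldap_master: Open a connection to the Master if True, to the preferred LDAP server otherwise.
    :param str secret_file: The name of a file containing the password credentials.
    :param bool reconnect: Automatically reconnect if the connection fails.
    :param bool random_server: Choose a random LDAP server from ldap/server/name and ldap/server/addition.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    :raises ldap.SERVER_DOWN: when no candidate server could be reached.
    """
    ucr = ConfigRegistry()
    ucr.load()
    if decode_ignorelist is None:
        decode_ignorelist = []
    # Context manager so the secret file descriptor is closed promptly.
    with open(secret_file) as secret:
        bindpw = secret.read().rstrip('\n')

    def connect(host, port):
        return access(host=host, port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)

    if ldap_master:
        # Connect to DC Master
        return connect(ucr['ldap/master'], int(ucr.get('ldap/master/port', '7389')))

    # Connect to ldap/server/name or one of ldap/server/addition
    port = int(ucr.get('ldap/server/port', '7389'))
    servers = [ucr.get('ldap/server/name')]
    servers += ucr.get('ldap/server/addition', '').split()
    if random_server:
        random.shuffle(servers)
    last_error = None
    for server in servers:
        try:
            return connect(server, port)
        except ldap.SERVER_DOWN as exc:
            # LDAP server down, try next server
            last_error = exc
    # Python 3 unbinds the `as exc` name when the except clause ends, so the
    # previous `raise exc` after the loop raised NameError instead of
    # SERVER_DOWN. `servers` always holds at least one entry, so last_error
    # is set here.
    raise last_error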
def call_join_script(name, fail_on_error=True):
    # type: (str, bool) -> int
    """
    Run the join script ``/usr/lib/univention-install/<name>`` (e.g. name='66foobar.inst').

    The script is started as the test domain administrator (bind DN from UCR
    ``tests/domainadmin/account``, password via the file named in
    ``tests/domainadmin/pwdfile``). With *fail_on_error* the helper
    ``call_cmd`` fails on a non-zero exit code; the exit code is returned.
    """
    ucr = ConfigRegistry()
    ucr.load()
    argv = [
        '/usr/lib/univention-install/%s' % name,
        '--binddn', ucr.get('tests/domainadmin/account'),
        '--bindpwdfile', ucr.get('tests/domainadmin/pwdfile'),
    ]
    return call_cmd(argv, fail_on_error=fail_on_error)
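def __init__(self, host='localhost', port=None, base='', binddn='', bindpw='', start_tls=2, ca_certfile=None, decode_ignorelist=None, use_ldaps=False, uri=None, follow_referral=False):
    """Set up connection parameters and open the connection.

    start_tls = 0 (no); 1 (try); 2 (must)

    :param host: LDAP server host name.
    :param port: TCP port; when unset, UCR ``ldap/server/port`` (default 7389).
    :param base: search base.
    :param binddn: bind DN; *bindpw* its password.
    :param ca_certfile: CA certificate file handed to ``__open``.
    :param decode_ignorelist: attribute names treated as binary; when empty
        or ``None``, UCR ``ldap/binaryattributes`` (default
        ``krb5Key,userCertificate;binary``) is used.
    :param use_ldaps: build an ``ldaps://`` URI; port 7389 becomes 7636.
    :param uri: explicit URI, used only when *use_ldaps* is false.
    :param follow_referral: see the referral note below.

    Two fixes versus the previous version: the ldaps URI was assigned as
    the literal string ``'ldaps://%s:%s" % (self.host, self.port)'`` (the
    formatting sat inside the quotes) and was never built, and the port
    adjustment compared an ``int`` against ``"7389"`` and never matched.
    """
    ucr = None
    self.host = host
    self.base = base
    self.binddn = binddn
    self.bindpw = bindpw
    self.start_tls = start_tls
    self.ca_certfile = ca_certfile
    self.port = port
    if not self.port:
        # if no explicit port is given, take UCR value
        ucr = ConfigRegistry()
        ucr.load()
        self.port = int(ucr.get('ldap/server/port', 7389))
    # adjust the standard port for ssl (compare as text so both int and str ports match)
    if use_ldaps and str(self.port) == "7389":
        self.port = 7636
    # http://www.openldap.org/faq/data/cache/605.html
    self.protocol = 'ldap'
    if use_ldaps:
        self.protocol = 'ldaps'
        self.uri = 'ldaps://%s:%s' % (self.host, self.port)
    elif uri:
        self.uri = uri
    else:
        self.uri = "ldap://%s:%s" % (self.host, self.port)
    if not decode_ignorelist:
        if not ucr:
            ucr = ConfigRegistry()
            ucr.load()
        self.decode_ignorelist = ucr.get(
            'ldap/binaryattributes', 'krb5Key,userCertificate;binary').split(',')
    else:
        self.decode_ignorelist = decode_ignorelist
    # python-ldap does not cache the credentials, so we override the
    # referral handling if follow_referral is set to true
    # https://forge.univention.org/bugzilla/show_bug.cgi?id=9139
    self.follow_referral = follow_referral
    self.__open(ca_certfile)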
def load(self):
    # type: () -> None
    """
    Load the registry via the superclass and, on the first call only,
    remember a deep copy of every registry layer as returned by ``_walk()``.
    """
    ConfigRegistry.load(self)
    if self.__original_registry is not None:
        return
    snapshot = {}
    for regtype, reg in self._walk():
        snapshot[regtype] = copy.deepcopy(dict(reg))
    self.__original_registry = snapshot
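def __init__(
    self,
    host="localhost",
    port=None,
    base="",
    binddn="",
    bindpw="",
    start_tls=2,
    ca_certfile=None,
    decode_ignorelist=None,
    use_ldaps=False,
    uri=None,
    follow_referral=False,
):
    """Set up connection parameters and open the connection.

    start_tls = 0 (no); 1 (try); 2 (must)

    :param host: LDAP server host name.
    :param port: TCP port; when unset, UCR ``ldap/server/port`` (default 7389).
    :param base: search base.
    :param binddn: bind DN; *bindpw* its password.
    :param ca_certfile: CA certificate file handed to ``__open``.
    :param decode_ignorelist: attribute names treated as binary; when empty
        or ``None``, UCR ``ldap/binaryattributes`` (default
        ``krb5Key,userCertificate;binary``) is used.
    :param use_ldaps: build an ``ldaps://`` URI; port 7389 becomes 7636.
    :param uri: explicit URI, used only when *use_ldaps* is false.
    :param follow_referral: see the referral note below.

    Two fixes versus the previous version: the ldaps URI was assigned as
    the literal string ``'ldaps://%s:%s" % (self.host, self.port)'`` (the
    formatting sat inside the quotes) and was never built, and the port
    adjustment compared an ``int`` against ``"7389"`` and never matched.
    """
    ucr = None
    self.host = host
    self.base = base
    self.binddn = binddn
    self.bindpw = bindpw
    self.start_tls = start_tls
    self.ca_certfile = ca_certfile
    self.port = port
    if not self.port:
        # if no explicit port is given, take UCR value
        ucr = ConfigRegistry()
        ucr.load()
        self.port = int(ucr.get("ldap/server/port", 7389))
    # adjust the standard port for ssl (compare as text so both int and str ports match)
    if use_ldaps and str(self.port) == "7389":
        self.port = 7636
    # http://www.openldap.org/faq/data/cache/605.html
    self.protocol = "ldap"
    if use_ldaps:
        self.protocol = "ldaps"
        self.uri = "ldaps://%s:%s" % (self.host, self.port)
    elif uri:
        self.uri = uri
    else:
        self.uri = "ldap://%s:%s" % (self.host, self.port)
    if not decode_ignorelist:
        if not ucr:
            ucr = ConfigRegistry()
            ucr.load()
        self.decode_ignorelist = ucr.get("ldap/binaryattributes", "krb5Key,userCertificate;binary").split(",")
    else:
        self.decode_ignorelist = decode_ignorelist
    # python-ldap does not cache the credentials, so we override the
    # referral handling if follow_referral is set to true
    # https://forge.univention.org/bugzilla/show_bug.cgi?id=9139
    self.follow_referral = follow_referral
    self.__open(ca_certfile)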
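def get_ldap_master_connection(user_dn, bindpw='univention'):
    """Bind to the Master LDAP server (``ldap/master``) as *user_dn*.

    Test helper: the password defaults to the well-known test value
    ``'univention'`` to stay compatible with existing callers.

    NOTE(review): this is a hard-coded credential. It is only acceptable
    for disposable test domains; callers in any other context must pass
    *bindpw* explicitly (and not commit it).

    :param user_dn: bind DN.
    :param bindpw: bind password (default: the test domain password).
    :returns: a ``univention.uldap.access`` object.
    """
    ucr = ConfigRegistry()
    ucr.load()
    return univention.uldap.access(host=ucr.get('ldap/master'), port=int(ucr.get('ldap/master/port', '7389')), base=ucr.get('ldap/base'), binddn=user_dn, bindpw=bindpw)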
def config():
    """Test wide Configuration aka UCR

    Used to get some defaults if no environment variables are given.
    Returns the loaded registry as a plain dict, or an empty dict when
    ``univention.config_registry`` cannot be imported.
    """
    try:
        from univention.config_registry import ConfigRegistry
    except ImportError:
        return {}
    registry = ConfigRegistry()
    registry.load()
    return dict(registry)
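def postrun():
    """Invalidate nscd's group cache after a batch of changes.

    Only acts when UCR ``nscd/group/invalidate_cache_on_changes`` is true
    and ``nss/group/cachefile`` is false. Runs ``nscd -i group`` as root via
    ``listener.run``; failures are logged, not raised. Privileges are
    dropped in a ``finally`` so an exception in the logging or run call can
    no longer leave the listener running as uid 0 (previously ``unsetuid``
    followed the try/except), and the bare ``except:`` that also swallowed
    ``SystemExit``/``KeyboardInterrupt`` is narrowed to ``Exception``.
    """
    baseConfig = ConfigRegistry()
    baseConfig.load()
    if not (baseConfig.is_true('nscd/group/invalidate_cache_on_changes', False) and baseConfig.is_false('nss/group/cachefile', True)):
        return
    listener.setuid(0)
    try:
        univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, "calling 'nscd -i group'")
        listener.run('/usr/sbin/nscd', ['nscd', '-i', 'group'], uid=0)
    except Exception:
        univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "nscd -i group was not successful")
    finally:
        listener.unsetuid()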
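def getRootDnConnection(start_tls=2, decode_ignorelist=None, reconnect=True):
    """Open a LDAP connection to the local LDAP server with the LDAP root account.

    On a Master (``ldap/server/type`` == ``master``) this binds as
    ``cn=admin,<ldap/base>`` with ``/etc/ldap.secret``; on every other role
    as ``cn=update,<ldap/base>`` with the password from
    ``/etc/ldap/rootpw.conf``. Host is this machine's FQDN, port the first
    entry of ``slapd/port`` (default 7389).

    :param int start_tls: 0 = no TLS, 1 = try, 2 = require (default).
    :param decode_ignorelist: attribute names treated as binary; ``None``
        (the default) behaves like an empty list.
    :param bool reconnect: reconnect automatically on connection loss.
    :returns: an ``access`` object.
    """
    ucr = ConfigRegistry()
    ucr.load()
    if decode_ignorelist is None:
        decode_ignorelist = []
    port = int(ucr.get('slapd/port', '7389').split(',')[0])
    host = ucr['hostname'] + '.' + ucr['domainname']
    if ucr.get('ldap/server/type', 'dummy') == 'master':
        with open('/etc/ldap.secret') as secret:
            bindpw = secret.read().rstrip('\n')
        binddn = 'cn=admin,{0}'.format(ucr['ldap/base'])
    else:
        with open('/etc/ldap/rootpw.conf') as rootpw:
            line = rootpw.read().rstrip('\n')
        # Expected form: rootpw "<password>". Remove the keyword prefix once
        # and the closing quote. The previous .lstrip('rootpw "') treated its
        # argument as a character set and also stripped any leading 'r', 'o',
        # 't', 'p', 'w', ' ' or '"' characters of the password itself (and
        # .rstrip('"') removed every trailing quote), corrupting such passwords.
        bindpw = line.replace('rootpw "', '', 1)[:-1]
        binddn = 'cn=update,{0}'.format(ucr['ldap/base'])
    return access(host=host, port=port, base=ucr['ldap/base'], binddn=binddn, bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)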
def getMachineConnection(start_tls=2, decode_ignorelist=[], ldap_master=True, secret_file="/etc/machine.secret"):
    """Open an LDAP connection with the machine account (``ldap/hostdn``),
    password from *secret_file*; either to ``ldap/master`` or to
    ``ldap/server/name`` with ``ldap/server/addition`` as fallback.

    NOTE(review): in the Master branch ``lo`` is assigned but no ``return``
    is visible in this excerpt — presumably truncated. The secret file
    handle is never closed and ``bindpw[-1]`` raises IndexError on an empty
    file.
    """
    ucr = ConfigRegistry()
    ucr.load()
    bindpw = open(secret_file).read()
    if bindpw[-1] == "\n":
        bindpw = bindpw[0:-1]  # strip exactly one trailing newline
    if ldap_master:
        # Connect to DC Master
        port = int(ucr.get("ldap/master/port", "7389"))
        lo = access(
            host=ucr["ldap/master"],
            port=port,
            base=ucr["ldap/base"],
            binddn=ucr["ldap/hostdn"],
            bindpw=bindpw,
            start_tls=start_tls,
            decode_ignorelist=decode_ignorelist,
        )
    else:
        # Connect to ldap/server/name
        port = int(ucr.get("ldap/server/port", "7389"))
        try:
            lo = access(
                host=ucr["ldap/server/name"],
                port=port,
                base=ucr["ldap/base"],
                binddn=ucr["ldap/hostdn"],
                bindpw=bindpw,
                start_tls=start_tls,
                decode_ignorelist=decode_ignorelist,
            )
        except ldap.SERVER_DOWN, e:
            # ldap/server/name is down, try next server
            if not ucr.get("ldap/server/addition"):
                raise ldap.SERVER_DOWN, e
            # NOTE(review): UCR values are strings (the sibling implementations
            # call .split() on this variable), so this loop iterates over single
            # characters of the value rather than over host names.
            for server in ucr.get("ldap/server/addition", []):
                try:
                    lo = access(
                        host=server,
                        port=port,
                        base=ucr["ldap/base"],
                        binddn=ucr["ldap/hostdn"],
                        bindpw=bindpw,
                        start_tls=start_tls,
                        decode_ignorelist=decode_ignorelist,
                    )
                except ldap.SERVER_DOWN, e:
                    pass
                else:
                    return lo
            raise ldap.SERVER_DOWN, e
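def getAdminConnection(start_tls=2, decode_ignorelist=None, reconnect=True):
    """Open a LDAP connection to the Master (``ldap/master``) as ``cn=admin,<ldap/base>``.

    The password is read from ``/etc/ldap.secret``.

    :param int start_tls: 0 = no TLS, 1 = try, 2 = require (default).
    :param decode_ignorelist: attribute names treated as binary; ``None``
        (the default) behaves like an empty list.
    :param bool reconnect: reconnect automatically on connection loss.
    :returns: an ``access`` object.
    """
    ucr = ConfigRegistry()
    ucr.load()
    if decode_ignorelist is None:
        decode_ignorelist = []
    # Context manager so the secret file descriptor is closed promptly.
    with open('/etc/ldap.secret') as secret:
        bindpw = secret.read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    return access(host=ucr['ldap/master'], port=port, base=ucr['ldap/base'], binddn='cn=admin,' + ucr['ldap/base'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)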
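def get_query_limit(ucr=None):
    """Return the maximum number of entries an admin diary query may return.

    Reads UCR ``admin/diary/query/limit``; an unset, non-integer or
    negative value falls back to 1000.

    :param ucr: optional registry (or any mapping with ``get``) to read
        from; a fresh ``ConfigRegistry`` is loaded when omitted. Added so
        callers and tests can supply their own configuration.
    :returns: the limit as a non-negative ``int``.
    """
    if ucr is None:
        ucr = ConfigRegistry()
        ucr.load()
    default_limit = 1000
    raw = ucr.get('admin/diary/query/limit', '')
    try:
        limit = int(raw)
    except (TypeError, ValueError):
        # TypeError covers a None value from a mapping without the '' default.
        return default_limit
    return limit if limit >= 0 else default_limit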
def postrun():
    """Restart the DHCP server after a batch of listener changes.

    Acts only when UCR ``dhcpd/autostart`` and ``dhcpd/restart/listener``
    are both true; otherwise an INFO message explains how to enable it.
    A failed restart is logged at WARN level and not raised.
    """
    ucr = ConfigRegistry()
    ucr.load()
    if ucr.is_true("dhcpd/autostart", False):
        if ucr.is_true('dhcpd/restart/listener', False):
            ud.debug(ud.LISTENER, ud.INFO, 'DHCP: Restarting server')
            try:
                listener.run('/etc/init.d/univention-dhcp', ['univention-dhcp', 'restart'], uid=0)
            except Exception, e:
                # NOTE(review): logged to the ADMIN facility while the line above
                # uses LISTENER — looks inconsistent; confirm which is intended.
                ud.debug(ud.ADMIN, ud.WARN, 'The restart of the DHCP server failed: %s' % str(e))
        else:
            ud.debug(ud.ADMIN, ud.INFO, 'DHCP: the automatic restart of the dhcp server by the listener is disabled. Set dhcpd/restart/listener to true to enable this option.')
def create_udm_adconnection(cls, alias, description=""):
    """Create an ``office365/ad-connection`` UDM object.

    The object is named *alias* and placed below
    ``cn=ad-connections,cn=office365,<ldap/base>``; *description* is
    stored as-is. Returns the DN of the created object.
    """
    ucr = ConfigRegistry()
    ucr.load()
    lo, _default_position, module = cls.init_udm("office365/ad-connection")
    container = "cn=ad-connections,cn=office365,%s" % ucr["ldap/base"]
    position = univention.admin.uldap.position(container)
    connection = module.object(co=None, lo=lo, position=position)
    connection.open()
    connection['name'] = alias
    connection['description'] = description
    return connection.create()
class TransactionalUcr(object):
    """UCR wrapper that collects variable changes and writes them on commit().

    Usable as a context manager: leaving the ``with`` block without an
    exception commits; an exception discards nothing but commits nothing.
    """

    def __init__(self):
        self.ucr = ConfigRegistry()
        self.ucr.load()
        self.changes = {}

    def set(self, key, value):
        """Record *value* for *key*; nothing is written until commit().

        Setting a key back to its stored value drops any pending change
        for it instead of recording a no-op.
        """
        if self.ucr.get(key) == value:
            self.changes.pop(key, None)
            return
        self.changes[key] = value

    def commit(self):
        """Write all pending changes via ucr_update() and clear them.

        Does nothing when no change is pending, so it is safe to call
        repeatedly (it is called automatically by __exit__ on success).
        """
        if not self.changes:
            return
        ucr_update(self.ucr, self.changes)
        self.changes.clear()

    def get(self, key, search_in_changes=True):
        """Return the value of *key*.

        With *search_in_changes* (default) a pending, uncommitted value
        wins over the stored one.
        """
        if search_in_changes and key in self.changes:
            return self.changes[key]
        return self.ucr.get(key)

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc_value, traceback):
        if exc_type is None:
            self.commit()
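def getAdminConnection(start_tls=2, decode_ignorelist=None):
    """Open a LDAP connection to the Master (``ldap/master``) as ``cn=admin,<ldap/base>``.

    The password is read from ``/etc/ldap.secret``; exactly one trailing
    newline is removed, as before, but without indexing into a possibly
    empty string.

    :param int start_tls: 0 = no TLS, 1 = try, 2 = require (default).
    :param decode_ignorelist: attribute names treated as binary; ``None``
        (the default) behaves like an empty list.
    :returns: an ``access`` object.
    """
    ucr = ConfigRegistry()
    ucr.load()
    if decode_ignorelist is None:
        decode_ignorelist = []
    # Context manager so the secret file descriptor is closed promptly.
    with open("/etc/ldap.secret") as secret:
        bindpw = secret.read()
    if bindpw.endswith("\n"):
        bindpw = bindpw[:-1]
    port = int(ucr.get("ldap/master/port", "7389"))
    return access(
        host=ucr["ldap/master"],
        port=port,
        base=ucr["ldap/base"],
        binddn="cn=admin," + ucr["ldap/base"],
        bindpw=bindpw,
        start_tls=start_tls,
        decode_ignorelist=decode_ignorelist,
    )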
def handler(dn, new, old):
    """Called on each change.

    Maintains UCR ``uvmm/managers`` (a space separated host list): the
    FQDN of a host object is removed when the old object provided one of
    ``service_names`` and added when the new one does. ``service_names``
    and ``need_restart`` are module globals defined outside this excerpt.
    The FQDN is ``cn`` plus ``associatedDomain`` (falling back to UCR
    ``domainname``); ``cn`` itself is accessed unconditionally and would
    raise KeyError if missing. UCR is only written (as root) when the
    host name actually changed, and ``need_restart`` is then set.
    """
    ucr = ConfigRegistry()
    ucr.load()
    value = ucr.get('uvmm/managers', '')
    debug.debug(debug.LISTENER, debug.ALL, "old hosts: %s" % value)
    tls_allowed_dn_list = value.split()
    old_host = None
    if old and service_names & set(old.get('univentionService', [])):
        try:
            domain = old['associatedDomain'][0]
        except KeyError:
            domain = ucr.get('domainname')
        old_host = "%s.%s" % (old['cn'][0], domain)
        if old_host in tls_allowed_dn_list:
            debug.debug(debug.LISTENER, debug.INFO, "removing host %s" % (old_host,))
            tls_allowed_dn_list.remove(old_host)
    new_host = None
    if new and service_names & set(new.get('univentionService', [])):
        try:
            domain = new['associatedDomain'][0]
        except KeyError:
            domain = ucr.get('domainname')
        new_host = "%s.%s" % (new['cn'][0], domain)
        debug.debug(debug.LISTENER, debug.INFO, "+uvmm %s" % (new_host,))
        if new_host not in tls_allowed_dn_list:
            debug.debug(debug.LISTENER, debug.INFO, "adding host %s" % (new_host,))
            tls_allowed_dn_list.append(new_host)
    if old_host != new_host:
        value = ' '.join(tls_allowed_dn_list)
        debug.debug(debug.LISTENER, debug.ALL, "new hosts: %s" % value)
        key_value = 'uvmm/managers=%s' % (value,)
        listener.setuid(0)
        try:
            handler_set([key_value])
            global need_restart
            need_restart = True
        finally:
            listener.unsetuid()
import os
import re
import shlex
import string
import sys

# Univention Config Registry, loaded once at import time. ConfigRegistry is
# presumably imported above this excerpt.
ucr = ConfigRegistry()

# Module-wide state filled while parsing: included files, share sections,
# the global section and printer sections.
include = set()
shares = {}
globals = {}  # NOTE: shadows the builtin globals(); name kept for compatibility
printers = {}

ucr.load()


class Restrictions(dict):
    """Access restrictions of one section, keyed by the smb.conf option name.

    All four options start out as ``None``; ``name`` is the section name.
    """

    INVALID_USERS = 'invalid users'
    VALID_USERS = 'valid users'
    HOSTS_DENY = 'hosts deny'
    HOSTS_ALLOW = 'hosts allow'

    def __init__(self, name):
        options = (
            Restrictions.INVALID_USERS,
            Restrictions.VALID_USERS,
            Restrictions.HOSTS_DENY,
            Restrictions.HOSTS_ALLOW,
        )
        super(Restrictions, self).__init__(dict.fromkeys(options, None))
        self.name = name
class TestEnvironment(object):
    """Test environment for running test cases.

    Gathers the facts a run depends on -- host name and architecture, UCR
    role and version, join status and the APT cache -- and holds the tag
    filters, the maximum exposure level and the log file handle.
    """

    logger = logging.getLogger('test.env')

    def __init__(self, interactive=True, logfile=None):
        """Probe the host; *logfile* defaults to the null device."""
        self.exposure = 'safe'
        self.interactive = interactive
        self._load_host()
        self._load_ucr()
        self._load_join()
        self._load_apt()
        # Interactive runs filter nothing (None); batch runs start with an
        # empty required set and skip SKIP/WIP tests.
        if interactive:
            self.tags_required = self.tags_prohibited = None
        else:
            self.tags_required = set()
            self.tags_prohibited = set(('SKIP', 'WIP'))
        self.log = open(logfile or os.path.devnull, 'a')

    def _load_host(self):
        """Record host name and machine architecture from uname()."""
        uname = os.uname()
        self.hostname = uname[1]
        self.architecture = uname[4]

    def _load_ucr(self):
        """Load role and UCS version from the Univention Config Registry."""
        self.ucr = ConfigRegistry()
        self.ucr.load()
        self.role = self.ucr.get('server/role', '')
        TestEnvironment.logger.debug('Role=%r' % self.role)
        parts = self.ucr.get('version/version').split('.', 1)
        major = int(parts[0])
        minor = int(parts[1])
        patchlevel = int(self.ucr.get('version/patchlevel'))
        # Before 3.0 the fourth component is the security patch level,
        # from 3.0 on the errata level.
        if (major, minor) < (3, 0):
            level = int(self.ucr.get('version/security-patchlevel', 0))
        else:
            level = int(self.ucr.get('version/erratalevel', 0))
        self.ucs_version = UCSVersion((major, minor, patchlevel, level))
        TestEnvironment.logger.debug('Version=%r' % self.ucs_version)

    def _load_join(self):
        """Record whether the host is joined (exit status 0 of the join check)."""
        with open(os.path.devnull, 'w+') as devnull:
            status = call(('/usr/sbin/univention-check-join-status',), stdin=devnull, stdout=devnull, stderr=devnull)
            self.joined = status == 0
        TestEnvironment.logger.debug('Join=%r' % self.joined)

    def _load_apt(self):
        """Open the APT package cache."""
        self.apt = apt.Cache()

    def dump(self, stream=sys.stdout):
        """Write one ``label: value`` line per environment field to *stream*."""
        fields = (
            ('hostname', self.hostname),
            ('architecture', self.architecture),
            ('version', self.ucs_version),
            ('role', self.role),
            ('joined', self.joined),
        )
        for label, value in fields:
            stream.write('%s: %s\n' % (label, value))
        # A None filter (interactive mode) cannot be joined; this raises as before.
        stream.write('tags_required: %s\n' % (' '.join(self.tags_required) or '-',))
        stream.write('tags_prohibited: %s\n' % (' '.join(self.tags_prohibited) or '-',))

    def tag(self, require=set(), ignore=set(), prohibit=set()):
        """Update required, ignored, prohibited tags.

        *ignore* is removed from both filters, *require* is added to the
        required set and *prohibit* to the prohibited set. A filter that is
        None (interactive mode) is left untouched. The default sets are only
        read, never mutated.
        """
        dropped = set(ignore)
        if self.tags_required is not None:
            self.tags_required -= dropped
            self.tags_required |= set(require)
        if self.tags_prohibited is not None:
            self.tags_prohibited -= dropped
            self.tags_prohibited |= set(prohibit)
        TestEnvironment.logger.debug('tags_required=%r tags_prohibited=%r' % (self.tags_required, self.tags_prohibited))

    def set_exposure(self, exposure):
        """Set maximum allowed exposure level."""
        self.exposure = exposure
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

from univention.config_registry import ConfigRegistry

configRegistry = ConfigRegistry()
configRegistry.load()

# Common apt-get invocation shared by the upgrade defaults below: keep the
# local configuration file on conflict (--force-confold), let packages
# overwrite files/directories owned by other packages (--force-overwrite*),
# never prompt (--assume-yes) and stay quiet. A UCR value, when set, replaces
# the whole command line, so a custom value has to carry its own options.
_APT_GET = 'apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1'

# Update package cache
cmd_update = configRegistry.get('update/commands/update', 'apt-get update')

# Show package information
cmd_show = configRegistry.get('update/commands/show', 'apt-cache show')

# Upgrade only installed packages; the *_sim variant adds -s (simulate)
cmd_upgrade = configRegistry.get('update/commands/upgrade', _APT_GET + ' -u upgrade')
cmd_upgrade_sim = configRegistry.get('update/commands/upgrade/simulate', _APT_GET + ' -us upgrade')

# Upgrade system, may install new packages to satisfy dependencies
cmd_dist_upgrade = configRegistry.get('update/commands/distupgrade', _APT_GET + ' -u dist-upgrade')
cmd_dist_upgrade_sim = configRegistry.get('update/commands/distupgrade/simulate', _APT_GET + ' -us dist-upgrade')
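def _mailserver_attribute():
    """Return the lower-cased name of the mail server attribute, or None if unset.

    The name comes from ``conf`` (section ``ldap``, option
    ``mailserver_attribute``). The original lower-cased the value *before*
    testing it for None, so a missing option raised AttributeError instead of
    being reported; the check now comes first and the error is logged here.
    """
    name = conf.get('ldap', 'mailserver_attribute')
    if name is None:
        log.error("Mail server attribute is not set")
        # TODO: Perhaps, query for IMAP servers. If there is only one,
        # we know what to do.
        return None
    return name.lower()


def _sync(auth, change_type, dn, entry):
    """Hand one change to the auth backend's synchronize callback."""
    auth._auth._synchronize_callback(
        change_type=change_type,
        previous_dn=None,
        change_number=None,
        dn=dn,
        entry=entry,
    )


def _handle_modify(auth, dn, new, old):
    """Modify: synchronise only if the *current* (old) mail server is this host."""
    log.info("Modify entry %r" % (dn,))
    attribute = _mailserver_attribute()
    if attribute is None:
        return
    if attribute in old:
        # new.get(): the original indexed new[attribute] and raised KeyError
        # when the attribute was removed by this very modification.
        log.info("Modified entry %r has mail server attribute %s: %r" % (dn, attribute, new.get(attribute)))
        if not old[attribute] == constants.fqdn:
            # Even though the new mailserver can be us, it is the
            # *current* mail server that needs to push for the XFER.
            log.info("The mail server for user %r is set, and it is not me (%r)" % (dn, old[attribute]))
            return
    elif attribute in new:
        # If old has no mailserver attribute, but new does, we need to create
        # the user locally.
        if not new[attribute] == constants.fqdn:
            log.info("The mail server for user %r is set (in new, not old), but it is not me (%r)" % (dn, new[attribute]))
            return
    else:
        log.info("Entry %r does not have a mail server attribute." % (dn,))
        return
    _sync(auth, 'modify', dn, new)


def _handle_delete(auth, dn, old):
    """Delete: remove the mailbox unless another host owned it or UCR opts out."""
    log.info("Delete entry %r" % (dn,))
    attribute = _mailserver_attribute()
    if attribute is None:
        return
    if attribute in old:
        log.info("Deleted entry %r has mail server attribute %s: %r" % (dn, attribute, old[attribute]))
        if not old[attribute] == constants.fqdn:
            log.info("The mail server for user %r is set, and it is not me (%r)" % (dn, old[attribute]))
            return
    else:
        # Deliberately no return: a deletion without the attribute is still
        # honoured below (unchanged from the original).
        log.info("Entry deletion notification for %r does not have a mail server attribute specified." % (dn,))
    cfg = ConfigRegistry()
    cfg.load()
    # Mailbox removal can be switched off via UCR; it defaults to on.
    if cfg.is_true('mail/cyrus/mailbox/delete', True):
        _sync(auth, 'delete', dn, old)


def _handle_add(auth, dn, new):
    """Add: create the entry locally only if its mail server is this host."""
    log.info("Add entry %r" % (dn,))
    attribute = _mailserver_attribute()
    if attribute is None:
        return
    if attribute in new:
        log.info("Added entry %r has mail server attribute %s: %r" % (dn, attribute, new[attribute]))
        if not new[attribute] == constants.fqdn:
            log.info("The mail server for user %r is set, and it is not me (%r)" % (dn, new[attribute]))
            return
    else:
        log.info("Added entry %r does not have a mail server attribute set." % (dn,))
        return
    _sync(auth, 'add', dn, new)


def handler(*args, **kw):
    """Listener entry point for LDAP changes relevant to the local Kolab mail setup.

    The listener calls this with ``(dn, new, old)`` for add/modify/delete and
    with four positional arguments for a rename (moddn). ``new``/``old`` are
    passed through ``utils.normalize``; an empty or non-dict value means the
    entry did not exist on that side. Only entries whose mail server attribute
    equals this host (``constants.fqdn``) are synchronised; everything else is
    logged and ignored.

    NOTE(review): that equality test is the only gate deciding whether this
    host creates or deletes a mailbox. The attribute's value shape after
    ``utils.normalize`` (string vs. list) is not visible here -- confirm
    against the caller, since a list would never compare equal to the FQDN.

    :param args: ``(dn, new, old)`` or ``(dn, new, old, command)``.
    :param kw: logged only.
    """
    log.info("kolab.handler(args(%d): %r, kw: %r)" % (len(args), args, kw))
    auth = Auth()
    auth.connect()

    if len(args) == 4:
        # moddn: (dn, new, old, command). Renames are not synchronised yet.
        # The original indexed args[4], which does not exist for four
        # arguments, so every rename raised IndexError; it is now ignored.
        return
    if len(args) != 3:
        # Unknown calling convention: nothing to do, as before.
        return

    dn = args[0]
    new = utils.normalize(args[1])
    old = utils.normalize(args[2])
    old_exists = isinstance(old, dict) and len(old) > 0
    new_exists = isinstance(new, dict) and len(new) > 0

    if old_exists:
        # Two options:
        # - entry changed
        # - entry deleted
        log.info("user %r, old is dict" % (dn,))
        if new_exists:
            _handle_modify(auth, dn, new, old)
        else:
            _handle_delete(auth, dn, old)
    elif new_exists:
        # Old is not a dict (or empty), so the entry is just created
        _handle_add(auth, dn, new)
    else:
        log.info("entry %r changed, but no new or old attributes" % (dn,))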
import ldap
from univention.config_registry import ConfigRegistry
from ldap.controls import LDAPControl
import ldap.modlist as modlist

# Prefer the AD connector's helper, then the S4 connector's; without either,
# DNs are used as they are.
try:
    from univention.connector.ad import compatible_modstring
except ImportError as e:
    try:
        from univention.s4connector.s4 import compatible_modstring
    except ImportError as e:
        def compatible_modstring(dn):
            """Fallback when no connector is installed: return *dn* unchanged."""
            return dn

baseConfig = ConfigRegistry()
baseConfig.load()


def get_rdn(dn):
    """Return the leading RDN of *dn*, i.e. everything before the first comma.

    A DN without a comma is returned unchanged. NOTE: this is a plain string
    split -- a comma escaped inside an RDN value (``cn=Doe\\, John``) is not
    recognised, so use it on DNs as stored in the directory rather than on
    untrusted input.
    """
    return dn.split(',', 1)[0]


def get_parent_dn(dn):
    """Return the part of *dn* after the first comma, or None if there is none.

    Same caveat as ``get_rdn``: escaped commas are not handled.
    """
    parts = dn.split(',', 1)
    if len(parts) < 2:
        return None
    return parts[1]


class LDAPConnection(object):