def setprimarygroup(self, user_dn, group_dn):
    """Make *group_dn* the primary group of *user_dn*.

    Reads the objectSid of the group entry, takes its last dash-separated
    component (the RID) and writes that, UTF-8 encoded, into the user's
    ``primaryGroupID`` attribute via ``self.set_attribute``.

    :param user_dn: DN of the user entry to change.
    :param group_dn: DN of the group whose RID becomes the primary group ID.
    :raises AttributeError: if the decoded SID contains no '-' (no regex match).
    """
    import re

    group_entry = self.lo.search_ext_s(group_dn, ldap.SCOPE_BASE, timeout=10)
    sid_text = s4.decode_sid(group_entry[0][1]['objectSid'][0])
    # the greedy first group swallows everything up to the last '-', so
    # group 2 is the trailing RID
    rid_match = re.search('^(.*)-(.*?)$', sid_text)
    rid = rid_match.group(2)
    self.set_attribute(user_dn, 'primaryGroupID', rid.encode('UTF-8'))
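def sid_to_ucs(s4connector, key, s4_object):
    """Copy the objectSid of a Samba 4 object into the matching UCS object.

    Only active when the UCR variable ``connector/s4/mapping/sid`` is false;
    the SID is then stored in ``univentionSamba4SID`` and the objectClasses
    ``sambaSamAccount`` (users) / ``sambaGroupMapping`` (groups) are added to
    the UCS entry as needed.  When the variable is not false the function
    returns at once because the direct attribute mapping handles the SID.

    :param s4connector: connector providing ``configRegistry`` and the UCS
        LDAP connection ``lo.lo``.
    :param key: mapping key; unused, kept for the mapping-function signature.
    :param s4_object: dict with the already mapped UCS ``dn`` and the S4
        ``attributes``.
    :returns: None.
    """
    ud.debug(ud.LDAP, ud.INFO, "sid_to_ucs S4 object: %r" % s4_object)
    ud.debug(ud.LDAP, ud.INFO, "sid_to_ucs S4 key: %r" % key)

    if not s4connector.configRegistry.is_false('connector/s4/mapping/sid', False):
        # This case will be handled by direct mapping
        return
    ud.debug(ud.LDAP, ud.INFO, 'sid_to_ucs: SID mapping is disabled via UCR: connector/s4/mapping/sid')
    sidAttribute = 'univentionSamba4SID'

    # object dn is already mapped to the UCS DN:
    ucs_dn = s4_object.get('dn')
    if not ucs_dn:
        return  # ignore
    ud.debug(ud.LDAP, ud.INFO, "sid_to_ucs: UCS DN %s" % ucs_dn)

    raw_sid = s4_object['attributes'].get('objectSid', [None])[0]
    if not raw_sid:
        ud.debug(ud.LDAP, ud.INFO, 'sid_to_ucs: objectSid not found in attributes!')
        return
    objectSid = decode_sid(raw_sid)
    ud.debug(ud.LDAP, ud.INFO, 'sid_to_ucs: objectSid found: %r' % (objectSid, ))

    # check for an empty result BEFORE indexing; the old "if not ucs_dn"
    # after [0] could never trigger because [0] raised IndexError first
    result = s4connector.lo.lo.search(base=ucs_dn, scope='base', attr=[sidAttribute, 'objectClass'])
    if not result or not result[0][0]:
        ud.debug(ud.LDAP, ud.WARN, 'sid_to_ucs: UCS object (%s) not found' % ucs_dn)
        return
    (ucs_dn, ucs_attributes) = result[0]

    ml = []
    sambaSID = ucs_attributes.get(sidAttribute)
    # NOTE(review): the comparison uses the decoded SID text but the new value
    # written is the raw attribute value from the S4 object -- confirm both are
    # the textual form, otherwise this modlist is re-applied on every sync
    if not sambaSID or objectSid.encode('ASCII') not in sambaSID:
        ml.append((sidAttribute, sambaSID, s4_object['attributes'].get('objectSid')))

    s4_ocs = s4_object['attributes'].get('objectClass', [])
    # default to [] so a missing objectClass cannot raise TypeError below
    ucs_ocs = ucs_attributes.get('objectClass', [])
    if b'user' in s4_ocs and b'sambaSamAccount' not in ucs_ocs:
        ml.append(('objectClass', ucs_ocs, ucs_ocs + [b'sambaSamAccount']))
    if b'group' in s4_ocs and b'sambaGroupMapping' not in ucs_ocs:
        ml.append(('objectClass', ucs_ocs, ucs_ocs + [b'sambaGroupMapping']))

    if ml:
        ud.debug(ud.LDAP, ud.INFO, 'sid_to_ucs: modlist = %r' % (ml, ))
        s4connector.lo.lo.modify(ucs_dn, ml)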
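def sid_to_s4(s4connector, key, object):
    """Push the SID stored in the UCS object into the Samba 4 object's objectSid.

    Only active when the UCR variable ``connector/s4/mapping/sid`` is false
    (the SID then lives in ``univentionSamba4SID``); otherwise the direct
    mapping handles it.  Nothing is written when the S4 objectSid already
    equals the UCS value.  Rewriting objectSid is only accepted by Samba under
    the "provision" LDB control, so this is a privileged write that changes the
    identity of the S4 object; the caller's connection must be allowed to do it.

    :param s4connector: connector providing ``configRegistry`` and the S4 LDAP
        connection ``lo_s4.lo``.
    :param key: mapping key; unused, kept for the mapping-function signature.
    :param object: dict with the already mapped S4 ``dn`` and the UCS
        ``attributes``.
    :returns: None.
    """
    ud.debug(ud.LDAP, ud.INFO, "sid_to_s4 object: %s" % object)

    if not s4connector.configRegistry.is_false('connector/s4/mapping/sid', False):
        # This case will be handled by direct mapping
        return
    ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: SID mapping is disabled via UCR: connector/s4/mapping/sid')
    sidAttribute = 'univentionSamba4SID'

    # object dn was already mapped to the s4 DN:
    s4_dn = object['dn']

    if sidAttribute not in object['attributes']:
        ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: UCS object does not have a %s' % sidAttribute)
        return
    sambaSID = object['attributes'][sidAttribute][0].decode('ASCII')

    # get the ad sid; the filter only matches when the entry carries an
    # objectSid, so an empty result must be handled instead of indexing [0]
    result = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE, '(objectSid=*)', ['objectSid'])
    if not result:
        ud.debug(ud.LDAP, ud.WARN, 'sid_to_s4: S4 object (%s) not found or without objectSid' % s4_dn)
        return
    (s4_dn, s4_attributes) = result[0]
    objectSid = s4_attributes.get('objectSid')
    # bind decoded_s4_sid in every path; the log line below reads it
    decoded_s4_sid = decode_sid(objectSid[0]) if objectSid else None
    if decoded_s4_sid == sambaSID:
        ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: objectSid and %s are equal' % sidAttribute)
        return

    # change objectSID
    # http://serverfault.com/questions/53717/how-can-i-change-the-sid-of-a-user-account-in-the-active-directory
    # http://technet.microsoft.com/en-us/library/cc961998.aspx
    ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: changing objectSid from %r to %r' % (decoded_s4_sid, sambaSID))
    new_objectSid_ndr = ndr_pack(security.dom_sid(sambaSID))
    modlist = [(ldap.MOD_REPLACE, 'objectSid', new_objectSid_ndr)]

    # objectSid modification for an Samba4 object is only possible with the "provision" control:
    LDB_CONTROL_PROVISION_OID = '1.3.6.1.4.1.7165.4.3.16'
    controls = [LDAPControl(LDB_CONTROL_PROVISION_OID, criticality=0)]
    s4connector.lo_s4.lo.modify_ext_s(s4_dn, modlist, serverctrls=controls)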
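def getprimarygroup(self, user_dn):
    """Return the DN of the group whose SID ends in the user's primaryGroupID.

    Reads ``primaryGroupID`` from *user_dn*, then scans every ``group`` entry
    below ``self.adldapbase`` for the one whose decoded objectSid ends in
    ``-<primaryGroupID>``.

    :param user_dn: DN of the user entry.
    :returns: DN of the matching group, or None when the user entry cannot be
        read or no group matches.
    """
    import re

    try:
        res = self.lo.search_ext_s(user_dn, ldap.SCOPE_BASE, timeout=10)
    except Exception:
        # deliberate best effort: an unreadable user has no primary group
        return None
    primaryGroupID = res[0][1]['primaryGroupID'][0].decode('UTF-8')

    # the directory value is interpolated into a pattern: escape it so that it
    # is matched literally and cannot alter the regex
    regex = re.compile('^(.*?)-%s$' % re.escape(primaryGroupID))
    groups = self.lo.search_ext_s(self.adldapbase, ldap.SCOPE_SUBTREE, 'objectClass=group', timeout=10)
    for dn, attrs in groups:
        if dn is None or dn == 'None':
            continue  # Referral
        sid_values = attrs.get('objectSid')
        if not sid_values:
            continue  # group without objectSid cannot be the primary group
        if regex.search(s4.decode_sid(sid_values[0])):
            return dn
    return None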
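def getprimarygroup(self, user_dn):
    """Return the DN of the group whose SID ends in the user's primaryGroupID.

    Reads ``primaryGroupID`` from *user_dn*, then scans every ``group`` entry
    below ``self.adldapbase`` for the one whose decoded objectSid ends in
    ``-<primaryGroupID>``.

    :param user_dn: DN of the user entry.
    :returns: DN of the matching group, or None when the user entry cannot be
        read or no group matches.
    """
    import re

    try:
        res = self.lo.search_ext_s(user_dn, ldap.SCOPE_BASE, timeout=10)
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit;
        # the best-effort "no primary group" result is kept for real errors
        return None
    primaryGroupID = res[0][1]['primaryGroupID'][0]

    # the directory value is interpolated into a pattern: escape it so that it
    # is matched literally and cannot alter the regex
    regex = re.compile('^(.*?)-%s$' % re.escape(primaryGroupID))
    groups = self.lo.search_ext_s(self.adldapbase, ldap.SCOPE_SUBTREE, 'objectClass=group'.encode('utf8'), timeout=10)
    for dn, attrs in groups:
        if dn is None or dn == 'None':
            continue  # Referral
        sid_values = attrs.get('objectSid')
        if not sid_values:
            continue  # group without objectSid cannot be the primary group
        if regex.search(s4.decode_sid(sid_values[0])):
            return dn
    return None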
def sid_to_ucs_mapping(s4connector, key, s4_object):
    """Map the S4 objectSid to its UCS value: the RID as ASCII bytes.

    Decodes the first ``objectSid`` value of *s4_object* and returns the part
    after the last '-' in a one-element list, as the mapping interface expects.

    :param s4connector: connector instance; unused here.
    :param key: mapping key; unused here.
    :param s4_object: dict whose ``attributes['objectSid'][0]`` is decoded.
    :returns: ``[rid_bytes]``.
    """
    ud.debug(ud.LDAP, ud.INFO, "sid_to_ucs_mapping")
    sid_text = decode_sid(s4_object['attributes']['objectSid'][0])
    rid = sid_text.rsplit('-', 1)[-1]
    return [rid.encode('ASCII')]
def setprimarygroup(self, user_dn, group_dn):
    """Make *group_dn* the primary group of *user_dn*.

    Reads the objectSid of the group entry, takes its last dash-separated
    component (the RID) and writes it into the user's ``primaryGroupID``
    attribute via ``self.set_attribute``.

    :param user_dn: DN of the user entry to change.
    :param group_dn: DN of the group whose RID becomes the primary group ID.
    :raises AttributeError: if the decoded SID contains no '-' (no regex match).
    """
    import re

    group_entry = self.lo.search_ext_s(group_dn, ldap.SCOPE_BASE, timeout=10)
    sid_text = s4.decode_sid(group_entry[0][1]['objectSid'][0])
    # greedy first group stops at the last '-', so group 2 is the trailing RID
    rid = re.search('^(.*)-(.*?)$', sid_text).group(2)
    self.set_attribute(user_dn, 'primaryGroupID', rid)
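def con2ucs(s4connector, key, object):
    """Sync the domain-level settings of a Samba 4 DC object into UCS.

    Two independent parts:

    1. The ``sambaDomain`` UDM object whose ``sambaSID`` equals the DC's
       objectSid receives the password/lockout policy values (``maxPwdAge``,
       ``minPwdAge``, ``lockoutDuration``, ``pwdHistoryLength``,
       ``minPwdLength``, ``pwdProperties``).  This is skipped unless exactly
       one sambaDomain object matches (more than one is logged as a warning).
    2. If UCR ``connector/s4/mapping/gpo`` is true, the S4 ``gPLink`` is
       mirrored into ``msGPOLink`` of the UCS base object, adding the ``msGPO``
       objectClass when needed.

    :param s4connector: connector providing ``lo`` (UCS LDAP) and ``configRegistry``.
    :param key: mapping key; unused, kept for the mapping-function signature.
    :param object: dict with ``dn`` and the S4 ``attributes``.
    :returns: True.
    """
    ud.debug(ud.LDAP, ud.INFO, 'dc con2ucs: Object (%s): %s' % (object['dn'], object))

    _sync_domain_policy(s4connector, object)
    if s4connector.configRegistry.is_true('connector/s4/mapping/gpo', True):
        _sync_gpo_link(s4connector, object)
    return True


def _sync_domain_policy(s4connector, object):
    """Copy the password/lockout policy of the S4 DC object into the matching sambaDomain object."""
    # Search sambaDomainname object via sambaSID
    object_sid = decode_sid(object['attributes']['objectSid'][0])
    matches = univention.admin.handlers.settings.sambadomain.lookup(
        None, s4connector.lo, format_escaped('sambaSID={0!e}', object_sid))
    if len(matches) > 1:
        ud.debug(ud.LDAP, ud.WARN, 'dc con2ucs: Found more than one sambaDomainname object with sambaSID %r' % (object_sid, ))
        return
    if not matches:
        return
    # exactly one match: only then is there an object to update (the list
    # itself has no .get/.modify, so the zero/many cases must stop here)
    sambadomain = matches[0]

    # Do we modify this UCS object
    modify = False

    sync_times = [('maxPasswordAge', 'maxPwdAge'), ('minPasswordAge', 'minPwdAge'), ('lockoutDuration', 'lockoutDuration')]
    for ucs_attr, s4_attr in sync_times:
        ucs_time = _unixTimeInverval2seconds(sambadomain.get(ucs_attr, 0))
        # the S4 value is negated before _nano2s converts it to seconds
        s4_time = _nano2s(int(object['attributes'].get(s4_attr, [0])[0]) * -1)
        if ucs_time != s4_time:
            sambadomain[ucs_attr] = [str(s4_time), 'seconds']
            modify = True

    sync_integers = [('passwordHistory', 'pwdHistoryLength'), ('passwordLength', 'minPwdLength'), ('domainPwdProperties', 'pwdProperties')]
    for ucs_attr, s4_attr in sync_integers:
        s4_raw = object['attributes'].get(s4_attr, [None])[0]
        if s4_raw is None:
            continue  # attribute absent on the DC object: nothing to copy (was None.decode -> AttributeError)
        s4_val = s4_raw.decode('UTF-8')
        # compare the decoded text with the UDM value; comparing the raw bytes
        # against a str never matched and forced a modify() on every sync
        # NOTE(review): assumes UDM .get() returns the property as str -- confirm
        if sambadomain.get(ucs_attr, 0) != s4_val:
            sambadomain[ucs_attr] = s4_val
            modify = True

    if modify:
        sambadomain.modify()


def _sync_gpo_link(s4connector, object):
    """Mirror the S4 gPLink of the DC object into msGPOLink of the UCS base object."""
    # Search DC object via ldap search
    dn, attr = s4connector.lo.search('objectClass=*', scope='base')[0]
    ucs_val = attr.get('msGPOLink')
    s4_val = object['attributes'].get('gPLink')
    if ucs_val == s4_val:
        return
    ml = []
    if b'msGPO' not in attr.get('objectClass', []):
        ml.append(('objectClass', b'', b'msGPO'))
    ml.append(('msGPOLink', ucs_val, s4_val))
    s4connector.lo.modify(dn, ml)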