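def handler(dn, new, old, cmd):
    """Rebuild the client bundle of every VPN user after a server object changed.

    Reads ``cn``, ``univentionOpenvpnPort`` and ``univentionOpenvpnAddress``
    from ``new``. If all three are present, it searches the directory for
    entries with ``univentionOpenvpnAccount=1`` and runs ``create-bundle``
    once per user that has both a ``uid`` and a home directory.

    Args:
        dn: DN of the changed object (not used here).
        new: Attribute dict of the object after the change.
        old: Attribute dict of the object before the change (not used here).
        cmd: Listener command code; ``'n'`` is ignored.
    """
    ud.debug(ud.LISTENER, ud.INFO, '2 master2 handler')

    if cmd == 'n':
        return

    name = new.get('cn', [None])[0]
    port = new.get('univentionOpenvpnPort', [None])[0]
    addr = new.get('univentionOpenvpnAddress', [None])[0]

    if not name or not port or not addr:
        return

    # addr is non-empty at this point; a ':' in it selects the IPv6 transport.
    # The value is the same for every user, so it is computed once.
    proto = 'udp6' if addr.count(':') else 'udp'

    listener.setuid(0)
    try:
        lo = ul.getMachineConnection()
        vpnusers = lo.search('(univentionOpenvpnAccount=1)')

        # The outer finally drops the elevated uid on this early exit as well;
        # previously this return left the process running with uid 0.
        if not univention_openvpn_common.check_user_count(2):
            return          # do nothing

        for user in vpnusers:
            uid = user[1].get('uid', [None])[0]
            home = user[1].get('homeDirectory', ['/dev/null'])[0]
            ud.debug(ud.LISTENER, ud.INFO, '2 Create new certificate for %s in %s' % (uid, home))

            if uid and home:
                # update bundle for this openvpn server with new config
                # uid/home/name/addr/port are directory-supplied values handed
                # to a helper that runs as root; they are passed as separate
                # argv entries, not as one command string.
                # NOTE(review): confirm create-bundle validates the home path.
                try:
                    listener.run('/usr/lib/openvpn-int/create-bundle', ['create-bundle', 'no', uid, home, name, addr, port, proto], uid=0)
                finally:
                    # NOTE(review): privileges are dropped after the first run,
                    # so later iterations rely on listener.run(uid=0) elevating
                    # on its own -- confirm.
                    listener.unsetuid()
    finally:
        # Always leave the handler unprivileged, also when the LDAP connection,
        # the search or the helper raises.
        listener.unsetuid()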
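def handler(dn, new, old, command):
    """Decide the pending service action for this host's OpenVPN server object.

    Sets the module-level ``action`` to ``'restart'``, ``'stop'`` or ``None``
    and, when the object has just become active, renames the disabled server
    configuration back into place.

    Args:
        dn: DN of the changed object (not used here).
        new: Attribute dict of the object after the change.
        old: Attribute dict of the object before the change.
        command: Listener command code; ``'n'`` clears ``action`` and returns.
    """
    ud.debug(ud.LISTENER, ud.INFO, '3 server handler')
    global action
    if command == 'n':
        action = None
        return

    if 'univentionOpenvpnActive' in new:
        action = 'restart'
    else:
        action = 'stop'

    # Only the object whose cn equals this host's name is handled here.
    cn = new.get('cn', [None])[0]
    myname = listener.baseConfig['hostname']
    if cn != myname:
        action = None
        return

    if not univention_openvpn_common.check_user_count(3):
        # No setuid() precedes this call in the handler; it is kept as a
        # defensive drop of privileges.
        listener.unsetuid()
        if action == 'stop':
            # Stopping the server stays possible even when the check fails.
            ud.debug(ud.LISTENER, ud.INFO, '3 Allowing stop action')
        else:
            action = None
            return          # do nothing

    #### UCS 3 ('Borgfeld') uses openvpn 2.1 - no explicit ip6 support, later version are ok
    relnam = listener.baseConfig.get('version/releasename')
    ip6ok = relnam and relnam != 'Borgfeld'
    if not ip6ok:
        ud.debug(ud.LISTENER, ud.INFO, '3 IPv6 support DISABLED due to version')

    # A ':' in the configured address marks it as an IPv6 address.
    # NOTE(review): ip6ok and ip6conn are not read again in the lines shown.
    cnaddr = new.get('univentionOpenvpnAddress', [None])[0]
    ip6conn = bool(cnaddr and cnaddr.count(':'))

    # activate config
    if 'univentionOpenvpnActive' not in old and os.path.exists(fn_serverconf + '-disabled'):
        failure = None
        listener.setuid(0)
        try:
            os.rename(fn_serverconf + '-disabled', fn_serverconf)
        except Exception as e:
            failure = e
        finally:
            # Drop the elevated uid on every path out of the rename, including
            # exceptions that are not subclasses of Exception.
            listener.unsetuid()
        if failure is not None:
            ud.debug(ud.LISTENER, ud.ERROR, '3 Failed to activate server config: %s' % str(failure))
            return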
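def handler(dn, new, old, cmd):
    """Create or revoke a user's OpenVPN certificate bundles on a user change.

    A bundle is created for every active server when the VPN flag is newly set
    on an unlocked account, or when a flagged account is unlocked. The
    certificate is revoked and the bundles removed when the flag is cleared,
    the object is deleted (``cmd == 'd'``) or the account becomes locked.

    An account counts as locked when ``sambaAcctFlags`` is present and either
    contains ``'L'`` or lacks ``'U'``.

    Args:
        dn: DN of the changed object (not used here).
        new: Attribute dict of the object after the change.
        old: Attribute dict of the object before the change.
        cmd: Listener command code; ``'n'`` is ignored.
    """
    ud.debug(ud.LISTENER, ud.INFO, '1 master handler')

    if cmd == 'n':
        return

    uid = new.get('uid', [None])[0]
    uid_old = old.get('uid', [None])[0]
    home = new.get('homeDirectory', ['/dev/null'])[0]
    home_old = old.get('homeDirectory', ['/dev/null'])[0]
    # The default is a one-element list, like the other lookups.
    trigger = new.get('univentionOpenvpnAccount', ['0'])[0] == '1'
    trigger_old = old.get('univentionOpenvpnAccount', ['0'])[0] == '1'
    flags = new.get('sambaAcctFlags', [None])[0]
    flags_old = old.get('sambaAcctFlags', [None])[0]
    locked = bool(flags and ('L' in flags or 'U' not in flags))
    locked_old = bool(flags_old and ('L' in flags_old or 'U' not in flags_old))

    # Same truth tables as the original three-way "or" expressions, factored.
    create = bool(trigger and uid and home and not locked
                  and (not trigger_old or locked_old))
    revoke = bool(uid_old and home_old
                  and ((trigger_old and not trigger)
                       or cmd == 'd'
                       or (locked and not locked_old)))

    listener.setuid(0)
    try:
        lo = ul.getMachineConnection()
        servers = lo.search('(univentionOpenvpnActive=1)')

        if not univention_openvpn_common.check_user_count(1):
            return          # do nothing

        if create:
            ud.debug(ud.LISTENER, ud.INFO, '1 Create new certificate for %s in %s' % (uid, home))

            # create a bundle for each openvpn server
            for server in servers:
                name = server[1].get('cn', [None])[0]
                port = server[1].get('univentionOpenvpnPort', [None])[0]
                addr = server[1].get('univentionOpenvpnAddress', [None])[0]

                proto = 'udp6' if addr and addr.count(':') else 'udp'

                if not name or not port or not addr:
                    continue
                try:
                    listener.run('/usr/lib/openvpn-int/create-bundle', ['create-bundle', 'yes', uid, home, name, addr, port, proto], uid=0)
                finally:
                    # NOTE(review): privileges are dropped after the first run,
                    # so later iterations rely on listener.run(uid=0) elevating
                    # on its own -- confirm.
                    listener.unsetuid()

        if revoke:
            ud.debug(ud.LISTENER, ud.INFO, '1 Revoke certificate for %s' % (uid_old))
            listener.setuid(0)
            try:
                # NOTE(review): the result of this call is not checked, so a
                # failed revocation is neither logged nor retried while the
                # bundles are still removed below -- consider logging failures.
                listener.run('/usr/sbin/univention-certificate', ['univention-certificate', 'revoke', '-name', uid_old + '.openvpn'], uid=0)
            finally:
                listener.unsetuid()

            # remove bundle for each openvpn server
            for server in servers:
                name = server[1].get('cn', [None])[0]
                if not name:
                    continue
                try:
                    listener.run('/usr/lib/openvpn-int/remove-bundle', ['remove-bundle', uid_old, home_old, name], uid=0)
                finally:
                    listener.unsetuid()
    finally:
        # Always leave the handler unprivileged, also when the LDAP connection,
        # the search or one of the helpers raises.
        listener.unsetuid()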