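def handler(dn, new, old, cmd):
    """Listener handler: refresh every user's client bundle for a changed OpenVPN server.

    Args:
        dn: DN of the changed LDAP object (unused here).
        new: attribute dict after the change (values are lists).
        old: attribute dict before the change (unused here).
        cmd: listener command; 'n' is ignored.

    Side effects only: for every LDAP account flagged univentionOpenvpnAccount=1
    the privileged helper create-bundle is run with this server's
    name/address/port/protocol. Nothing is done when the server object lacks
    cn, port or address, or when the user-count check fails.

    The privileged section is wrapped in try/finally so that every exit
    path (including the early return after the user-count check, which
    previously left the elevated uid in place) drops privileges.
    """
    ud.debug(ud.LISTENER, ud.INFO, '2 master2 handler')
    if cmd == 'n':
        return

    name = new.get('cn', [None])[0]
    port = new.get('univentionOpenvpnPort', [None])[0]
    addr = new.get('univentionOpenvpnAddress', [None])[0]
    if not name or not port or not addr:
        return
    # An address containing ':' is treated as IPv6 and selects udp6.  The
    # value depends only on the server object, so compute it once.
    proto = 'udp6' if addr.count(':') else 'udp'

    listener.setuid(0)
    try:
        lo = ul.getMachineConnection()
        vpnusers = lo.search('(univentionOpenvpnAccount=1)')
        if not univention_openvpn_common.check_user_count(2):
            return  # do nothing; privileges are dropped by the finally below
        for user in vpnusers:
            attrs = user[1]
            uid = attrs.get('uid', [None])[0]
            home = attrs.get('homeDirectory', ['/dev/null'])[0]
            ud.debug(ud.LISTENER, ud.INFO, '2 Create new certificate for %s in %s' % (uid, home))
            if not (uid and home):
                continue
            # uid/home/name/addr/port come straight from LDAP and are handed to
            # the privileged helper as separate argv entries (no shell); the
            # helper is relied upon to validate them.
            # update bundle for this openvpn server with new config
            try:
                listener.run('/usr/lib/openvpn-int/create-bundle',
                             ['create-bundle', 'no', uid, home, name, addr, port, proto], uid=0)
            finally:
                listener.unsetuid()
    finally:
        listener.unsetuid()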
def handler(dn, new, old, command):
    """Listener handler for the OpenVPN server object belonging to this host.

    Sets the module-global ``action`` ('restart', 'stop' or None) — presumably
    read elsewhere in the module — and re-enables a disabled server config
    file when the object becomes active.

    Args:
        dn: DN of the changed LDAP object (unused here).
        new: attribute dict after the change (values are lists).
        old: attribute dict before the change.
        command: listener command; 'n' resets ``action`` and returns.
    """
    ud.debug(ud.LISTENER, ud.INFO, '3 server handler')
    global action
    if command == 'n':
        action = None
        return
    # Presence of univentionOpenvpnActive means the server should run;
    # otherwise it is to be stopped.
    if 'univentionOpenvpnActive' in new:
        action = 'restart'
    else:
        action = 'stop'
    # Only act on the server object whose cn matches this host's name.
    cn = new.get('cn', [None])[0]
    myname = listener.baseConfig['hostname']
    if cn != myname:
        action = None
        return
    # When the user-count check fails a 'stop' is still honoured; any other
    # action is dropped.  NOTE(review): this unsetuid() has no preceding
    # setuid() in this block — presumably harmless, confirm.
    if not univention_openvpn_common.check_user_count(3):
        listener.unsetuid()
        if action == 'stop':
            ud.debug(ud.LISTENER, ud.INFO, '3 Allowing stop action')
        else:
            action = None
            return  # do nothing
    #### UCS 3 ('Borgfeld') uses openvpn 2.1 - no explicit ip6 support, later version are ok
    relnam = listener.baseConfig.get('version/releasename')
    ip6ok = relnam and relnam != 'Borgfeld'
    if not ip6ok:
        ud.debug(ud.LISTENER, ud.INFO, '3 IPv6 support DISABLED due to version')
    # An address containing ':' is treated as an IPv6 endpoint.
    cnaddr = new.get('univentionOpenvpnAddress', [None])[0]
    ip6conn = True if cnaddr and cnaddr.count(':') else False
    # NOTE(review): ip6ok and ip6conn are not referenced further down in this
    # block; presumably consumed by the remainder of the handler — confirm.
    # activate config
    # fn_serverconf is a module-level name defined outside this block.
    if not 'univentionOpenvpnActive' in old and os.path.exists(fn_serverconf + '-disabled'):
        listener.setuid(0)
        try:
            os.rename(fn_serverconf + '-disabled', fn_serverconf)
        except Exception, e:
            # Drop privileges before bailing out so the failure path never
            # leaves the listener running with the elevated uid.
            listener.unsetuid()
            ud.debug(ud.LISTENER, ud.ERROR, '3 Failed to activate server config: %s' % str(e))
            return
        listener.unsetuid()
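def _is_locked(flags):
    """Return True when a sambaAcctFlags value marks the account as locked.

    The account is treated as locked when the flag string contains 'L' or
    does not contain 'U'.  A missing or empty flag string counts as not
    locked.
    """
    return bool(flags) and ('L' in flags or 'U' not in flags)


def handler(dn, new, old, cmd):
    """Listener handler: issue or revoke a user's OpenVPN client certificate.

    Args:
        dn: DN of the changed LDAP user object (unused here).
        new: attribute dict after the change (values are lists; may be empty).
        old: attribute dict before the change.
        cmd: listener command; 'n' is ignored, 'd' (delete) always revokes.

    Side effects (all via privileged helper scripts, argv passed as a list,
    no shell):
      * create-bundle for every active OpenVPN server when the account gains
        the OpenVPN flag, or is unlocked while carrying the flag;
      * univention-certificate revoke plus remove-bundle for every active
        server when the flag is removed, the account becomes locked, or the
        object is deleted.

    The privileged section is wrapped in try/finally so that an exception
    from the LDAP lookup or a helper script cannot leave the elevated uid in
    place.
    """
    ud.debug(ud.LISTENER, ud.INFO, '1 master handler')
    if cmd == 'n':
        return

    uid = new.get('uid', [None])[0]
    uid_old = old.get('uid', [None])[0]
    home = new.get('homeDirectory', ['/dev/null'])[0]
    home_old = old.get('homeDirectory', ['/dev/null'])[0]
    # The default '0' is a plain string whose first character is '0', so a
    # missing attribute reads as "not an OpenVPN account".
    trigger = new.get('univentionOpenvpnAccount', '0')[0] == '1'
    trigger_old = old.get('univentionOpenvpnAccount', '0')[0] == '1'
    locked = _is_locked(new.get('sambaAcctFlags', [None])[0])
    locked_old = _is_locked(old.get('sambaAcctFlags', [None])[0])

    has_new = bool(uid and home)
    has_old = bool(uid_old and home_old)
    # Issue when the account is flagged and unlocked now, and either the flag
    # is new or the account was locked before.
    issue = has_new and trigger and not locked and (not trigger_old or locked_old)
    # Revoke when the flag was removed, the object was deleted, or the account
    # has just become locked.
    revoke = has_old and ((trigger_old and not trigger) or cmd == 'd' or (not locked_old and locked))

    listener.setuid(0)
    try:
        lo = ul.getMachineConnection()
        servers = lo.search('(univentionOpenvpnActive=1)')
        if not univention_openvpn_common.check_user_count(1):
            return  # do nothing; privileges are dropped by the finally below

        if issue:
            ud.debug(ud.LISTENER, ud.INFO, '1 Create new certificate for %s in %s' % (uid, home))
            # create a bundle for each openvpn server
            for server in servers:
                attrs = server[1]
                name = attrs.get('cn', [None])[0]
                port = attrs.get('univentionOpenvpnPort', [None])[0]
                addr = attrs.get('univentionOpenvpnAddress', [None])[0]
                if not name or not port or not addr:
                    continue
                # An address containing ':' is treated as IPv6 and selects udp6.
                proto = 'udp6' if addr.count(':') else 'udp'
                # uid/home and the server attributes come straight from LDAP;
                # the privileged helper is relied upon to validate them.
                try:
                    listener.run('/usr/lib/openvpn-int/create-bundle',
                                 ['create-bundle', 'yes', uid, home, name, addr, port, proto], uid=0)
                finally:
                    listener.unsetuid()

        if revoke:
            ud.debug(ud.LISTENER, ud.INFO, '1 Revoke certificate for %s' % (uid_old))
            listener.setuid(0)
            try:
                listener.run('/usr/sbin/univention-certificate',
                             ['univention-certificate', 'revoke', '-name', uid_old + '.openvpn'], uid=0)
            finally:
                listener.unsetuid()
            # remove bundle for each openvpn server
            for server in servers:
                name = server[1].get('cn', [None])[0]
                if not name:
                    continue
                try:
                    listener.run('/usr/lib/openvpn-int/remove-bundle',
                                 ['remove-bundle', uid_old, home_old, name], uid=0)
                finally:
                    listener.unsetuid()
    finally:
        listener.unsetuid()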