def dump(self): fd = LDIFutils.ldif_outfile('RADIUS') fd.write(LDIFutils.container_entry_string('RADIUS')) noAuth = (None, None) for account_id, vlan_vpn in self.id2vlan_vpn.iteritems(): info = self.auth[account_id] uname = LDIFutils.iso2utf(str(info[0])) auth = info[1] ntAuth = self.md4_auth.get(account_id, noAuth)[1] if account_id in self.quarantines: qh = QuarantineHandler(self.db, self.quarantines[account_id]) if qh.should_skip(): continue if qh.is_locked(): auth = ntAuth = None dn = ','.join(('uid=' + uname, self.radius_dn)) entry = { # Ikke endelig innhold 'objectClass': ['top', 'account', 'uiaRadiusAccount'], 'uid': (uname,), 'radiusTunnelType': ('VLAN',), 'radiusTunnelMediumType': ('IEEE-802',), 'radiusTunnelPrivateGroupId': (vlan_vpn[0],), 'radiusClass': (vlan_vpn[1],)} if auth: entry['objectClass'].append('simpleSecurityObject') entry['userPassword'] = ('{crypt}' + auth,) if ntAuth: entry['ntPassword'] = (ntAuth,) fd.write(LDIFutils.entry_string(dn, entry, False)) LDIFutils.end_ldif_outfile('RADIUS', fd)
def generate_guests(self): """ Guest account generator. Yields accounts with the configured spread. """ ac = Factory.get('Account')(self.db) co = Factory.get('Constants')(self.db) for row in ac.search(spread=self.spread): # NOTE: Will not consider expired accounts ac.clear() ac.find(row['account_id']) qh = QuarantineHandler(self.db, [ int(row['quarantine_type']) for row in ac.get_entity_quarantine(only_active=True) ]) # No need for quarantined guest accounts in ldap # NOTE: We might want to export accounts that is_locked(), but # without passwords. if qh.should_skip() or qh.is_locked(): logger.debug("Skipping %s, quarantined: %r", ac.account_name, [str(co.Quarantine(q)) for q in qh.quarantines]) continue entry = self.ac2entry(ac) yield entry
def init_user(self, auth_meth=None): timer = make_timer(self.logger, 'Starting init_user...') self.get_name = False self.qh = QuarantineHandler(self.db, None) self.posuser = Factory.get('PosixUser')(self.db) self.load_disk_tab() self.load_shell_tab() self.load_quaratines() self.load_auth_tab(auth_meth) self.cache_account2name() self.id2uname = {} timer('... init_user done.')
def active_in_system(self, id_type, entity_id, system): """Check if a user is represented and active in a system. :type id_type: basestring :param id_type: The id-type to look-up by. :type entity_id: basestring :param entity_id: The entitys id. :type system: basestring :param system: The system to check.""" # Check for existing quarantines on the entity that are locking the # entity out (if the quarantine is active), and also check if the # entity is in the system. # TODO: Should this evaluate the shell set by quarantine rules? Some # quarantines does not result in a locked-status, but has # nologin-shells associated with them.. import mx from Cerebrum.QuarantineHandler import QuarantineHandler co = Factory.get('Constants')(self.db) # q[i] = {quarantine_type: int, creator_id: int, description: string, # create_date: DateTime, start_date: DateTime, # disable_until: DateTime, DateTime: end_date} e = Utils.get(self.db, 'entity', id_type, entity_id) # Fetch quarantines if applicable try: quars = e.get_entity_quarantine() except AttributeError: quars = [] now = mx.DateTime.now() locked = False for q in quars: # Use code string for quarantine type qt = q['quarantine_type'] qtype = co.map_const(qt) qhandler = QuarantineHandler(self.db, [qtype]) if (qhandler.is_locked() and (q['start_date'] <= now and (q['end_date'] is None or q['end_date'] > now) and (q['disable_until'] is None or q['disable_until'] <= now))): locked = True if (locked or not self.in_system(id_type, entity_id, system)): return False else: return True
def init_user(self): self.get_name = False self.qh = QuarantineHandler(self.db, None) self.posuser = Factory.get('PosixUser')(self.db) self.shell_tab = self.user_exporter.shell_codes() self.quarantines = self.user_exporter.make_quarantine_cache( self.spread_d['user'] ) self.owners.make_owner_cache() self.owners.make_name_cache() self.homedirs.make_home_cache() self.group2gid = self.user_exporter.make_posix_gid_cache() self.load_auth_tab() self.cache_account2name() self.id2uname = {}
def dump(self): fd = ldif_outfile('RADIUS') logger.debug('writing to %s', repr(fd)) fd.write(container_entry_string('RADIUS')) logger.info('Generating export...') for account_id, vlan_vpn in self.id2vlan_vpn.iteritems(): try: uname = self.account_names[account_id] except KeyError: logger.error('No account name for account_id=%r', account_id) continue try: auth = self.user_password.get(account_id) except LookupError: auth = None try: ntauth = self.nt_password.get(account_id) except LookupError: ntauth = None if account_id in self.quarantines: qh = QuarantineHandler(self.db, self.quarantines[account_id]) if qh.should_skip(): continue if qh.is_locked(): auth = ntauth = None dn = ','.join(('uid=' + uname, self.user_dn)) entry = { 'objectClass': ['top', 'account', 'uiaRadiusAccount'], 'uid': (uname, ), 'radiusTunnelType': ('VLAN', ), 'radiusTunnelMediumType': ('IEEE-802', ), 'radiusTunnelPrivateGroupId': (vlan_vpn[0], ), 'radiusClass': (vlan_vpn[1], ), } if auth: entry['objectClass'].append('simpleSecurityObject') entry['userPassword'] = auth if ntauth: entry['ntPassword'] = (ntauth, ) fd.write(entry_string(dn, entry, False)) end_ldif_outfile('RADIUS', fd)
def gather_user_data(self, row): data = PosixData() data.account_id = int(row['account_id']) data.uname = self.e_id2name[data.account_id] data.uid = str(row['posix_uid']) data.gid = str(self.g_id2gid[row['gid']]) if not row['shell']: self.logger.warn("User %s has no posix-shell!" % data.uname) return None data.shell = self.shell_tab[int(row['shell'])] data.quarantined, data.passwd = False, None if data.account_id in self.quarantines: qh = QuarantineHandler(self.db, self.quarantines[data.account_id]) if qh.should_skip(): return None if qh.is_locked(): data.quarantined, data.passwd = True, '*Locked' qshell = qh.get_shell() if qshell is not None: data.shell = qshell try: home = self.a_id2home[data.account_id] data.home = self.posix_user.resolve_homedir( account_name=data.uname, home=home[3], disk_path=self.disk_tab[home[1]]) except: self.logger.warn("User %s has no home-directory!" % data.uname) return None cn = gecos = row['gecos'] if data.account_id in self.a_id2owner: cn = self.p_id2name.get(self.a_id2owner[data.account_id], gecos) data.cn = cn or data.uname data.gecos = latin1_to_iso646_60(gecos or data.cn) return data
def dump(self): fd = LDIFutils.ldif_outfile('USER') fd.write(LDIFutils.container_entry_string('USER')) for row in self.account.search(): account_id = row['account_id'] info = self.auth[account_id] uname = LDIFutils.iso2utf(str(info[0])) auth = info[1] if account_id in self.quarantines: qh = QuarantineHandler(self.db, self.quarantines[account_id]) if qh.should_skip(): continue if qh.is_locked(): auth = None dn = ','.join(('uid=' + uname, self.user_dn)) entry = { 'objectClass': ['account'], 'uid': (uname, ), } if auth: entry['objectClass'].append('simpleSecurityObject') entry['userPassword'] = ('{crypt}' + auth, ) fd.write(LDIFutils.entry_string(dn, entry, False)) LDIFutils.end_ldif_outfile('USER', fd)
def make_person_entry(self, row, person_id): # Return (dn, person entry, alias_info) for a person to output, # or (None, anything, anything) if the person should not be output. # bool(alias_info) == False means no alias will be output. # Receives a row from list_persons() as a parameter. # The row must have key 'account_id', # and if person_dn_primaryOU() is not overridden: 'ou_id'. account_id = int(row['account_id']) p_affiliations = self.affiliations.get(person_id) if not p_affiliations: self.logger.debug3("Omitting person id=%d, no affiliations", person_id) return None, None, None names = self.person_names.get(person_id) if not names: self.logger.warn("Person %s got no names. Skipping.", person_id) return None, None, None name = iso2utf(names.get(int(self.const.name_full), '').strip()) givenname = iso2utf(names.get(int(self.const.name_first), '').strip()) lastname = iso2utf(names.get(int(self.const.name_last), '').strip()) if not (lastname and givenname): givenname, lastname = self.split_name(name, givenname, lastname) if not lastname: self.logger.warn("Person %s got no lastname. Skipping.", person_id) return None, None, None if not name: name = " ".join(filter(None, (givenname, lastname))) entry = { 'objectClass': [ 'top', 'person', 'organizationalPerson', 'inetOrgPerson', 'eduPerson' ], 'cn': (name, ), 'sn': (lastname, ) } if givenname: entry['givenName'] = (givenname, ) try: entry['uid'] = (self.acc_name[account_id], ) except KeyError: pass passwd = self.acc_passwd.get(account_id) qt = self.acc_quarantines.get(account_id) if qt: qh = QuarantineHandler(self.db, qt) if qh.should_skip(): self.logger.debug3("Omitting person id=%d, quarantined", person_id) return None, None, None if self.acc_locked_quarantines is not self.acc_quarantines: qt = self.acc_locked_quarantines.get(account_id) if qt: qh = QuarantineHandler(self.db, qt) if qt and qh.is_locked(): passwd = 0 if passwd: entry['userPassword'] = ("{crypt}" + passwd, ) elif passwd != 0 and entry.get('uid'): self.logger.debug("User %s got no password-hash.", entry['uid'][0]) dn, primary_ou_dn = self.person_dn_primaryOU(entry, row, person_id) if not dn: self.logger.debug3("Omitting person id=%d, no DN", person_id) return None, None, None if self.org_dn: entry['eduPersonOrgDN'] = (self.org_dn, ) if primary_ou_dn: entry['eduPersonPrimaryOrgUnitDN'] = (primary_ou_dn, ) # edu_OUs = [primary_ou_dn] + [self.ou2DN.get(aff[2]) # for aff in p_affiliations] edu_OUs = self._calculate_edu_OUs( primary_ou_dn, [self.ou2DN.get(aff[2]) for aff in p_affiliations]) entry['eduPersonOrgUnitDN'] = self.attr_unique(filter(None, edu_OUs)) entry['eduPersonAffiliation'] = self.attr_unique( self.select_list(self.eduPersonAff_selector, person_id, p_affiliations)) if self.select_bool(self.contact_selector, person_id, p_affiliations): # title: titles = self.person_titles.get(person_id) self.add_lang_names(entry, 'title', titles) # phone & fax: for attr, contact in self.attr2id2contacts: contact = contact.get(person_id) if contact: entry[attr] = contact # addresses: addrs = self.addr_info.get(person_id) post = addrs and addrs.get(int(self.const.address_post)) if post: a_txt, p_o_box, p_num, city, country = post post = self.make_address("$", p_o_box, a_txt, p_num, city, country) if post: entry['postalAddress'] = (post, ) street = addrs and addrs.get(int(self.const.address_street)) if street: a_txt, p_o_box, p_num, city, country = street street = self.make_address(", ", None, a_txt, p_num, city, country) if street: entry['street'] = (street, ) else: URIs = self.id2labeledURI.get(person_id) if URIs: entry['labeledURI'] = self.attr_unique( map(iso2utf, URIs), normalize_caseExactString) if self.account_mail: mail = self.account_mail(account_id) if mail: entry['mail'] = (mail, ) else: if self.person_contact_mail: mail_source_id = person_id else: mail_source_id = account_id mail = self.get_contacts(entity_id=mail_source_id, contact_type=self.const.contact_email, verify=verify_IA5String, normalize=normalize_IA5String) if mail: entry['mail'] = mail if self.is_person_visible(person_id): attrs, alias_info = self.visible_person_attrs, (primary_ou_dn, ) else: attrs, alias_info = self.invisible_person_attrs, () for key, values in attrs.items(): if key in entry: entry[key].extend(values) else: entry[key] = list(values) self.update_person_entry(entry, row, person_id) return dn, entry, alias_info