def dump(self):
fd = LDIFutils.ldif_outfile('RADIUS')
fd.write(LDIFutils.container_entry_string('RADIUS'))
noAuth = (None, None)
for account_id, vlan_vpn in self.id2vlan_vpn.iteritems():
info = self.auth[account_id]
uname = LDIFutils.iso2utf(str(info[0]))
auth = info[1]
ntAuth = self.md4_auth.get(account_id, noAuth)[1]
if account_id in self.quarantines:
qh = QuarantineHandler(self.db, self.quarantines[account_id])
if qh.should_skip():
continue
if qh.is_locked():
auth = ntAuth = None
dn = ','.join(('uid=' + uname, self.radius_dn))
entry = {
# Ikke endelig innhold
'objectClass': ['top', 'account', 'uiaRadiusAccount'],
'uid': (uname,),
'radiusTunnelType': ('VLAN',),
'radiusTunnelMediumType': ('IEEE-802',),
'radiusTunnelPrivateGroupId': (vlan_vpn[0],),
'radiusClass': (vlan_vpn[1],)}
if auth:
entry['objectClass'].append('simpleSecurityObject')
entry['userPassword'] = ('{crypt}' + auth,)
if ntAuth:
entry['ntPassword'] = (ntAuth,)
fd.write(LDIFutils.entry_string(dn, entry, False))
LDIFutils.end_ldif_outfile('RADIUS', fd)
def generate_guests(self):
"""
Guest account generator.
Yields accounts with the configured spread.
"""
ac = Factory.get('Account')(self.db)
co = Factory.get('Constants')(self.db)
for row in ac.search(spread=self.spread):
# NOTE: Will not consider expired accounts
ac.clear()
ac.find(row['account_id'])
qh = QuarantineHandler(self.db, [
int(row['quarantine_type'])
for row in ac.get_entity_quarantine(only_active=True)
])
# No need for quarantined guest accounts in ldap
# NOTE: We might want to export accounts that is_locked(), but
# without passwords.
if qh.should_skip() or qh.is_locked():
logger.debug("Skipping %s, quarantined: %r", ac.account_name,
[str(co.Quarantine(q)) for q in qh.quarantines])
continue
entry = self.ac2entry(ac)
yield entry
def init_user(self, auth_meth=None):
timer = make_timer(self.logger, 'Starting init_user...')
self.get_name = False
self.qh = QuarantineHandler(self.db, None)
self.posuser = Factory.get('PosixUser')(self.db)
self.load_disk_tab()
self.load_shell_tab()
self.load_quaratines()
self.load_auth_tab(auth_meth)
self.cache_account2name()
self.id2uname = {}
timer('... init_user done.')
def active_in_system(self, id_type, entity_id, system):
"""Check if a user is represented and active in a system.
:type id_type: basestring
:param id_type: The id-type to look-up by.
:type entity_id: basestring
:param entity_id: The entitys id.
:type system: basestring
:param system: The system to check."""
# Check for existing quarantines on the entity that are locking the
# entity out (if the quarantine is active), and also check if the
# entity is in the system.
# TODO: Should this evaluate the shell set by quarantine rules? Some
# quarantines does not result in a locked-status, but has
# nologin-shells associated with them..
import mx
from Cerebrum.QuarantineHandler import QuarantineHandler
co = Factory.get('Constants')(self.db)
# q[i] = {quarantine_type: int, creator_id: int, description: string,
# create_date: DateTime, start_date: DateTime,
# disable_until: DateTime, DateTime: end_date}
e = Utils.get(self.db, 'entity', id_type, entity_id)
# Fetch quarantines if applicable
try:
quars = e.get_entity_quarantine()
except AttributeError:
quars = []
now = mx.DateTime.now()
locked = False
for q in quars:
# Use code string for quarantine type
qt = q['quarantine_type']
qtype = co.map_const(qt)
qhandler = QuarantineHandler(self.db, [qtype])
if (qhandler.is_locked() and
(q['start_date'] <= now and
(q['end_date'] is None or q['end_date'] > now) and
(q['disable_until'] is None or q['disable_until'] <= now))):
locked = True
if (locked or not self.in_system(id_type, entity_id, system)):
return False
else:
return True
def init_user(self):
self.get_name = False
self.qh = QuarantineHandler(self.db, None)
self.posuser = Factory.get('PosixUser')(self.db)
self.shell_tab = self.user_exporter.shell_codes()
self.quarantines = self.user_exporter.make_quarantine_cache(
self.spread_d['user']
)
self.owners.make_owner_cache()
self.owners.make_name_cache()
self.homedirs.make_home_cache()
self.group2gid = self.user_exporter.make_posix_gid_cache()
self.load_auth_tab()
self.cache_account2name()
self.id2uname = {}
def dump(self):
fd = ldif_outfile('RADIUS')
logger.debug('writing to %s', repr(fd))
fd.write(container_entry_string('RADIUS'))
logger.info('Generating export...')
for account_id, vlan_vpn in self.id2vlan_vpn.iteritems():
try:
uname = self.account_names[account_id]
except KeyError:
logger.error('No account name for account_id=%r', account_id)
continue
try:
auth = self.user_password.get(account_id)
except LookupError:
auth = None
try:
ntauth = self.nt_password.get(account_id)
except LookupError:
ntauth = None
if account_id in self.quarantines:
qh = QuarantineHandler(self.db, self.quarantines[account_id])
if qh.should_skip():
continue
if qh.is_locked():
auth = ntauth = None
dn = ','.join(('uid=' + uname, self.user_dn))
entry = {
'objectClass': ['top', 'account', 'uiaRadiusAccount'],
'uid': (uname, ),
'radiusTunnelType': ('VLAN', ),
'radiusTunnelMediumType': ('IEEE-802', ),
'radiusTunnelPrivateGroupId': (vlan_vpn[0], ),
'radiusClass': (vlan_vpn[1], ),
}
if auth:
entry['objectClass'].append('simpleSecurityObject')
entry['userPassword'] = auth
if ntauth:
entry['ntPassword'] = (ntauth, )
fd.write(entry_string(dn, entry, False))
end_ldif_outfile('RADIUS', fd)
def gather_user_data(self, row):
data = PosixData()
data.account_id = int(row['account_id'])
data.uname = self.e_id2name[data.account_id]
data.uid = str(row['posix_uid'])
data.gid = str(self.g_id2gid[row['gid']])
if not row['shell']:
self.logger.warn("User %s has no posix-shell!" % data.uname)
return None
data.shell = self.shell_tab[int(row['shell'])]
data.quarantined, data.passwd = False, None
if data.account_id in self.quarantines:
qh = QuarantineHandler(self.db, self.quarantines[data.account_id])
if qh.should_skip():
return None
if qh.is_locked():
data.quarantined, data.passwd = True, '*Locked'
qshell = qh.get_shell()
if qshell is not None:
data.shell = qshell
try:
home = self.a_id2home[data.account_id]
data.home = self.posix_user.resolve_homedir(
account_name=data.uname,
home=home[3],
disk_path=self.disk_tab[home[1]])
except:
self.logger.warn("User %s has no home-directory!" % data.uname)
return None
cn = gecos = row['gecos']
if data.account_id in self.a_id2owner:
cn = self.p_id2name.get(self.a_id2owner[data.account_id], gecos)
data.cn = cn or data.uname
data.gecos = latin1_to_iso646_60(gecos or data.cn)
return data
def dump(self):
fd = LDIFutils.ldif_outfile('USER')
fd.write(LDIFutils.container_entry_string('USER'))
for row in self.account.search():
account_id = row['account_id']
info = self.auth[account_id]
uname = LDIFutils.iso2utf(str(info[0]))
auth = info[1]
if account_id in self.quarantines:
qh = QuarantineHandler(self.db, self.quarantines[account_id])
if qh.should_skip():
continue
if qh.is_locked():
auth = None
dn = ','.join(('uid=' + uname, self.user_dn))
entry = {
'objectClass': ['account'],
'uid': (uname, ),
}
if auth:
entry['objectClass'].append('simpleSecurityObject')
entry['userPassword'] = ('{crypt}' + auth, )
fd.write(LDIFutils.entry_string(dn, entry, False))
LDIFutils.end_ldif_outfile('USER', fd)
def make_person_entry(self, row, person_id):
# Return (dn, person entry, alias_info) for a person to output,
# or (None, anything, anything) if the person should not be output.
# bool(alias_info) == False means no alias will be output.
# Receives a row from list_persons() as a parameter.
# The row must have key 'account_id',
# and if person_dn_primaryOU() is not overridden: 'ou_id'.
account_id = int(row['account_id'])
p_affiliations = self.affiliations.get(person_id)
if not p_affiliations:
self.logger.debug3("Omitting person id=%d, no affiliations",
person_id)
return None, None, None
names = self.person_names.get(person_id)
if not names:
self.logger.warn("Person %s got no names. Skipping.", person_id)
return None, None, None
name = iso2utf(names.get(int(self.const.name_full), '').strip())
givenname = iso2utf(names.get(int(self.const.name_first), '').strip())
lastname = iso2utf(names.get(int(self.const.name_last), '').strip())
if not (lastname and givenname):
givenname, lastname = self.split_name(name, givenname, lastname)
if not lastname:
self.logger.warn("Person %s got no lastname. Skipping.",
person_id)
return None, None, None
if not name:
name = " ".join(filter(None, (givenname, lastname)))
entry = {
'objectClass': [
'top', 'person', 'organizationalPerson', 'inetOrgPerson',
'eduPerson'
],
'cn': (name, ),
'sn': (lastname, )
}
if givenname:
entry['givenName'] = (givenname, )
try:
entry['uid'] = (self.acc_name[account_id], )
except KeyError:
pass
passwd = self.acc_passwd.get(account_id)
qt = self.acc_quarantines.get(account_id)
if qt:
qh = QuarantineHandler(self.db, qt)
if qh.should_skip():
self.logger.debug3("Omitting person id=%d, quarantined",
person_id)
return None, None, None
if self.acc_locked_quarantines is not self.acc_quarantines:
qt = self.acc_locked_quarantines.get(account_id)
if qt:
qh = QuarantineHandler(self.db, qt)
if qt and qh.is_locked():
passwd = 0
if passwd:
entry['userPassword'] = ("{crypt}" + passwd, )
elif passwd != 0 and entry.get('uid'):
self.logger.debug("User %s got no password-hash.", entry['uid'][0])
dn, primary_ou_dn = self.person_dn_primaryOU(entry, row, person_id)
if not dn:
self.logger.debug3("Omitting person id=%d, no DN", person_id)
return None, None, None
if self.org_dn:
entry['eduPersonOrgDN'] = (self.org_dn, )
if primary_ou_dn:
entry['eduPersonPrimaryOrgUnitDN'] = (primary_ou_dn, )
# edu_OUs = [primary_ou_dn] + [self.ou2DN.get(aff[2])
# for aff in p_affiliations]
edu_OUs = self._calculate_edu_OUs(
primary_ou_dn, [self.ou2DN.get(aff[2]) for aff in p_affiliations])
entry['eduPersonOrgUnitDN'] = self.attr_unique(filter(None, edu_OUs))
entry['eduPersonAffiliation'] = self.attr_unique(
self.select_list(self.eduPersonAff_selector, person_id,
p_affiliations))
if self.select_bool(self.contact_selector, person_id, p_affiliations):
# title:
titles = self.person_titles.get(person_id)
self.add_lang_names(entry, 'title', titles)
# phone & fax:
for attr, contact in self.attr2id2contacts:
contact = contact.get(person_id)
if contact:
entry[attr] = contact
# addresses:
addrs = self.addr_info.get(person_id)
post = addrs and addrs.get(int(self.const.address_post))
if post:
a_txt, p_o_box, p_num, city, country = post
post = self.make_address("$", p_o_box, a_txt, p_num, city,
country)
if post:
entry['postalAddress'] = (post, )
street = addrs and addrs.get(int(self.const.address_street))
if street:
a_txt, p_o_box, p_num, city, country = street
street = self.make_address(", ", None, a_txt, p_num, city,
country)
if street:
entry['street'] = (street, )
else:
URIs = self.id2labeledURI.get(person_id)
if URIs:
entry['labeledURI'] = self.attr_unique(
map(iso2utf, URIs), normalize_caseExactString)
if self.account_mail:
mail = self.account_mail(account_id)
if mail:
entry['mail'] = (mail, )
else:
if self.person_contact_mail:
mail_source_id = person_id
else:
mail_source_id = account_id
mail = self.get_contacts(entity_id=mail_source_id,
contact_type=self.const.contact_email,
verify=verify_IA5String,
normalize=normalize_IA5String)
if mail:
entry['mail'] = mail
if self.is_person_visible(person_id):
attrs, alias_info = self.visible_person_attrs, (primary_ou_dn, )
else:
attrs, alias_info = self.invisible_person_attrs, ()
for key, values in attrs.items():
if key in entry:
entry[key].extend(values)
else:
entry[key] = list(values)
self.update_person_entry(entry, row, person_id)
return dn, entry, alias_info
