def enableOrDisableAccount(self, domain, account, dn, action, accountTypeInLogger=None):
self.domain = web.safestr(domain).strip().lower()
self.account = web.safestr(account).strip().lower()
self.dn = escape_filter_chars(web.safestr(dn))
# Validate operation action.
if action in ["enable", "disable"]:
self.action = action
else:
return (False, "INVALID_ACTION")
# Set value of valid account status.
if action == "enable":
self.status = attrs.ACCOUNT_STATUS_ACTIVE
else:
self.status = attrs.ACCOUNT_STATUS_DISABLED
try:
self.updateAttrSingleValue(dn=self.dn, attr="accountStatus", value=self.status)
if accountTypeInLogger is not None:
web.logger(
msg="%s %s: %s." % (str(action).capitalize(), str(accountTypeInLogger), self.account),
domain=self.domain,
event=self.action,
)
return (True,)
except ldap.LDAPError, e:
return (False, ldaputils.getExceptionDesc(e))
def enableOrDisableAccount(
self,
domains,
action,
attr='accountStatus',
):
if domains is None or len(domains) == 0:
return (False, 'NO_DOMAIN_SELECTED')
result = {}
connutils = connUtils.Utils()
for domain in domains:
self.domain = web.safestr(domain)
self.dn = ldaputils.convert_keyword_to_dn(self.domain,
accountType='domain')
if self.dn[0] is False:
return self.dn
try:
connutils.enableOrDisableAccount(
domain=self.domain,
account=self.domain,
dn=self.dn,
action=web.safestr(action).strip().lower(),
accountTypeInLogger='domain',
)
except ldap.LDAPError as e:
result[self.domain] = str(e)
if result == {}:
return (True, )
else:
return (False, ldaputils.getExceptionDesc(result))
def enableOrDisableAccount(self, mails, action, attr='accountStatus',):
if mails is None or len(mails) == 0:
return (False, 'NO_ACCOUNT_SELECTED')
result = {}
connutils = connUtils.Utils()
for mail in mails:
self.mail = web.safestr(mail).strip().lower()
if not iredutils.is_email(self.mail):
continue
self.domain = self.mail.split('@')[-1]
self.dn = ldaputils.convert_keyword_to_dn(self.mail, accountType='admin')
if self.dn[0] is False:
return self.dn
try:
connutils.enableOrDisableAccount(
domain=self.domain,
account=self.mail,
dn=self.dn,
action=web.safestr(action).strip().lower(),
accountTypeInLogger='admin',
)
except ldap.LDAPError as e:
result[self.mail] = str(e)
if result == {}:
return (True,)
else:
return (False, ldaputils.getExceptionDesc(result))
def listAccounts(self, domain):
self.domain = domain
self.domainDN = ldaputils.convert_keyword_to_dn(self.domain,
accountType='domain')
if self.domainDN[0] is False:
return self.domainDN
try:
# Use '(!([email protected]))' to hide catch-all account.
self.users = self.conn.search_s(
attrs.DN_BETWEEN_USER_AND_DOMAIN + self.domainDN,
ldap.SCOPE_SUBTREE,
'(&(objectClass=mailUser)(!(mail=@%s)))' % self.domain,
attrs.USER_SEARCH_ATTRS,
)
connutils = connUtils.Utils()
connutils.updateAttrSingleValue(self.domainDN,
'domainCurrentUserNumber',
len(self.users))
return (True, self.users)
except ldap.NO_SUCH_OBJECT:
#self.conn.add_s(
# attrs.DN_BETWEEN_USER_AND_DOMAIN + self.domainDN,
# iredldif.ldif_group(attrs.GROUP_USERS),
# )
return (False, 'NO_SUCH_OBJECT')
except ldap.SIZELIMIT_EXCEEDED:
return (False, 'EXCEEDED_LDAP_SERVER_SIZELIMIT')
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def deleteObjWithDN(
self,
domain,
dn,
account,
accountType,
):
self.domain = web.safestr(domain)
if not iredutils.is_domain(self.domain):
return (False, 'INVALID_DOMAIN_NAME')
self.dn = escape_filter_chars(dn)
# Used for logger.
self.account = web.safestr(account)
try:
delete_ldap_tree(dn=self.dn, conn=self.conn)
web.logger(
msg="Delete %s: %s." % (str(accountType), self.account),
domain=self.domain,
event='delete',
)
return (True, )
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def getManagedDomains(self, mail, attrs=attrs.ADMIN_ATTRS_ALL):
self.mail = web.safestr(mail)
if not iredutils.isEmail(self.mail):
return (False, 'INCORRECT_USERNAME')
# Pre-defined filter.
filter = '(&(objectClass=mailDomain)(domainAdmin=%s))' % self.mail
# Check admin type: global/normal admin.
try:
profile = self.profile(self.mail)
if profile[1][0][1].get('domainGlobalAdmin', ['no'])[0] == 'yes':
filter = '(objectClass=mailDomain)'
except:
pass
try:
self.managedDomains = self.conn.search_s(
self.basedn,
ldap.SCOPE_ONELEVEL,
filter,
attrs,
)
return (True, self.managedDomains)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def getNumberOfCurrentAccountsUnderDomain(self, domain, accountType='user', filter=None):
# accountType in ['user', 'list', 'alias',]
self.domain = web.safestr(domain)
self.domaindn = ldaputils.convKeywordToDN(self.domain, accountType='domain')
if filter is not None:
self.searchdn = self.domaindn
self.filter = filter
else:
if accountType == 'user':
self.searchdn = attrs.DN_BETWEEN_USER_AND_DOMAIN + self.domaindn
self.filter = '(&(objectClass=mailUser)(!(mail=@%s)))' % self.domain
elif accountType == 'maillist':
self.searchdn = attrs.DN_BETWEEN_MAILLIST_AND_DOMAIN + self.domaindn
self.filter = '(objectClass=mailList)'
else:
self.searchdn = self.domaindn
self.filter = '(&(objectClass=mailUser)(!(mail=@%s)))' % self.domain
try:
result = self.conn.search_s(
self.searchdn,
ldap.SCOPE_SUBTREE,
self.filter,
['dn',],
)
return (True, len(result))
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def getAvailableDomainNames(self, domain):
'''Get list of domainName and domainAliasName by quering domainName.
>>> getAvailableDomainNames(domain='example.com')
(True, ['example.com', 'aliasdomain01.com', 'aliasdomain02.com', ...])
'''
domain = web.safestr(domain).strip().lower()
if not iredutils.is_domain(domain):
return (False, 'INVALID_DOMAIN_NAME')
dn = ldaputils.convert_keyword_to_dn(domain, accountType='domain')
try:
result = self.conn.search_s(
dn,
ldap.SCOPE_BASE,
'(&(objectClass=mailDomain)(domainName=%s))' % domain,
['domainName', 'domainAliasName'],
)
all_domains = result[0][1].get('domainName', []) + result[0][1].get('domainAliasName', [])
all_domains = [str(d).lower() for d in all_domains if iredutils.is_domain(d)]
return (True, all_domains)
except Exception as e:
return (False, ldaputils.getExceptionDesc(e))
def getManagedDomains(self, mail, attrs=attrs.ADMIN_ATTRS_ALL):
self.mail = web.safestr(mail)
if not iredutils.isEmail(self.mail):
return (False, 'INCORRECT_USERNAME')
# Pre-defined filter.
filter = '(&(objectClass=mailDomain)(domainAdmin=%s))' % self.mail
# Check admin type: global/normal admin.
try:
profile = self.profile(self.mail)
if profile[1][0][1].get('domainGlobalAdmin', ['no'])[0] == 'yes':
filter = '(objectClass=mailDomain)'
except:
pass
try:
self.managedDomains = self.conn.search_s(
self.basedn,
ldap.SCOPE_ONELEVEL,
filter,
attrs,
)
return (True, self.managedDomains)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def deleteSingleUser(
self,
mail,
deleteFromGroups=True,
):
self.mail = web.safestr(mail)
if not iredutils.isEmail(self.mail):
return (False, 'INVALID_MAIL')
# Get domain name of this account.
self.domain = self.mail.split('@')[-1]
# Get dn of mail user and domain.
self.dnUser = ldaputils.convKeywordToDN(self.mail, accountType='user')
# Delete user object.
try:
#deltree.DelTree(self.conn, self.dnUser, ldap.SCOPE_SUBTREE)
self.conn.delete_s(self.dnUser)
if deleteFromGroups:
self.deleteSingleUserFromGroups(self.mail)
# Log delete action.
web.logger(
msg="Delete user: %s." % (self.mail),
domain=self.domain,
event='delete',
)
return (True, )
except ldap.LDAPError, e:
return (False, ldaputils.getExceptionDesc(e))
def getManagedDomains(self, mail, attrs=attrs.ADMIN_ATTRS_ALL, listedOnly=False):
self.mail = web.safestr(mail)
if not iredutils.is_email(self.mail):
return (False, 'INCORRECT_USERNAME')
# Pre-defined filter.
filter = '(&(objectClass=mailDomain)(domainAdmin=%s))' % self.mail
if session.get('domainGlobalAdmin') is True and listedOnly is False:
filter = '(objectClass=mailDomain)'
try:
self.managedDomains = self.conn.search_s(
self.basedn,
ldap.SCOPE_ONELEVEL,
filter,
attrs,
)
if listedOnly:
domains = []
for qr in self.managedDomains:
domains += qr[1]['domainName']
self.managedDomains = domains
return (True, self.managedDomains)
except Exception as e:
return (False, ldaputils.getExceptionDesc(e))
def updateAttrSingleValue(self, dn, attr, value):
self.mod_attrs = [(ldap.MOD_REPLACE, web.safestr(attr), web.safestr(value))]
try:
result = self.conn.modify_s(web.safestr(dn), self.mod_attrs)
return (True,)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def enableOrDisableAccount(self, domain, account, dn, action, accountTypeInLogger=None):
self.domain = web.safestr(domain).strip().lower()
self.account = web.safestr(account).strip().lower()
self.dn = escape_filter_chars(web.safestr(dn))
# Validate operation action.
if action in ['enable', 'disable',]:
self.action = action
else:
return (False, 'INVALID_ACTION')
# Set value of valid account status.
if action == 'enable':
self.status = attrs.ACCOUNT_STATUS_ACTIVE
else:
self.status = attrs.ACCOUNT_STATUS_DISABLED
try:
self.updateAttrSingleValue(
dn=self.dn,
attr='accountStatus',
value=self.status,
)
if accountTypeInLogger is not None:
web.logger(
msg="%s %s: %s." % (str(action).capitalize(), str(accountTypeInLogger), self.account),
domain=self.domain,
event=self.action,
)
return (True,)
except ldap.LDAPError, e:
return (False, ldaputils.getExceptionDesc(e))
def profile(self, domain, mail, accountType="user"):
self.mail = web.safestr(mail)
self.domain = self.mail.split("@", 1)[-1]
if self.domain != domain:
raise web.seeother("/domains?msg=PERMISSION_DENIED")
self.filter = "(&(objectClass=mailUser)(mail=%s))" % (self.mail,)
if accountType == "catchall":
self.filter = "(&(objectClass=mailUser)(mail=@%s))" % (self.mail,)
else:
if not self.mail.endswith("@" + self.domain):
raise web.seeother("/domains?msg=PERMISSION_DENIED")
if attrs.RDN_USER == "mail":
self.searchdn = ldaputils.convert_keyword_to_dn(self.mail, accountType=accountType)
self.scope = ldap.SCOPE_BASE
if self.searchdn[0] is False:
return self.searchdn
else:
domain_dn = ldaputils.convert_keyword_to_dn(self.domain, accountType="domain")
if domain_dn[0] is False:
return domain_dn
self.searchdn = attrs.DN_BETWEEN_USER_AND_DOMAIN + domain_dn
self.scope = ldap.SCOPE_SUBTREE
try:
self.user_profile = self.conn.search_s(self.searchdn, self.scope, self.filter, attrs.USER_ATTRS_ALL)
return (True, self.user_profile)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def deleteSingleUser(self, mail, deleteFromGroups=True,):
self.mail = web.safestr(mail)
if not iredutils.isEmail(self.mail):
return (False, 'INVALID_MAIL')
# Get domain name of this account.
self.domain = self.mail.split('@')[-1]
# Get dn of mail user and domain.
self.dnUser = ldaputils.convKeywordToDN(self.mail, accountType='user')
# Delete user object.
try:
#deltree.DelTree(self.conn, self.dnUser, ldap.SCOPE_SUBTREE)
self.conn.delete_s(self.dnUser)
if deleteFromGroups:
self.deleteSingleUserFromGroups(self.mail)
# Log delete action.
web.logger(
msg="Delete user: %s." % (self.mail),
domain=self.domain,
event='delete',
)
return (True,)
except ldap.LDAPError, e:
return (False, ldaputils.getExceptionDesc(e))
def delete(self, domain, mails=[]):
if mails is None or len(mails) == 0:
return (False, 'NO_ACCOUNT_SELECTED')
self.domain = web.safestr(domain)
self.mails = [str(v) for v in mails if iredutils.isEmail(v) and str(v).endswith('@'+self.domain)]
self.domaindn = ldaputils.convKeywordToDN(self.domain, accountType='domain')
if not iredutils.isDomain(self.domain):
return (False, 'INVALID_DOMAIN_NAME')
result = {}
for mail in self.mails:
self.mail = web.safestr(mail)
try:
# Delete user object (ldap.SCOPE_BASE).
self.deleteSingleUser(self.mail,)
# Delete user object and whole sub-tree.
# Get dn of mail user and domain.
"""
self.userdn = ldaputils.convKeywordToDN(self.mail, accountType='user')
deltree.DelTree(self.conn, self.userdn, ldap.SCOPE_SUBTREE)
# Log delete action.
web.logger(
msg="Delete user: %s." % (self.mail),
domain=self.mail.split('@')[1],
event='delete',
)
"""
except ldap.LDAPError, e:
result[self.mail] = ldaputils.getExceptionDesc(e)
def getDomainCurrentQuotaSizeFromLDAP(self, domain):
self.domain = web.safestr(domain).strip().lower()
if not iredutils.is_domain(self.domain):
return (False, 'INVALID_DOMAIN_NAME')
self.domainDN = ldaputils.convert_keyword_to_dn(self.domain, accountType='domain')
# Initial @domainCurrentQuotaSize
self.domainCurrentQuotaSize = 0
try:
# Use '(!([email protected]))' to hide catch-all account.
self.users = self.conn.search_s(
attrs.DN_BETWEEN_USER_AND_DOMAIN + self.domainDN,
ldap.SCOPE_SUBTREE,
'(&(objectClass=mailUser)(!(mail=@%s)))' % self.domain,
attrs.USER_SEARCH_ATTRS,
)
# Update @domainCurrentUserNumber
self.updateAttrSingleValue(self.domainDN, 'domainCurrentUserNumber', len(self.users))
for i in self.users:
quota = i[1].get('mailQuota', ['0'])[0]
if quota.isdigit():
self.domainCurrentQuotaSize += int(quota)
return (True, self.domainCurrentQuotaSize)
except ldap.NO_SUCH_OBJECT:
return (False, 'NO_SUCH_OBJECT')
except ldap.SIZELIMIT_EXCEEDED:
return (False, 'EXCEEDED_LDAP_SERVER_SIZELIMIT')
except Exception as e:
return (False, ldaputils.getExceptionDesc(e))
def listAccounts(self, domain):
self.domain = domain
self.domainDN = ldaputils.convKeywordToDN(self.domain, accountType='domain')
try:
# Use '(!([email protected]))' to hide catch-all account.
self.users = self.conn.search_s(
attrs.DN_BETWEEN_USER_AND_DOMAIN + self.domainDN,
ldap.SCOPE_SUBTREE,
'(&(objectClass=mailUser)(!(mail=@%s)))' % self.domain,
attrs.USER_SEARCH_ATTRS,
)
connutils = connUtils.Utils()
connutils.updateAttrSingleValue(self.domainDN, 'domainCurrentUserNumber', len(self.users))
return (True, self.users)
except ldap.NO_SUCH_OBJECT:
#self.conn.add_s(
# attrs.DN_BETWEEN_USER_AND_DOMAIN + self.domainDN,
# iredldif.ldif_group(attrs.GROUP_USERS),
# )
return (False, 'NO_SUCH_OBJECT')
except ldap.SIZELIMIT_EXCEEDED:
return (False, 'EXCEEDED_LDAP_SERVER_SIZELIMIT')
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def delete(self, domain, mails=None, keep_mailbox_days=0):
if not mails:
return (False, 'NO_ACCOUNT_SELECTED')
self.domain = web.safestr(domain)
self.mails = [
str(v) for v in mails
if iredutils.is_email(v) and str(v).endswith('@' + self.domain)
]
if not len(self.mails) > 0:
return (False, 'INVALID_MAIL')
if not iredutils.is_domain(self.domain):
return (False, 'INVALID_DOMAIN_NAME')
self.domaindn = ldaputils.convert_keyword_to_dn(self.domain,
accountType='domain')
result = {}
for mail in self.mails:
self.mail = web.safestr(mail)
try:
# Delete user object (ldap.SCOPE_BASE).
self.deleteSingleUser(mail=self.mail,
keep_mailbox_days=keep_mailbox_days)
except ldap.LDAPError as e:
result[self.mail] = ldaputils.getExceptionDesc(e)
if result == {}:
return (True, )
else:
return (False, str(result))
def profile(self, domain, mail, accountType='user'):
self.mail = web.safestr(mail)
self.domain = self.mail.split('@', 1)[-1]
if self.domain != domain:
return web.seeother('/domains?msg=PERMISSION_DENIED')
self.filter = '(&(objectClass=mailUser)(mail=%s))' % (self.mail, )
if accountType == 'catchall':
self.filter = '(&(objectClass=mailUser)(mail=@%s))' % (self.mail, )
else:
if not self.mail.endswith('@' + self.domain):
return web.seeother('/domains?msg=PERMISSION_DENIED')
if attrs.RDN_USER == 'mail':
self.searchdn = ldaputils.convKeywordToDN(self.mail,
accountType=accountType)
self.scope = ldap.SCOPE_BASE
else:
self.searchdn = attrs.DN_BETWEEN_USER_AND_DOMAIN + ldaputils.convKeywordToDN(
self.domain, accountType='domain')
self.scope = ldap.SCOPE_SUBTREE
try:
self.user_profile = self.conn.search_s(
self.searchdn,
self.scope,
self.filter,
attrs.USER_ATTRS_ALL,
)
return (True, self.user_profile)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def profile(self, domain, mail, accountType='user'):
self.mail = web.safestr(mail)
self.domain = self.mail.split('@', 1)[-1]
if self.domain != domain:
return web.seeother('/domains?msg=PERMISSION_DENIED')
self.filter = '(&(objectClass=mailUser)(mail=%s))' % (self.mail,)
if accountType == 'catchall':
self.filter = '(&(objectClass=mailUser)(mail=@%s))' % (self.mail,)
else:
if not self.mail.endswith('@' + self.domain):
return web.seeother('/domains?msg=PERMISSION_DENIED')
if attrs.RDN_USER == 'mail':
self.searchdn = ldaputils.convKeywordToDN(self.mail, accountType=accountType)
self.scope = ldap.SCOPE_BASE
else:
self.searchdn = attrs.DN_BETWEEN_USER_AND_DOMAIN + ldaputils.convKeywordToDN(self.domain, accountType='domain')
self.scope = ldap.SCOPE_SUBTREE
try:
self.user_profile = self.conn.search_s(
self.searchdn,
self.scope,
self.filter,
attrs.USER_ATTRS_ALL,
)
return (True, self.user_profile)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def updateAttrSingleValue(self, dn, attr, value):
self.mod_attrs = [(ldap.MOD_REPLACE, web.safestr(attr), web.safestr(value))]
try:
self.conn.modify_s(web.safestr(dn), self.mod_attrs)
return (True,)
except Exception as e:
return (False, ldaputils.getExceptionDesc(e))
def add(self, data):
# msg: {key: value}
msg = {}
self.domain = web.safestr(data.get('domainName', '')).strip().lower()
# Check domain name.
if not iredutils.is_domain(self.domain):
return (False, 'INVALID_DOMAIN_NAME')
# Check whether domain name already exist (domainName, domainAliasName).
connutils = connUtils.Utils()
if connutils.is_domain_exists(self.domain):
return (False, 'ALREADY_EXISTS')
self.dn = ldaputils.convert_keyword_to_dn(self.domain,
accountType='domain')
if self.dn[0] is False:
return self.dn
self.cn = data.get('cn', None)
ldif = iredldif.ldif_maildomain(
domain=self.domain,
cn=self.cn,
)
# Add domain dn.
try:
self.conn.add_s(self.dn, ldif)
web.logger(
msg="Create domain: %s." % (self.domain),
domain=self.domain,
event='create',
)
except ldap.ALREADY_EXISTS:
msg[self.domain] = 'ALREADY_EXISTS'
except ldap.LDAPError as e:
msg[self.domain] = str(e)
# Add default groups under domain.
if len(attrs.DEFAULT_GROUPS) >= 1:
for i in attrs.DEFAULT_GROUPS:
try:
group_dn = 'ou=' + str(i) + ',' + str(self.dn)
group_ldif = iredldif.ldif_group(str(i))
self.conn.add_s(group_dn, group_ldif)
except ldap.ALREADY_EXISTS:
pass
except ldap.LDAPError as e:
msg[i] = str(e)
else:
pass
if len(msg) == 0:
return (True, )
else:
return (False, ldaputils.getExceptionDesc(msg))
def deleteSingleUserFromGroups(self, mail):
self.mail = web.safestr(mail)
if not iredutils.is_email(self.mail):
return (False, 'INVALID_MAIL')
# Get domain name of this account.
self.domain = self.mail.split('@')[-1]
# Get dn of mail user and domain.
self.dnUser = ldaputils.convert_keyword_to_dn(self.mail,
accountType='user')
self.dnDomain = ldaputils.convert_keyword_to_dn(self.domain,
accountType='domain')
if self.dnUser[0] is False:
return self.dnUser
if self.dnDomain[0] is False:
return self.dnDomain
try:
# Get accounts which contains destination email.
objsHasUser = self.conn.search_s(
self.dnDomain,
ldap.SCOPE_SUBTREE,
self.getFilterOfDeleteUserFromGroups(self.mail),
['dn'],
)
if len(objsHasUser) >= 1:
connutils = connUtils.Utils()
for obj in objsHasUser:
if obj[0].endswith(attrs.DN_BETWEEN_ALIAS_AND_DOMAIN + self.dnDomain) or \
obj[0].endswith(attrs.DN_BETWEEN_USER_AND_DOMAIN + self.dnDomain):
# Remove address from alias and user.
connutils.addOrDelAttrValue(
dn=obj[0],
attr='mailForwardingAddress',
value=self.mail,
action='delete',
)
elif obj[0].endswith('ou=Externals,' + self.domaindn):
# Remove address from external member list.
connutils.addOrDelAttrValue(
dn=obj[0],
attr='mail',
value=self.mail,
action='delete',
)
else:
pass
else:
pass
return (True, )
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def changePasswd(self, dn, cur_passwd, newpw):
dn = escape_filter_chars(dn)
try:
# Reference: RFC3062 - LDAP Password Modify Extended Operation
self.conn.passwd_s(dn, cur_passwd, newpw)
return (True,)
except ldap.UNWILLING_TO_PERFORM:
return (False, "INCORRECT_OLDPW")
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def changePasswd(self, dn, cur_passwd, newpw):
dn = escape_filter_chars(dn)
try:
# Reference: RFC3062 - LDAP Password Modify Extended Operation
self.conn.passwd_s(dn, cur_passwd, newpw)
return (True,)
except ldap.UNWILLING_TO_PERFORM:
return (False, 'INCORRECT_OLDPW')
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def update(self, profile_type, mail, data):
self.profile_type = web.safestr(profile_type)
self.mail = web.safestr(mail)
self.username, self.domain = self.mail.split('@', 1)
if session.get('domainGlobalAdmin'
) is not True and session.get('username') != self.mail:
# Don't allow to view/update other admins' profile.
return (False, 'PERMISSION_DENIED')
self.dn = ldaputils.convert_keyword_to_dn(self.mail,
accountType='admin')
if self.dn[0] is False:
return self.dn
mod_attrs = []
if self.profile_type == 'general':
# Get preferredLanguage.
lang = web.safestr(data.get('preferredLanguage', 'en_US'))
mod_attrs += [(ldap.MOD_REPLACE, 'preferredLanguage', lang)]
# Get cn.
cn = data.get('cn', None)
mod_attrs += ldaputils.getSingleModAttr(attr='cn',
value=cn,
default=self.username)
first_name = data.get('first_name', '')
mod_attrs += ldaputils.getSingleModAttr(attr='givenName',
value=first_name,
default=self.username)
last_name = data.get('last_name', '')
mod_attrs += ldaputils.getSingleModAttr(attr='sn',
value=last_name,
default=self.username)
# Get accountStatus.
if 'accountStatus' in data.keys():
accountStatus = 'active'
else:
accountStatus = 'disabled'
mod_attrs += [(ldap.MOD_REPLACE, 'accountStatus', accountStatus)]
try:
# Modify profiles.
self.conn.modify_s(self.dn, mod_attrs)
if session.get('username') == self.mail and \
session.get('lang', 'en_US') != lang:
session['lang'] = lang
except ldap.LDAPError, e:
return (False, ldaputils.getExceptionDesc(e))
def listAccounts(self, attrs=attrs.ADMIN_SEARCH_ATTRS):
filter = "(objectClass=mailAdmin)"
try:
result = self.conn.search_s(
self.domainadmin_dn,
ldap.SCOPE_ONELEVEL,
filter,
attrs,
)
return (True, result)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def listAccounts(self, attrs=attrs.ADMIN_SEARCH_ATTRS):
filter = "(objectClass=mailAdmin)"
try:
result = self.conn.search_s(
self.domainadmin_dn,
ldap.SCOPE_ONELEVEL,
filter,
attrs,
)
return (True, result)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def add(self, data):
self.cn = data.get('cn')
self.mail = web.safestr(data.get('mail')).strip().lower()
if not iredutils.is_email(self.mail):
return (False, 'INVALID_MAIL')
self.domainGlobalAdmin = web.safestr(
data.get('domainGlobalAdmin', 'no'))
if self.domainGlobalAdmin not in [
'yes',
'no',
]:
self.domainGlobalAdmin = 'no'
self.preferredLanguage = web.safestr(
data.get('preferredLanguage', 'en_US'))
# Check password.
self.newpw = web.safestr(data.get('newpw'))
self.confirmpw = web.safestr(data.get('confirmpw'))
result = iredutils.verify_new_password(self.newpw, self.confirmpw)
if result[0] is True:
self.passwd = iredutils.generate_password_hash(result[1])
else:
return result
ldif = iredldif.ldif_mailadmin(
mail=self.mail,
passwd=self.passwd,
cn=self.cn,
preferredLanguage=self.preferredLanguage,
domainGlobalAdmin=self.domainGlobalAdmin)
self.dn = ldaputils.convert_keyword_to_dn(self.mail,
accountType='admin')
if self.dn[0] is False:
return self.dn
try:
self.conn.add_s(self.dn, ldif)
web.logger(
msg="Create admin: %s." % (self.mail),
event='create',
)
return (True, )
except ldap.ALREADY_EXISTS:
return (False, 'ALREADY_EXISTS')
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def update(self, profile_type, mail, data):
self.profile_type = web.safestr(profile_type)
self.mail = web.safestr(mail)
self.username, self.domain = self.mail.split('@', 1)
if session.get('domainGlobalAdmin') is not True and session.get('username') != self.mail:
# Don't allow to view/update other admins' profile.
return (False, 'PERMISSION_DENIED')
self.dn = ldaputils.convert_keyword_to_dn(self.mail, accountType='admin')
if self.dn[0] is False:
return self.dn
mod_attrs = []
if self.profile_type == 'general':
# Get preferredLanguage.
lang = web.safestr(data.get('preferredLanguage', 'en_US'))
mod_attrs += [(ldap.MOD_REPLACE, 'preferredLanguage', lang)]
# Get cn.
cn = data.get('cn', None)
mod_attrs += ldaputils.getSingleModAttr(attr='cn',
value=cn,
default=self.username)
first_name = data.get('first_name', '')
mod_attrs += ldaputils.getSingleModAttr(attr='givenName',
value=first_name,
default=self.username)
last_name = data.get('last_name', '')
mod_attrs += ldaputils.getSingleModAttr(attr='sn',
value=last_name,
default=self.username)
# Get accountStatus.
if 'accountStatus' in data.keys():
accountStatus = 'active'
else:
accountStatus = 'disabled'
mod_attrs += [(ldap.MOD_REPLACE, 'accountStatus', accountStatus)]
try:
# Modify profiles.
self.conn.modify_s(self.dn, mod_attrs)
if session.get('username') == self.mail and \
session.get('lang', 'en_US') != lang:
session['lang'] = lang
except ldap.LDAPError, e:
return (False, ldaputils.getExceptionDesc(e))
def verify_bind_dn_pw(dn,
password,
uri=settings.ldap_uri,
close_connection=True):
dn = web.safestr(dn.strip())
password = password.strip()
# Detect STARTTLS support.
starttls = False
if uri.startswith('ldaps://'):
starttls = True
# Rebuild uri, use ldap:// + STARTTLS (with normal port 389)
# instead of ldaps:// (port 636) for secure connection.
uri = uri.replace('ldaps://', 'ldap://')
# Don't check CA cert
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
conn = ldap.initialize(uri)
# Set LDAP protocol version: LDAP v3.
conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
if starttls:
conn.start_tls_s()
try:
# bind as vmailadmin
conn.bind_s(settings.ldap_bind_dn, settings.ldap_bind_password)
qr = conn.search_s(dn,
ldap.SCOPE_BASE,
'(objectClass=*)',
['userPassword'])
if not qr:
return (False, 'INVALID_CREDENTIALS')
entries = qr[0][1]
qr_password = entries.get('userPassword', [''])[0]
if iredutils.verify_password_hash(qr_password, password):
if close_connection:
conn.unbind_s()
return (True, )
else:
# Return connection
return (True, conn)
else:
return (False, 'INVALID_CREDENTIALS')
except Exception as e:
return (False, ldaputils.getExceptionDesc(e))
def verify_bind_dn_pw(dn,
password,
uri=settings.ldap_uri,
close_connection=True):
dn = web.safestr(dn.strip())
password = password.strip()
# Detect STARTTLS support.
starttls = False
if uri.startswith('ldaps://'):
starttls = True
# Rebuild uri, use ldap:// + STARTTLS (with normal port 389)
# instead of ldaps:// (port 636) for secure connection.
uri = uri.replace('ldaps://', 'ldap://')
# Don't check CA cert
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
conn = ldap.initialize(uri)
# Set LDAP protocol version: LDAP v3.
conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
if starttls:
conn.start_tls_s()
try:
# bind as vmailadmin
conn.bind_s(settings.ldap_bind_dn, settings.ldap_bind_password)
qr = conn.search_s(dn,
ldap.SCOPE_BASE,
'(objectClass=*)',
['userPassword'])
if not qr:
return (False, 'INVALID_CREDENTIALS')
entries = qr[0][1]
qr_password = entries.get('userPassword', [''])[0]
if iredutils.verify_password_hash(qr_password, password):
if close_connection:
conn.unbind_s()
return (True, )
else:
# Return connection
return (True, conn)
else:
return (False, 'INVALID_CREDENTIALS')
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def listAccounts(self, attrs=attrs.ADMIN_SEARCH_ATTRS):
try:
result_admin = self.conn.search_s(
self.domainadmin_dn, ldap.SCOPE_ONELEVEL, "(objectClass=mailAdmin)", attrs
)
result_user = self.conn.search_s(
self.basedn,
ldap.SCOPE_SUBTREE,
"(&(objectClass=mailUser)(accountStatus=active)(enabledService=domainadmin))",
attrs,
)
return (True, result_admin + result_user)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def deleteSingleUserFromGroups(self, mail):
self.mail = web.safestr(mail)
if not iredutils.isEmail(self.mail):
return (False, 'INVALID_MAIL')
# Get domain name of this account.
self.domain = self.mail.split('@')[-1]
# Get dn of mail user and domain.
self.dnUser = ldaputils.convKeywordToDN(self.mail, accountType='user')
self.dnDomain = ldaputils.convKeywordToDN(self.domain, accountType='domain')
try:
# Get accounts which contains destination email.
objsHasUser = self.conn.search_s(
self.dnDomain,
ldap.SCOPE_SUBTREE,
self.getFilterOfDeleteUserFromGroups(self.mail),
['dn'],
)
if len(objsHasUser) >= 1:
connutils = connUtils.Utils()
for obj in objsHasUser:
if obj[0].endswith(attrs.DN_BETWEEN_ALIAS_AND_DOMAIN + self.dnDomain) or \
obj[0].endswith(attrs.DN_BETWEEN_USER_AND_DOMAIN + self.dnDomain):
# Remove address from alias and user.
connutils.addOrDelAttrValue(
dn=obj[0],
attr='mailForwardingAddress',
value=self.mail,
action='delete',
)
elif obj[0].endswith('ou=Externals,' + self.domaindn):
# Remove address from external member list.
connutils.addOrDelAttrValue(
dn=obj[0],
attr='mail',
value=self.mail,
action='delete',
)
else:
pass
else:
pass
return (True,)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def profile(self, mail):
self.mail = web.safestr(mail)
self.dn = ldaputils.convKeywordToDN(self.mail, accountType='admin')
try:
self.admin_profile = self.conn.search_s(
self.dn,
ldap.SCOPE_BASE,
'(&(objectClass=mailAdmin)(mail=%s))' % self.mail,
attrs.ADMIN_ATTRS_ALL,
)
return (True, self.admin_profile)
except ldap.NO_SUCH_OBJECT:
return (False, 'NO_SUCH_OBJECT')
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def profile(self, mail):
self.mail = web.safestr(mail)
self.dn = ldaputils.convKeywordToDN(self.mail, accountType='admin')
try:
self.admin_profile = self.conn.search_s(
self.dn,
ldap.SCOPE_BASE,
'(&(objectClass=mailAdmin)(mail=%s))' % self.mail,
attrs.ADMIN_ATTRS_ALL,
)
return (True, self.admin_profile)
except ldap.NO_SUCH_OBJECT:
return (False, 'NO_SUCH_OBJECT')
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def profile(self, mail, attributes=attrs.ADMIN_ATTRS_ALL):
self.mail = web.safestr(mail)
self.dn = ldaputils.convert_keyword_to_dn(self.mail, accountType="admin")
if self.dn[0] is False:
return self.dn
try:
self.admin_profile = self.conn.search_s(
self.dn, ldap.SCOPE_BASE, "(&(objectClass=mailAdmin)(mail=%s))" % self.mail, attributes
)
return (True, self.admin_profile)
except ldap.NO_SUCH_OBJECT:
return (False, "NO_SUCH_OBJECT")
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def deleteObjWithDN(self, domain, dn, account, accountType):
self.domain = web.safestr(domain)
if not iredutils.is_domain(self.domain):
return (False, "INVALID_DOMAIN_NAME")
self.dn = escape_filter_chars(dn)
# Used for logger.
self.account = web.safestr(account)
try:
deltree.DelTree(self.conn, self.dn, ldap.SCOPE_SUBTREE)
web.logger(msg="Delete %s: %s." % (str(accountType), self.account), domain=self.domain, event="delete")
return (True,)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def getDomainAccountSetting(self, domain,):
result = self.getAllDomains(
filter='(&(objectClass=mailDomain)(domainName=%s))' % domain,
attrs=['domainName', 'accountSetting',],
)
if result[0] is True:
allDomains = result[1]
else:
return result
# Get accountSetting of current domain.
try:
allAccountSettings = ldaputils.getAccountSettingFromLdapQueryResult(allDomains, key='domainName')
return (True, allAccountSettings.get(domain, {}))
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def listAccounts(self, attrs=attrs.ADMIN_SEARCH_ATTRS):
try:
result_admin = self.conn.search_s(
self.domainadmin_dn,
ldap.SCOPE_ONELEVEL,
'(objectClass=mailAdmin)',
attrs,
)
result_user = self.conn.search_s(
self.basedn,
ldap.SCOPE_SUBTREE,
'(&(objectClass=mailUser)(accountStatus=active)(enabledService=domainadmin))',
attrs,
)
return (True, result_admin + result_user)
except Exception as e:
return (False, ldaputils.getExceptionDesc(e))
def update(self, profile_type, domain, data):
self.profile_type = web.safestr(profile_type)
self.domain = web.safestr(domain)
self.domaindn = ldaputils.convert_keyword_to_dn(self.domain,
accountType='domain')
if self.domaindn[0] is False:
return self.domaindn
connutils = connUtils.Utils()
self.accountSetting = []
mod_attrs = []
# Allow normal admin to update profiles.
if self.profile_type == 'general':
cn = data.get('cn', None)
mod_attrs += ldaputils.getSingleModAttr(attr='cn',
value=cn,
default=self.domain)
# Allow global admin to update profiles.
if session.get('domainGlobalAdmin') is True:
if self.profile_type == 'general':
# Get accountStatus.
if 'accountStatus' in data.keys():
accountStatus = 'active'
else:
accountStatus = 'disabled'
mod_attrs += [(ldap.MOD_REPLACE, 'accountStatus',
accountStatus)]
try:
dn = ldaputils.convert_keyword_to_dn(self.domain,
accountType='domain')
if dn[0] is False:
return dn
self.conn.modify_s(dn, mod_attrs)
web.logger(
msg="Update domain profile: %s (%s)." % (domain, profile_type),
domain=domain,
event='update',
)
return (True, )
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def getDomainAccountSetting(self, domain,):
result = self.getAllDomains(
filter='(&(objectClass=mailDomain)(domainName=%s))' % domain,
attrs=['domainName', 'accountSetting', ],
)
if result[0] is True:
allDomains = result[1]
else:
return result
# Get accountSetting of current domain.
try:
allAccountSettings = ldaputils.getAccountSettingFromLdapQueryResult(allDomains, key='domainName')
return (True, allAccountSettings.get(domain, {}))
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def deleteSingleUserFromGroups(self, mail):
self.mail = web.safestr(mail)
if not iredutils.is_email(self.mail):
return (False, "INVALID_MAIL")
# Get domain name of this account.
self.domain = self.mail.split("@")[-1]
# Get dn of mail user and domain.
self.dnUser = ldaputils.convert_keyword_to_dn(self.mail, accountType="user")
self.dnDomain = ldaputils.convert_keyword_to_dn(self.domain, accountType="domain")
if self.dnUser[0] is False:
return self.dnUser
if self.dnDomain[0] is False:
return self.dnDomain
try:
# Get accounts which contains destination email.
objsHasUser = self.conn.search_s(
self.dnDomain, ldap.SCOPE_SUBTREE, self.getFilterOfDeleteUserFromGroups(self.mail), ["dn"]
)
if len(objsHasUser) >= 1:
connutils = connUtils.Utils()
for obj in objsHasUser:
if obj[0].endswith(attrs.DN_BETWEEN_ALIAS_AND_DOMAIN + self.dnDomain) or obj[0].endswith(
attrs.DN_BETWEEN_USER_AND_DOMAIN + self.dnDomain
):
# Remove address from alias and user.
connutils.addOrDelAttrValue(
dn=obj[0], attr="mailForwardingAddress", value=self.mail, action="delete"
)
elif obj[0].endswith("ou=Externals," + self.domaindn):
# Remove address from external member list.
connutils.addOrDelAttrValue(dn=obj[0], attr="mail", value=self.mail, action="delete")
else:
pass
else:
pass
return (True,)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def profile(self, mail, attributes=attrs.ADMIN_ATTRS_ALL):
self.mail = web.safestr(mail)
self.dn = ldaputils.convert_keyword_to_dn(self.mail, accountType='admin')
if self.dn[0] is False:
return self.dn
try:
self.admin_profile = self.conn.search_s(
self.dn,
ldap.SCOPE_BASE,
'(&(objectClass=mailAdmin)(mail=%s))' % self.mail,
attributes,
)
return (True, self.admin_profile)
except ldap.NO_SUCH_OBJECT:
return (False, 'NO_SUCH_OBJECT')
except Exception as e:
return (False, ldaputils.getExceptionDesc(e))
def update(self, profile_type, mail, data):
self.profile_type = web.safestr(profile_type)
self.mail = web.safestr(mail)
self.username, self.domain = self.mail.split("@", 1)
if session.get("domainGlobalAdmin") is not True and session.get("username") != self.mail:
# Don't allow to view/update other admins' profile.
return (False, "PERMISSION_DENIED")
self.dn = ldaputils.convert_keyword_to_dn(self.mail, accountType="admin")
if self.dn[0] is False:
return self.dn
mod_attrs = []
if self.profile_type == "general":
# Get preferredLanguage.
lang = web.safestr(data.get("preferredLanguage", "en_US"))
mod_attrs += [(ldap.MOD_REPLACE, "preferredLanguage", lang)]
# Get cn.
cn = data.get("cn", None)
mod_attrs += ldaputils.getSingleModAttr(attr="cn", value=cn, default=self.username)
first_name = data.get("first_name", "")
mod_attrs += ldaputils.getSingleModAttr(attr="givenName", value=first_name, default=self.username)
last_name = data.get("last_name", "")
mod_attrs += ldaputils.getSingleModAttr(attr="sn", value=last_name, default=self.username)
# Get accountStatus.
if "accountStatus" in data.keys():
accountStatus = "active"
else:
accountStatus = "disabled"
mod_attrs += [(ldap.MOD_REPLACE, "accountStatus", accountStatus)]
try:
# Modify profiles.
self.conn.modify_s(self.dn, mod_attrs)
if session.get("username") == self.mail and session.get("lang", "en_US") != lang:
session["lang"] = lang
except ldap.LDAPError, e:
return (False, ldaputils.getExceptionDesc(e))
def profile(self, domain):
self.domain = web.safestr(domain)
self.dn = ldaputils.convKeywordToDN(self.domain, accountType='domain')
try:
self.domain_profile = self.conn.search_s(
self.dn,
ldap.SCOPE_BASE,
'(&(objectClass=mailDomain)(domainName=%s))' % self.domain,
attrs.DOMAIN_ATTRS_ALL,
)
if len(self.domain_profile) == 1:
return (True, self.domain_profile)
else:
return (False, 'NO_SUCH_DOMAIN')
except ldap.NO_SUCH_OBJECT:
return (False, 'NO_SUCH_OBJECT')
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def add(self, data):
self.cn = data.get("cn")
self.mail = web.safestr(data.get("mail")).strip().lower()
if not iredutils.is_email(self.mail):
return (False, "INVALID_MAIL")
self.domainGlobalAdmin = web.safestr(data.get("domainGlobalAdmin", "no"))
if self.domainGlobalAdmin not in ["yes", "no"]:
self.domainGlobalAdmin = "no"
self.preferredLanguage = web.safestr(data.get("preferredLanguage", "en_US"))
# Check password.
self.newpw = web.safestr(data.get("newpw"))
self.confirmpw = web.safestr(data.get("confirmpw"))
result = iredutils.verify_new_password(self.newpw, self.confirmpw)
if result[0] is True:
self.passwd = iredutils.generate_password_hash(result[1])
else:
return result
ldif = iredldif.ldif_mailadmin(
mail=self.mail,
passwd=self.passwd,
cn=self.cn,
preferredLanguage=self.preferredLanguage,
domainGlobalAdmin=self.domainGlobalAdmin,
)
self.dn = ldaputils.convert_keyword_to_dn(self.mail, accountType="admin")
if self.dn[0] is False:
return self.dn
try:
self.conn.add_s(self.dn, ldif)
web.logger(msg="Create admin: %s." % (self.mail), event="create")
return (True,)
except ldap.ALREADY_EXISTS:
return (False, "ALREADY_EXISTS")
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def delete(self, domain, mails=[]):
if mails is None or len(mails) == 0:
return (False, 'NO_ACCOUNT_SELECTED')
self.domain = web.safestr(domain)
self.mails = [
str(v) for v in mails
if iredutils.is_email(v) and str(v).endswith('@' + self.domain)
]
if not len(self.mails) > 0:
return (False, 'INVALID_MAIL')
self.domaindn = ldaputils.convert_keyword_to_dn(self.domain,
accountType='domain')
if self.domaindn[0] is False:
return self.domaindn
if not iredutils.is_domain(self.domain):
return (False, 'INVALID_DOMAIN_NAME')
result = {}
for mail in self.mails:
self.mail = web.safestr(mail)
try:
# Delete user object (ldap.SCOPE_BASE).
self.deleteSingleUser(self.mail, )
# Delete user object and whole sub-tree.
# Get dn of mail user and domain.
"""
self.userdn = ldaputils.convert_keyword_to_dn(self.mail, accountType='user')
deltree.DelTree(self.conn, self.userdn, ldap.SCOPE_SUBTREE)
# Log delete action.
web.logger(
msg="Delete user: %s." % (self.mail),
domain=self.mail.split('@')[1],
event='delete',
)
"""
except ldap.LDAPError, e:
result[self.mail] = ldaputils.getExceptionDesc(e)
def add(self, data):
self.cn = data.get('cn')
self.mail = web.safestr(data.get('mail')).strip().lower()
if not iredutils.is_email(self.mail):
return (False, 'INVALID_MAIL')
self.domainGlobalAdmin = web.safestr(data.get('domainGlobalAdmin', 'no'))
if self.domainGlobalAdmin not in ['yes', 'no', ]:
self.domainGlobalAdmin = 'no'
self.preferredLanguage = web.safestr(data.get('preferredLanguage', 'en_US'))
# Check password.
self.newpw = web.safestr(data.get('newpw'))
self.confirmpw = web.safestr(data.get('confirmpw'))
result = iredutils.verify_new_password(self.newpw, self.confirmpw)
if result[0] is True:
self.passwd = ldaputils.generate_ldap_password(result[1])
else:
return result
ldif = iredldif.ldif_mailadmin(
mail=self.mail,
passwd=self.passwd,
cn=self.cn,
preferredLanguage=self.preferredLanguage,
domainGlobalAdmin=self.domainGlobalAdmin,
)
self.dn = ldaputils.convert_keyword_to_dn(self.mail, accountType='admin')
if self.dn[0] is False:
return self.dn
try:
self.conn.add_s(self.dn, ldif)
web.logger(msg="Create admin: %s." % (self.mail), event='create',)
return (True,)
except ldap.ALREADY_EXISTS:
return (False, 'ALREADY_EXISTS')
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def addOrDelAttrValue(self, dn, attr, value, action):
"""Used to add or delete value of attribute which can handle multiple values.
@attr: ldap attribute name
@value: value of attr
@action: add, delete.
"""
self.dn = escape_filter_chars(dn)
if action == 'add' or action == 'assign':
try:
self.conn.modify_s(self.dn, [(ldap.MOD_ADD, attr, value)])
return (True,)
except ldap.NO_SUCH_OBJECT:
return (True,)
#return (False, 'OBJECT_NOT_EXIST')
except ldap.TYPE_OR_VALUE_EXISTS:
return (True,)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def getManagedDomains(self, mail, attrs=attrs.ADMIN_ATTRS_ALL, listedOnly=False):
self.mail = web.safestr(mail)
if not iredutils.is_email(self.mail):
return (False, "INCORRECT_USERNAME")
# Pre-defined filter.
filter = "(&(objectClass=mailDomain)(domainAdmin=%s))" % self.mail
if session.get("domainGlobalAdmin") is True and listedOnly is False:
filter = "(objectClass=mailDomain)"
try:
self.managedDomains = self.conn.search_s(self.basedn, ldap.SCOPE_ONELEVEL, filter, attrs)
if listedOnly:
domains = []
for qr in self.managedDomains:
domains += qr[1]["domainName"]
self.managedDomains = domains
return (True, self.managedDomains)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def delete(self, mails):
if mails is None or len(mails) == 0:
return (False, 'NO_ACCOUNT_SELECTED')
result = {}
for mail in mails:
self.mail = web.safestr(mail)
dn = ldaputils.convert_keyword_to_dn(self.mail, accountType='admin')
if dn[0] is False:
return dn
try:
connUtils.delete_ldap_tree(dn=dn, conn=self.conn)
web.logger(msg="Delete admin: %s." % (self.mail,), event='delete',)
except ldap.NO_SUCH_OBJECT:
# This is a mail user admin
dn = ldaputils.convert_keyword_to_dn(self.mail, accountType='user')
try:
connutils = connUtils.Utils()
# Delete enabledService=domainadmin
connutils.addOrDelAttrValue(dn=dn,
attr='enabledService',
value='domainadmin',
action='delete')
# Delete domainGlobalAdmin=yes
connutils.addOrDelAttrValue(dn=dn,
attr='domainGlobalAdmin',
value='yes',
action='delete')
web.logger(msg="Delete admin: %s." % (self.mail), event='delete')
except Exception as e:
result[self.mail] = str(e)
except ldap.LDAPError as e:
result[self.mail] = str(e)
if result == {}:
return (True,)
else:
return (False, ldaputils.getExceptionDesc(result))
def profile(self, domain):
self.domain = web.safestr(domain)
self.dn = ldaputils.convert_keyword_to_dn(self.domain, accountType='domain')
if self.dn[0] is False:
return self.dn
try:
self.domain_profile = self.conn.search_s(
self.dn,
ldap.SCOPE_BASE,
'(&(objectClass=mailDomain)(domainName=%s))' % self.domain,
attrs.DOMAIN_ATTRS_ALL,
)
if len(self.domain_profile) == 1:
return (True, self.domain_profile)
else:
return (False, 'NO_SUCH_DOMAIN')
except ldap.NO_SUCH_OBJECT:
return (False, 'NO_SUCH_OBJECT')
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def getNumberOfCurrentAccountsUnderDomain(self, domain, accountType="user", filter=None):
# accountType in ['user', 'list', 'alias',]
self.domain = web.safestr(domain)
self.domaindn = ldaputils.convert_keyword_to_dn(self.domain, accountType="domain")
if filter is not None:
self.searchdn = self.domaindn
self.filter = filter
else:
if accountType == "user":
self.searchdn = attrs.DN_BETWEEN_USER_AND_DOMAIN + self.domaindn
self.filter = "(&(objectClass=mailUser)(!(mail=@%s)))" % self.domain
else:
self.searchdn = self.domaindn
self.filter = "(&(objectClass=mailUser)(!(mail=@%s)))" % self.domain
try:
result = self.conn.search_s(self.searchdn, ldap.SCOPE_SUBTREE, self.filter, ["dn"])
return (True, len(result))
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def update(self, profile_type, domain, data):
self.profile_type = web.safestr(profile_type)
self.domain = web.safestr(domain)
self.domaindn = ldaputils.convert_keyword_to_dn(self.domain, accountType='domain')
if self.domaindn[0] is False:
return self.domaindn
connutils = connUtils.Utils()
self.accountSetting = []
mod_attrs = []
# Allow normal admin to update profiles.
if self.profile_type == 'general':
cn = data.get('cn', None)
mod_attrs += ldaputils.getSingleModAttr(attr='cn', value=cn, default=self.domain)
# Allow global admin to update profiles.
if session.get('domainGlobalAdmin') is True:
if self.profile_type == 'general':
# Get accountStatus.
if 'accountStatus' in data.keys():
accountStatus = 'active'
else:
accountStatus = 'disabled'
mod_attrs += [(ldap.MOD_REPLACE, 'accountStatus', accountStatus)]
try:
dn = ldaputils.convert_keyword_to_dn(self.domain, accountType='domain')
if dn[0] is False:
return dn
self.conn.modify_s(dn, mod_attrs)
web.logger(msg="Update domain profile: %s (%s)." % (domain, profile_type),
domain=domain,
event='update',
)
return (True,)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def getAvailableDomainNames(self, domain):
"""Get list of domainName and domainAliasName by quering domainName.
>>> getAvailableDomainNames(domain='example.com')
(True, ['example.com', 'aliasdomain01.com', 'aliasdomain02.com', ...])
"""
domain = web.safestr(domain).strip().lower()
if not iredutils.is_domain(domain):
return (False, "INVALID_DOMAIN_NAME")
dn = ldaputils.convert_keyword_to_dn(domain, accountType="domain")
try:
result = self.conn.search_s(
dn,
ldap.SCOPE_BASE,
"(&(objectClass=mailDomain)(domainName=%s))" % domain,
["domainName", "domainAliasName"],
)
return (True, result[0][1].get("domainName", []) + result[0][1].get("domainAliasName", []))
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def update(self, profile_type, domain, data):
self.profile_type = web.safestr(profile_type)
self.domain = web.safestr(domain)
self.domaindn = ldaputils.convKeywordToDN(self.domain, accountType='domain')
connutils = connUtils.Utils()
self.accountSetting = []
mod_attrs = []
# Allow normal admin to update profiles.
if self.profile_type == 'general':
cn = data.get('cn', None)
mod_attrs += ldaputils.getSingleModAttr(attr='cn', value=cn, default=self.domain)
else:
pass
# Allow global admin to update profiles.
if session.get('domainGlobalAdmin') is True:
if self.profile_type == 'general':
# Get accountStatus.
if 'accountStatus' in data.keys():
accountStatus = 'active'
else:
accountStatus = 'disabled'
mod_attrs += [ (ldap.MOD_REPLACE, 'accountStatus', accountStatus) ]
else:
pass
else:
pass
try:
dn = ldaputils.convKeywordToDN(self.domain, accountType='domain')
self.conn.modify_s(dn, mod_attrs)
return (True,)
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
def getDomainCurrentQuotaSizeFromLDAP(self, domain):
self.domain = web.safestr(domain).strip().lower()
if not iredutils.is_domain(self.domain):
return (False, "INVALID_DOMAIN_NAME")
self.domainDN = ldaputils.convert_keyword_to_dn(self.domain, accountType="domain")
# Initial @domainCurrentQuotaSize
self.domainCurrentQuotaSize = 0
try:
# Use '(!([email protected]))' to hide catch-all account.
self.users = self.conn.search_s(
attrs.DN_BETWEEN_USER_AND_DOMAIN + self.domainDN,
ldap.SCOPE_SUBTREE,
"(&(objectClass=mailUser)(!(mail=@%s)))" % self.domain,
attrs.USER_SEARCH_ATTRS,
)
# Update @domainCurrentUserNumber
self.updateAttrSingleValue(self.domainDN, "domainCurrentUserNumber", len(self.users))
for i in self.users:
quota = i[1].get("mailQuota", ["0"])[0]
if quota.isdigit():
self.domainCurrentQuotaSize += int(quota)
return (True, self.domainCurrentQuotaSize)
except ldap.NO_SUCH_OBJECT:
# self.conn.add_s(
# attrs.DN_BETWEEN_USER_AND_DOMAIN + self.domainDN,
# iredldif.ldif_group(attrs.GROUP_USERS),
# )
return (False, "NO_SUCH_OBJECT")
except ldap.SIZELIMIT_EXCEEDED:
return (False, "EXCEEDED_LDAP_SERVER_SIZELIMIT")
except Exception, e:
return (False, ldaputils.getExceptionDesc(e))
try:
group_dn = 'ou=' + str(i) + ',' + str(self.dn)
group_ldif = iredldif.ldif_group(str(i))
self.conn.add_s(group_dn, group_ldif)
except ldap.ALREADY_EXISTS:
pass
except ldap.LDAPError, e:
msg[i] = str(e)
else:
pass
if len(msg) == 0:
return (True,)
else:
return (False, ldaputils.getExceptionDesc(msg))
# List all domain admins.
def getDomainAdmins(self, domain):
domain = web.safestr(domain)
dn = ldaputils.convKeywordToDN(domain, accountType='domain')
try:
self.domainAdmins = self.conn.search_s(
dn,
ldap.SCOPE_BASE,
'(&(objectClass=mailDomain)(domainName=%s))' % domain,
['domainAdmin'],
)
return self.domainAdmins
except Exception, e:
return str(e)