def clean(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
ssl = cdata.get("ldap_ssl")
certfile = None
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
if not certificate:
raise forms.ValidationError(
"SSL/TLS specified without certificate")
else:
certfile = get_certificateauthority_path(certificate)
port = 389
if ssl == "on":
port = 636
if hostname:
parts = hostname.split(':')
hostname = parts[0]
if len(parts) > 1:
port = int(parts[1])
if cdata.get("ldap_enable") is False:
return cdata
# self.check_for_samba_schema()
try:
FreeNAS_LDAP.validate_credentials(hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
port=port,
certfile=certfile,
ssl=ssl)
except LDAPError as e:
log.debug("LDAPError: type = %s", type(e))
error = []
try:
error.append(e.args[0]['info'])
error.append(e.args[0]['desc'])
error = ', '.join(error)
except:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
log.debug("LDAPError: type = %s", type(e))
raise forms.ValidationError("{0}".format(str(e)))
return cdata
def check_for_samba_schema(self):
self.clean_bindpw()
cdata = self.cleaned_data
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
certfile = None
ssl = cdata.get("ldap_ssl")
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
fl = FreeNAS_LDAP(
host=hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
certfile=certfile,
ssl=ssl)
if fl.has_samba_schema():
self.instance.ldap_has_samba_schema = True
else:
self.instance.ldap_has_samba_schema = False
class LDAP(TestObject):
def __init__(self, handler=None):
super(self.__class__, self).__init__(handler)
self._name = "LDAP"
self.freenas_ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
def Enabled(self):
return ldap_enabled()
def Test(self):
try:
self.freenas_ldap.open()
if self.freenas_ldap._handle.whoami_s():
return self._handler.Pass("LDAP")
else:
return self._handler.Fail("LDAP", "Unable to query the server.")
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = ""
if 'desc' in e:
error = e['desc']
if 'info' in e:
error = "{0}, {1}".format(error, e['info'])
else:
# LDAPError may have desc and info or just info so making a case that handles just info
if 'info' in e:
error = e['info']
else:
error = str(e)
return self._handler.Fail("LDAP", error)
except Exception as e:
return self._handler.Fail("LDAP", str(e))
def check_for_samba_schema(self):
self.clean_bindpw()
cdata = self.cleaned_data
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
certfile = None
ssl = cdata.get("ldap_ssl")
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
fl = FreeNAS_LDAP(host=hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
certfile=certfile,
ssl=ssl)
if fl.has_samba_schema():
self.instance.ldap_has_samba_schema = True
else:
self.instance.ldap_has_samba_schema = False
def check_for_samba_schema(self):
self.clean_bindpw()
cdata = self.cleaned_data
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
# TODO: Usage of this function has been commented, should it be removed ?
certfile = None
ssl = cdata.get("ldap_ssl")
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
if certificate:
with client as c:
certificate = c.call('certificateauthority.query',
[['id', '=', certificate.id]],
{'get': True})
certfile = certificate['certificate_path'] if certificate else None
fl = FreeNAS_LDAP(host=hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
certfile=certfile,
ssl=ssl)
if fl.has_samba_schema():
self.instance.ldap_has_samba_schema = True
else:
self.instance.ldap_has_samba_schema = False
def clean(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
ssl = cdata.get("ldap_ssl")
certfile = None
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
if not certificate:
raise forms.ValidationError(
"SSL/TLS specified without certificate")
else:
certfile = get_certificateauthority_path(certificate)
port = 389
if ssl == "on":
port = 636
if hostname:
parts = hostname.split(':')
hostname = parts[0]
if len(parts) > 1:
port = int(parts[1])
# self.check_for_samba_schema()
try:
FreeNAS_LDAP.validate_credentials(hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
port=port,
certfile=certfile,
ssl=ssl)
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = []
desc = e.get('desc')
info = e.get('info')
if desc:
error.append(desc)
if info:
error.append(info)
if error:
error = ', '.join(error)
else:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
raise forms.ValidationError("{0}".format(str(e)))
return cdata
def clean_ldap_bindpw(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
ssl = cdata.get("ldap_ssl")
port = 389
if ssl == "on":
port = 636
if hostname:
parts = hostname.split(':')
hostname = parts[0]
if len(parts) > 1:
port = int(parts[1])
certfile = None
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
try:
FreeNAS_LDAP.validate_credentials(
hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
port=port,
certfile=certfile,
ssl=ssl
)
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = []
desc = e.get('desc')
info = e.get('info')
if desc:
error.append(desc)
if info:
error.append(info)
if error:
error = ', '.join(error)
else:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
raise forms.ValidationError("{0}".format(str(e)))
return bindpw
def directoryservice(self, name):
"""Temporary wrapper to serialize DS connectors"""
if name == 'AD':
ds = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
workgroups = []
domains = ds.get_domains()
for d in domains:
if 'nETBIOSName' in d:
netbiosname = d['nETBIOSName']
workgroups.append(netbiosname)
ds.workgroups = workgroups
elif name == 'LDAP':
ds = FreeNAS_LDAP(flags=FLAGS_DBINIT)
else:
raise ValueError('Unknown ds name {0}'.format(name))
data = {}
for i in ('netbiosname', 'keytab_file', 'keytab_principal',
'domainname', 'use_default_domain', 'dchost', 'basedn',
'binddn', 'bindpw', 'userdn', 'groupdn', 'ssl', 'certfile',
'id', 'ad_idmap_backend', 'ds_type', 'krb_realm', 'krbname',
'kpwdname', 'krb_kdc', 'krb_admin_server',
'krb_kpasswd_server', 'workgroups'):
if hasattr(ds, i):
data[i] = getattr(ds, i)
return data
def clean_bindpw(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
errors = []
certfile = None
ssl = cdata.get("ldap_ssl")
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
ret = FreeNAS_LDAP.validate_credentials(
hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
certfile=certfile,
ssl=ssl,
errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
def clean_ldap_bindpw(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
ssl = cdata.get("ldap_ssl")
port = 389
if ssl == "on":
port = 636
if hostname:
parts = hostname.split(':')
hostname = parts[0]
if len(parts) > 1:
port = int(parts[1])
errors = []
certfile = None
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
ret = FreeNAS_LDAP.validate_credentials(
hostname, binddn=binddn, bindpw=bindpw, basedn=basedn,
port=port, certfile=certfile, ssl=ssl, errors=errors
)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
return bindpw
def clean_bindpw(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
errors = []
certfile = None
ssl = cdata.get("ldap_ssl")
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
ret = FreeNAS_LDAP.validate_credentials(hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
certfile=certfile,
ssl=ssl,
errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
def directoryservice(self, name):
"""Temporary wrapper to serialize DS connectors"""
if name == 'AD':
smb = self.middleware.call_sync('smb.config')
ad = self.middleware.call_sync('activedirectory.config')
data = {
'netbiosname': smb['netbiosname'],
'domainname': ad['domainname'],
'use_default_domain': ad['use_default_domain'],
'ad_idmap_backend': ad['idmap_backend'],
'ds_type': 1,
'krb_realm': ad['kerberos_realm']['krb_realm'],
'workgroups': smb['workgroup'],
}
return data
elif name == 'LDAP':
ds = FreeNAS_LDAP(flags=FLAGS_DBINIT)
else:
raise ValueError('Unknown ds name {0}'.format(name))
data = {}
for i in ('netbiosname', 'keytab_file', 'keytab_principal',
'domainname', 'use_default_domain', 'dchost', 'basedn',
'binddn', 'bindpw', 'userdn', 'groupdn', 'ssl', 'certfile',
'id', 'ad_idmap_backend', 'ds_type', 'krb_realm', 'krbname',
'kpwdname', 'krb_kdc', 'krb_admin_server',
'krb_kpasswd_server', 'workgroups'):
if hasattr(ds, i):
data[i] = getattr(ds, i)
return data
class LDAP(TestObject):
def __init__(self, handler=None):
super(self.__class__, self).__init__(handler)
self._name = "LDAP"
self.freenas_ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
def Enabled(self):
return ldap_enabled()
def Test(self):
try:
self.freenas_ldap.open()
if self.freenas_ldap._handle.whoami_s():
return self._handler.Pass("LDAP")
else:
return self._handler.Fail("LDAP", "Unable to query the server.")
except Exception as e:
return self._handler.Fail("LDAP", str(e))
def ldap_status(self):
ret = False
try:
f = FreeNAS_LDAP(flags=FLAGS_DBINIT)
f.open()
if f.isOpen():
ret = True
f.close()
except:
pass
return ret
class LDAP(TestObject):
def __init__(self, handler=None):
super(self.__class__, self).__init__(handler)
self._name = "LDAP"
self.freenas_ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
def Enabled(self):
return ldap_enabled()
def Test(self):
try:
self.freenas_ldap.open()
if self.freenas_ldap._handle.whoami_s():
return self._handler.Pass("LDAP")
else:
return self._handler.Fail("LDAP",
"Unable to query the server.")
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = []
desc = e.get('desc')
info = e.get('info')
if desc:
error.append(desc)
if info:
error.append(info)
if error:
error = ', '.join(error)
else:
error = str(e)
return self._handler.Fail("LDAP", error)
except Exception as e:
return self._handler.Fail("LDAP", str(e))
class LDAP(TestObject):
def __init__(self, handler=None):
super(self.__class__, self).__init__(handler)
self._name = "LDAP"
self.freenas_ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
def Enabled(self):
return ldap_enabled()
def Test(self):
try:
self.freenas_ldap.open()
if self.freenas_ldap._handle.whoami_s():
return self._handler.Pass("LDAP")
else:
return self._handler.Fail("LDAP", "Unable to query the server.")
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = []
desc = e.get('desc')
info = e.get('info')
if desc:
error.append(desc)
if info:
error.append(info)
if error:
error = ', '.join(error)
else:
error = str(e)
return self._handler.Fail("LDAP", error)
except Exception as e:
return self._handler.Fail("LDAP", str(e))
def clean_bindpw(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
hostname = cdata.get("ldap_hostname")
errors = []
ret = FreeNAS_LDAP.validate_credentials(
hostname, binddn=binddn, bindpw=bindpw, errors=errors
)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
def clean_bindpw(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
hostname = cdata.get("ldap_hostname")
errors = []
ret = FreeNAS_LDAP.validate_credentials(hostname,
binddn=binddn,
bindpw=bindpw,
errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
def ldap_status(self):
ret = False
try:
f = FreeNAS_LDAP(flags=FLAGS_DBINIT)
f.open()
if f.isOpen():
ret = True
f.close()
except:
pass
return ret
def add_ldap(sc):
ldap = LDAP.objects.all()[0]
cifs = CIFS.objects.all()[0]
ldap_hostname = ldap.ldap_hostname.upper()
parts = ldap_hostname.split('.')
ldap_hostname = parts[0]
ldap_cookie = ldap_hostname
ldap_domain = 'domain/%s' % ldap_cookie
ldap_section = None
for key in sc.keys():
if key == ldap_domain:
ldap_section = sc[key]
break
if not ldap_section:
ldap_section = SSSDSectionDomain(ldap_domain)
ldap_section.description = ldap_cookie
if ldap_section.description != ldap_cookie:
return
ldap_defaults = [{
'enumerate': 'true'
}, {
'cache_credentials': 'true'
}, {
'id_provider': 'ldap'
}, {
'auth_provider': 'ldap'
}, {
'chpass_provider': 'ldap'
}, {
'ldap_schema': 'rfc2307bis'
}, {
'ldap_force_upper_case_realm': 'true'
}, {
'use_fully_qualified_names': 'false'
}]
for d in ldap_defaults:
key = d.keys()[0]
if not key in ldap_section:
setattr(ldap_section, key, d[key])
ldap_section.ldap_schema = ldap.ldap_schema
ldap_section.ldap_uri = "%s://%s" % ("ldaps" if ldap.ldap_ssl == 'on' else
"ldap", ldap.ldap_hostname)
ldap_section.ldap_search_base = ldap.ldap_basedn
if ldap.ldap_usersuffix:
ldap_section.ldap_user_search_base = "%s,%s" % (ldap.ldap_usersuffix,
ldap.ldap_basedn)
else:
ldap_section.ldap_user_search_base = "%s%s" % (
ldap.ldap_basedn, "?subtree?(objectclass=posixAccount)")
if ldap.ldap_groupsuffix:
ldap_section.ldap_group_search_base = "%s,%s" % (ldap.ldap_groupsuffix,
ldap.ldap_basedn)
else:
ldap_section.ldap_group_search_base = "%s%s" % (
ldap.ldap_basedn, "?subtree?(objectclass=posixGroup)")
if ldap.ldap_sudosuffix:
if not sc['sudo']:
sc['sudo'] = SSSDSectionSUDO()
sc['sssd'].add_service('sudo')
ldap_section.sudo_provider = 'ldap'
ldap_section.ldap_sudo_search_base = "%s,%s" % (ldap.ldap_sudosuffix,
ldap.ldap_basedn)
if ldap.ldap_ssl == 'on':
certpath = get_certificateauthority_path(ldap.ldap_certificate)
if certpath:
ldap_section.ldap_tls_cacert = certpath
elif ldap.ldap_ssl == 'start_tls':
ldap_section.tls_reqcert = 'demand'
certpath = get_certificateauthority_path(ldap.ldap_certificate)
if certpath:
ldap_section.ldap_tls_cacert = certpath
ldap_section.ldap_id_use_start_tls = 'true'
if ldap.ldap_auxiliary_parameters:
lines = ldap.ldap_auxiliary_parameters.splitlines()
for l in lines:
parts = l.split('=', 1)
if len(parts) < 2:
continue
setattr(ldap_section, parts[0].strip(), parts[1].strip())
ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
if ldap.keytab_name and ldap.kerberos_realm:
ldap_section.auth_provider = 'krb5'
ldap_section.chpass_provider = 'krb5'
ldap_section.ldap_sasl_mech = 'GSSAPI'
ldap_section.ldap_sasl_authid = ldap.keytab_principal
ldap_section.krb5_server = ldap.krb_kdc
ldap_section.krb5_realm = ldap.krb_realm
ldap_section.krb5_canonicalize = 'false'
else:
ldap_section.ldap_default_bind_dn = ldap.binddn
ldap_section.ldap_default_authtok_type = 'password'
ldap_section.ldap_default_authtok = ldap.bindpw
sc[ldap_domain] = ldap_section
sc['sssd'].add_domain(ldap_cookie)
sc['sssd'].add_newline()
def main():
realms = KerberosRealm.objects.all()
try:
settings = KerberosSettings.objects.all()[0]
except:
settings = None
kc = KerberosConfig(settings=settings)
kc.create_default_config()
ad = ldap = None
ldap_objects = LDAP.objects.all()
if ldap_objects and ldap_objects[0].ldap_enable:
ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
ad_objects = ActiveDirectory.objects.all()
if ad_objects and ad_objects[0].ad_enable:
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
for kr in realms:
if not kr.krb_realm:
continue
krb_kdc, krb_admin_server, krb_kpasswd_server = get_kerberos_servers(
kr, ad, ldap)
bc = KerberosConfigBindingCollection(name=kr.krb_realm)
if krb_kdc:
bc.append(KerberosConfigBinding(name="kdc", value=krb_kdc))
if krb_admin_server:
bc.append(
KerberosConfigBinding(name="admin_server",
value=krb_admin_server))
if krb_kpasswd_server:
bc.append(
KerberosConfigBinding(name="kpasswd_server",
value=krb_kpasswd_server))
bc.append(
KerberosConfigBinding(name="default_domain", value=kr.krb_realm))
kc.add_bindings(['realms'], bc)
bc = KerberosConfigBindingCollection()
bc.append(
KerberosConfigBinding(name=kr.krb_realm.lower(),
value=kr.krb_realm.upper()))
bc.append(
KerberosConfigBinding(name=".%s" % kr.krb_realm.lower(),
value=kr.krb_realm.upper()))
bc.append(
KerberosConfigBinding(name=kr.krb_realm.upper(),
value=kr.krb_realm.upper()))
bc.append(
KerberosConfigBinding(name=".%s" % kr.krb_realm.upper(),
value=kr.krb_realm.upper()))
kc.add_bindings(['domain_realm'], bc)
fp = open("/etc/krb5.conf", "w+")
kc.generate_krb5_conf(stdout=fp)
fp.close()
def __init__(self, handler=None):
super(self.__class__, self).__init__(handler)
self._name = "LDAP"
self.freenas_ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
def __init__(self, handler=None):
super(self.__class__, self).__init__(handler)
self._name = "LDAP"
self.freenas_ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
def clean(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
ssl = cdata.get("ldap_ssl")
certfile = None
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
if not certificate:
raise forms.ValidationError(
"SSL/TLS specified without certificate")
else:
certfile = get_certificateauthority_path(certificate)
port = 389
if ssl == "on":
port = 636
if hostname:
parts = hostname.split(':')
hostname = parts[0]
if len(parts) > 1:
port = int(parts[1])
if cdata.get("ldap_enable") is False:
return cdata
# self.check_for_samba_schema()
try:
FreeNAS_LDAP.validate_credentials(
hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
port=port,
certfile=certfile,
ssl=ssl
)
except LDAPError as e:
log.debug("LDAPError: type = %s", type(e))
error = []
try:
error.append(e.args[0]['info'])
error.append(e.args[0]['desc'])
error = ', '.join(error)
except:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
log.debug("LDAPError: type = %s", type(e))
raise forms.ValidationError("{0}".format(str(e)))
return cdata
