def connected_users():
listener.setuid(0)
lo = ul.getMachineConnection()
users = lo.search('univentionOpenvpnAccount=1')
users = map(lambda user: "******" % user[1].get('uid', [None])[0], users)
myname = listener.baseConfig['hostname']
me = lo.search('cn=%s' % myname)
listener.unsetuid()
connected_users = userlist()
# append not connected users
for user in users:
if not any(u['name'] == user for u in connected_users):
connected_users.append({'name': user, 'connected': 0, 'type': 0, 'realip': '', 'virtips': '', 'cons': '', 'conr': '', 'recv': 0, 'sent': 0})
for user in connected_users:
user['cert'] = os.popen("/usr/sbin/univention-certificate dump -name %s|grep 'Not After'|cut -d ':' -f2-" % user['name']).read()
data = {"users": connected_users}
count = str(len(connected_users))
query = web.ctx.query
if query:
# jsonp
queries = query.split('&')
callback = queries[0].split('=')[1]
return '%s({"draw": 1, "recordsTotal": %s, "recordsFiltered": %s, "data": %s});' % (callback, count, count, json.dumps(data))
else:
return '{"data": %s}' % json.dumps(data)
def license_stats():
listener.setuid(0)
lo = ul.getMachineConnection()
users = lo.search('univentionOpenvpnAccount=1')
myname = listener.baseConfig['hostname']
me = lo.search('cn=%s' % myname)
try:
key = me[0][1]['univentionOpenvpnLicense'][0]
except:
key = ""
listener.unsetuid()
connected_users = userlist()
c_connected_users = len(connected_users)
c_users = len(users)
c_licenced = univention_openvpn_common.maxvpnusers(0, key)
try:
l = univention_openvpn_common.license(0, key)
valid = str(date.fromordinal(l['vdate']))
except:
valid = "No valid license on this host"
info = {"expiration": valid, "connected": c_connected_users, "total": c_users, "licenced": c_licenced}
count = str(len(connected_users))
query = web.ctx.query
if query:
# jsonp
queries = query.split('&')
callback = queries[0].split('=')[1]
return '%s({"draw": 1, "recordsTotal": %s, "recordsFiltered": %s, "info": %s});' % (callback, count, count, json.dumps(info))
else:
return '{"info": %s}' % json.dumps(info)
def handler(dn, new, old, cmd):
ud.debug(ud.LISTENER, ud.INFO, '2 master2 handler')
if cmd == 'n':
return
name = new.get('cn', [None])[0]
port = new.get('univentionOpenvpnPort', [None])[0]
addr = new.get('univentionOpenvpnAddress', [None])[0]
if not name or not port or not addr:
return
listener.setuid(0)
lo = ul.getMachineConnection()
vpnusers = lo.search('(univentionOpenvpnAccount=1)')
if not univention_openvpn_common.check_user_count(2):
return # do nothing
for user in vpnusers:
uid = user[1].get('uid', [None])[0]
home = user[1].get('homeDirectory', ['/dev/null'])[0]
ud.debug(ud.LISTENER, ud.INFO, '2 Create new certificate for %s in %s' % (uid, home))
proto = 'udp6' if addr and addr.count(':') else 'udp'
if uid and home:
# update bundle for this openvpn server with new config
try:
listener.run('/usr/lib/openvpn-int/create-bundle', ['create-bundle', 'no', uid, home, name, addr, port, proto], uid=0)
finally:
listener.unsetuid()
listener.unsetuid()
def check_sitetosite(no):
listener.setuid(0)
lo = ul.getMachineConnection()
servers = lo.search('(univentionOpenvpnLicense=*)')
sitetosite = False
for server in servers:
key = server[1].get('univentionOpenvpnLicense', [None])[0]
try:
l = license(no, key)
ud.debug(ud.LISTENER, ud.INFO, '%d Processing license with ID %s:' % (no, l['id']))
ud.debug(ud.LISTENER, ud.INFO, '%d Valid until: %s' % (no, date.fromordinal(l['vdate'])))
ud.debug(ud.LISTENER, ud.INFO, '%d Users: %s' % (no, l['u']))
ud.debug(ud.LISTENER, ud.INFO, '%d Site-2-Site: %s' % (no, l['s2s']))
if l.get('s2s'): sitetosite = True
break
except:
pass
listener.unsetuid()
if not sitetosite:
ud.debug(ud.LISTENER, ud.INFO, '%d Skipping actions' % no)
return False
else:
return True
def change_net(network, netmask, ccd, fn_ips, ipv6):
if ipv6:
option = "ifconfig-ipv6-push"
appendix = "/" + network.split('/')[1] + "\n"
else:
option = "ifconfig-push"
appendix = " " + netmask + "\n"
ip_map_new = []
listener.setuid(0)
lo = ul.getMachineConnection()
users = lo.search('univentionOpenvpnAccount=1')
listener.unsetuid()
users = map(lambda user: user[1].get('uid', [None])[0], users)
for name in users:
ip_new = generate_ip(network, ip_map_new)
ip_map_new.append((name, ip_new))
# write entry in ccd
cc = univention_openvpn_common.load_rc(3, ccd + name + ".openvpn")
if cc is None:
cc = []
else:
cc = [x for x in cc if not re.search(option, x)]
cc.append(option + " " + ip_new + appendix)
univention_openvpn_common.write_rc(3, cc, ccd + name + ".openvpn")
univention_openvpn_common.write_ip_map(3, ip_map_new, fn_ips)
def to_dict(self, package_manager):
ucr.load()
res = copy.copy(self._options)
res['component_id'] = self.component_id
res['cannot_install_reason'], res['cannot_install_reason_detail'] = self.cannot_install_reason(package_manager)
cannot_install_reason = res['cannot_install_reason']
res['can_update'] = self.can_be_updated() and cannot_install_reason == 'installed'
res['can_install'] = cannot_install_reason is None
res['is_installed'] = res['can_uninstall'] = cannot_install_reason == 'installed'
res['allows_using'] = LICENSE.allows_using(self.get('notifyvendor'))
res['is_joined'] = os.path.exists('/var/univention-join/joined')
res['is_master'] = ucr.get('server/role') == 'domaincontroller_master'
res['show_ldap_schema_confirmation'] = not res['is_master']
if res['is_master']:
try:
import univention.admin.handlers.computers.domaincontroller_backup
lo = uldap.getMachineConnection()
res['show_ldap_schema_confirmation'] = 0 < len(univention.admin.handlers.computers.domaincontroller_backup.lookup(None, lo, None))
del lo
except (LDAPError, ImportError):
res['show_ldap_schema_confirmation'] = True
res['server'] = self.get_server()
res['server_version'] = ucr.get('version/version')
return res
def to_dict(self, package_manager):
ucr.load()
res = copy.copy(self._options)
res['component_id'] = self.component_id
res['cannot_install_reason'], res[
'cannot_install_reason_detail'] = self.cannot_install_reason(
package_manager)
cannot_install_reason = res['cannot_install_reason']
res['can_update'] = self.can_be_updated(
) and cannot_install_reason == 'installed'
res['can_install'] = cannot_install_reason is None
res['is_installed'] = res[
'can_uninstall'] = cannot_install_reason == 'installed'
res['allows_using'] = LICENSE.allows_using(self.get('notifyvendor'))
res['is_joined'] = os.path.exists('/var/univention-join/joined')
res['is_master'] = ucr.get('server/role') == 'domaincontroller_master'
res['show_ldap_schema_confirmation'] = not res['is_master']
if res['is_master']:
try:
import univention.admin.handlers.computers.domaincontroller_backup
lo = uldap.getMachineConnection()
res['show_ldap_schema_confirmation'] = 0 < len(
univention.admin.handlers.computers.
domaincontroller_backup.lookup(None, lo, None))
del lo
except (LDAPError, ImportError):
res['show_ldap_schema_confirmation'] = True
res['server'] = self.get_server()
res['server_version'] = ucr.get('version/version')
return res
def check_user_count(no):
listener.setuid(0)
lo = ul.getMachineConnection()
servers = lo.search('(univentionOpenvpnLicense=*)')
vpnusers = lo.search('(univentionOpenvpnAccount=1)')
vpnuc = len(vpnusers)
maxu = 5
for server in servers:
key = server[1].get('univentionOpenvpnLicense', [None])[0]
try:
l = license(no, key)
ud.debug(ud.LISTENER, ud.INFO, '%d Processing license with ID %s:' % (no, l['id']))
ud.debug(ud.LISTENER, ud.INFO, '%d Valid until: %s' % (no, date.fromordinal(l['vdate'])))
ud.debug(ud.LISTENER, ud.INFO, '%d Users: %s' % (no, l['u']))
ud.debug(ud.LISTENER, ud.INFO, '%d Site-2-Site: %s' % (no, l['s2s']))
except:
pass
mu = maxvpnusers(no, key)
if mu > maxu: maxu = mu
ud.debug(ud.LISTENER, ud.INFO, '%d Found %u active openvpn users (%u allowed)' % (no, vpnuc, maxu))
listener.unsetuid()
if vpnuc > maxu:
ud.debug(ud.LISTENER, ud.INFO, '%d Skipping actions' % no)
return False
else:
return True
def main():
usage = "usage: %prog [options]"
parser = optparse.OptionParser(usage=usage, description=__doc__)
parser.add_option("-f",
"--filter",
help="resync objects from master found by this filter")
parser.add_option("-r",
"--remove",
action="store_true",
help="remove objects in local database before resync")
parser.add_option("-s",
"--simulate",
action="store_true",
help="dry run, do not remove or add")
opts, args = parser.parse_args()
ucr = univention.config_registry.ConfigRegistry()
ucr.load()
base = ucr.get("ldap/base")
binddn = "cn=update,%s" % base
with open("/etc/ldap/rootpw.conf", "r") as fh:
for line in fh:
line = line.strip()
if line.startswith('rootpw '):
bindpw = line[7:].strip('"')
break
else:
exit(1)
if not opts.filter:
opts.filter = '(uid=%s$)' % ucr['hostname']
# get local and master connection
local = uldap.access(binddn=binddn,
bindpw=bindpw,
start_tls=0,
host="localhost",
port=389)
if ucr.get("server/role", "") == "domaincontroller_backup":
master = uldap.getAdminConnection()
else:
master = uldap.getMachineConnection(ldap_master=True)
# delete local
if opts.remove:
res = local.search(base=base, filter=opts.filter)
for dn, data in res:
print("remove from local: %s" % (dn, ))
if not opts.simulate:
local.delete(dn)
# resync from master
res = master.search(base=base, filter=opts.filter)
for dn, data in res:
print("resync from master: %s" % (dn, ))
if not opts.simulate:
local.add(dn, ldap.modlist.addModlist(data))
def lookup_user(self, username):
try:
ldap = getMachineConnection(ldap_master=True)
ldap_filter = filter_format("(&(objectClass=person)(uid=%s))",
(username, ))
result = ldap.searchDn(ldap_filter)
self.binddn = result[0]
except LDAPError as ex:
self.logger.warn("Failed LDAP search for '%s': %s", username, ex)
self.available = False
def reload(self, force=False):
if self.uuid is not None and not force:
# license with uuid has already been found
return
self.uuid = None
# last time we checked, no uuid was found
# but maybe the user installed a new license?
try:
_lo = uldap.getMachineConnection(ldap_master=False)
data = _lo.search('objectClass=univentionLicense')
del _lo
self.uuid = data[0][1]['univentionLicenseKeyID'][0]
except Exception as e:
# no licensing available
MODULE.warn('Failed to load license information: %s' % e)
def reload(self, force=False):
if self.uuid is not None and not force:
# license with uuid has already been found
return
self.uuid = None
# last time we checked, no uuid was found
# but maybe the user installed a new license?
try:
_lo = uldap.getMachineConnection(ldap_master=False)
data = _lo.search('objectClass=univentionLicense')
del _lo
self.uuid = data[0][1]['univentionLicenseKeyID'][0]
except Exception as e:
# no licensing available
MODULE.warn('Failed to load license information: %s' % e)
def dump_data(self):
# we could return infos we have in this object itself.
# but dont be too clever here. just dump
# everything we have in LDAP.
try:
_lo = uldap.getMachineConnection()
data = _lo.search('objectClass=univentionLicense')
del _lo
# just one license (should be always the case)
# return the dictionary without the dn
data = ldif.CreateLDIF(data[0][0], data[0][1])
return data
except Exception as e:
# no udm, no ldap, malformed return value, whatever
MODULE.error('getting License from LDAP failed: %s' % e)
return None
def dump_data(self):
# we could return infos we have in this object itself.
# but dont be too clever here. just dump
# everything we have in LDAP.
try:
_lo = uldap.getMachineConnection()
data = _lo.search('objectClass=univentionLicense')
del _lo
# just one license (should be always the case)
# return the dictionary without the dn
data = ldif.CreateLDIF(data[0][0], data[0][1])
return data
except Exception as e:
# no udm, no ldap, malformed return value, whatever
MODULE.error('getting License from LDAP failed: %s' % e)
return None
def main():
usage = "usage: %prog [options]"
parser = optparse.OptionParser(usage=usage, description=__doc__)
parser.add_option("-l",
"--ldif",
action="store_true",
help="Create LDIF file")
parser.add_option("-s",
"--schema",
action="store_true",
help="Update LDAP schema [%s]" % SCHEMA)
parser.add_option("-o",
"--outfile",
default=LDIF,
help="File to store gzip LDIF data [%default]")
parser.add_option("-p",
"--pagesize",
type=int,
default=1000,
help="page size to use for LDAP paged search")
parser.add_option("-v",
"--verbose",
action="count",
help="Increase verbosity")
opts, args = parser.parse_args()
logging.basicConfig(
stream=sys.stderr,
level=logging.DEBUG if opts.verbose else logging.WARNING)
ucr = univention.config_registry.ConfigRegistry()
ucr.load()
base = ucr.get("ldap/base")
if ucr.get("server/role", "") == "domaincontroller_backup":
lo = uldap.getAdminConnection()
else:
lo = uldap.getMachineConnection(ldap_master=True)
if opts.schema:
update_schema(lo)
if opts.ldif:
create_ldif_from_master(lo, opts.outfile, base, opts.pagesize)
def _save_external_portal(dn=None):
if dn is None:
dn = 'cn=local,cn=portal,cn=univention,%s' % ucr.get('ldap/base')
lo = uldap.getMachineConnection()
try:
dn, attrs = lo.search(base=dn)[0]
except ldap.NO_SUCH_OBJECT:
ud.debug(ud.LISTENER, ud.WARN, 'DN %s not found! Falling back to hard coded values' % dn)
attrs = {
'univentionPortalDisplayName': ['en_US Startsite for {hostname}', 'de_DE Startseite für {hostname}', 'fr_FR page d\'accueil pour {hostname}'],
'univentionPortalShowMenu': ['TRUE'],
'univentionPortalShowSearch': ['TRUE'],
'univentionPortalShowLogin': ['FALSE'],
'univentionPortalShowApps': ['TRUE'],
'univentionPortalShowServers': ['TRUE'],
}
obj = _make_obj(attrs)
_save(dn, obj)
_write_css(attrs)
def assert_member_server(self, access):
"""Mitglieder der lokalen Administratoren duerfen den DC-Slave und Memberserver
joinen (benoetigt Passwortaenderung)
"""
base_dn = self.ucr.get('ldap/base')
attrs = [
'krb5KeyVersionNumber',
'krb5KDCFlags',
'krb5Key',
'krb5PasswordEnd',
'sambaAcctFlags',
'sambaPwdLastSet',
'sambaLMPassword',
'sambaNTPassword',
'shadowLastChange',
'shadowMax',
'userPassword',
'pwhistory',
'sambaPwdCanChange',
'sambaPwdMustChange',
'sambaPasswordHistory',
]
singlemaster = self.ucr.is_true('ucsschool/singlemaster')
lo = getMachineConnection()
if not singlemaster:
slave_found = lo.search(
filter=
"(|(univentionObjectType=computers/domaincontroller_slave)(univentionObjectType=computers/memberserver))",
base=utu.UCSTestSchool().get_ou_base_dn(self.school))
if slave_found:
slave_dn = slave_found[0][0]
self.assert_acl(slave_dn, access, attrs)
attrs = ['sOARecord']
zoneName = lo.search(base='cn=dns,%s' % base_dn,
scope='base+one',
attr=['uid'])
for (target_dn, d) in zoneName:
if 'zoneName' in target_dn:
self.assert_acl(target_dn, access, attrs)
break
def __init__(self,
school,
connection=None,
ulConnection=None,
ucr=None,
name=None,
description=None,
members=None):
self.school = school
self.name = name if name else uts.random_string()
self.description = description if description else uts.random_string()
self.members = members if members else []
self.ucr = ucr if ucr else ucr_test.UCSTestConfigRegistry()
self.ucr.load()
if ulConnection:
self.ulConnection = ulConnection
else:
self.ulConnection = uu.getMachineConnection(ldap_master=False)
if connection:
self.client = connection
else:
self.client = Client.get_test_connection()
def main():
usage = "usage: %prog [options]"
parser = optparse.OptionParser(usage=usage, description=__doc__)
parser.add_option(
"-f",
"--filter",
help=
"resync objects from master found by this filter. Default: (uid=<hostname>$)"
)
parser.add_option("-r",
"--remove",
action="store_true",
help="remove objects in local database before resync")
parser.add_option("-s",
"--simulate",
action="store_true",
help="dry run, do not remove or add")
parser.add_option("-u",
"--update",
action="store_true",
help="update/modify existing objects")
opts, args = parser.parse_args()
ucr = univention.config_registry.ConfigRegistry()
ucr.load()
base = ucr.get("ldap/base")
server_role = ucr.get("server/role", "")
if server_role == 'domaincontroller_master':
print('local ldap is master server, nothing todo')
return
if server_role not in [
'domaincontroller_backup', 'domaincontroller_slave'
]:
print(
'server role ("{}") has no ldap, nothing todo'.format(server_role))
return
if not opts.filter:
opts.filter = '(uid=%s$)' % ucr['hostname']
# get local and master connection
local = uldap.getRootDnConnection()
if server_role == "domaincontroller_backup":
master = uldap.getAdminConnection()
else:
master = uldap.getMachineConnection(ldap_master=True)
# delete local
if opts.remove:
res = local.search(base=base, filter=opts.filter)
if not res:
print('object does not exist local')
for dn, data in res:
print("remove from local: %s" % (dn, ))
if not opts.simulate:
local.delete(dn)
# resync from master
res = master.search(base=base, filter=opts.filter)
if not res:
print('object does not exist on master')
for dn, data in res:
print("resync from master: %s" % (dn, ))
try:
local_res = local.search(base=dn)
except ldap.NO_SUCH_OBJECT:
local_res = None
if local_res and opts.remove and opts.simulate:
local_res = None
if not local_res and not opts.update:
print(' ==> adding object')
if not opts.simulate:
local.add(dn, ldap.modlist.addModlist(data))
elif not local_res and opts.update:
print(' ==> object does not exist, can not update')
elif local_res and opts.update:
modlist = []
local_data = local_res[0][1]
for key in set(data.keys()) | set(local_data.keys()):
if set(local_data.get(key, [])).symmetric_difference(
set(data.get(key, []))):
modlist.append(
[key, local_data.get(key, []),
data.get(key, [])])
if not modlist:
print(' ==> no change')
else:
print(' ==> modifying object')
if not opts.simulate:
local.modify(dn, modlist)
elif local_res and not opts.update:
print(' ==> object does exist, can not create')
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
# OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
# TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
from os import system
import univention.uldap as ul
from univention_openvpn_common import maxvpnusers
lo = ul.getMachineConnection()
maxu = 5
lobs = lo.search("(univentionOpenvpnLicense=*)")
for lob in lobs:
key = lob[1].get("univentionOpenvpnLicense", [None])[0]
mu = maxvpnusers(0, key)
if mu > maxu:
maxu = mu
vpnusers = lo.search("(univentionOpenvpnAccount=1)")
if len(vpnusers) > maxu:
exit()
vpnservers = lo.search("(&(objectClass=univentionOpenvpn)(univentionOpenvpnActive=1))")
from univention.uldap import getMachineConnection
lo = getMachineConnection()
for dn, attr in lo.search("(cn=admin)", attr=["dn"]):
print(dn)
for dn in lo.searchDn("(cn=admin)"):
print(dn)
def handler(dn, new, old, cmd):
ud.debug(ud.LISTENER, ud.INFO, '1 master handler')
if cmd == 'n':
return
uid = new.get('uid', [None])[0]
uid_old = old.get('uid', [None])[0]
home = new.get('homeDirectory', ['/dev/null'])[0]
home_old = old.get('homeDirectory', ['/dev/null'])[0]
trigger = new.get('univentionOpenvpnAccount', '0')[0] == '1'
trigger_old = old.get('univentionOpenvpnAccount', '0')[0] == '1'
flags = new.get('sambaAcctFlags', [None])[0]
flags_old = old.get('sambaAcctFlags', [None])[0]
if flags and ('L' in flags or not 'U' in flags):
locked = True
else:
locked = False
if flags_old and ('L' in flags_old or not 'U' in flags_old):
locked_old = True
else:
locked_old = False
listener.setuid(0)
lo = ul.getMachineConnection()
servers = lo.search('(univentionOpenvpnActive=1)')
if not univention_openvpn_common.check_user_count(1):
listener.unsetuid()
return # do nothing
if (trigger and not trigger_old and uid and home and not locked) or (locked_old and not locked and uid and home and trigger):
ud.debug(ud.LISTENER, ud.INFO, '1 Create new certificate for %s in %s' % (uid, home))
# create a bundle for each openvpn server
for server in servers:
name = server[1].get('cn', [None])[0]
port = server[1].get('univentionOpenvpnPort', [None])[0]
addr = server[1].get('univentionOpenvpnAddress', [None])[0]
proto = 'udp6' if addr and addr.count(':') else 'udp'
if not name or not port or not addr:
continue
try:
listener.run('/usr/lib/openvpn-int/create-bundle', ['create-bundle', 'yes', uid, home, name, addr, port, proto], uid=0)
finally:
listener.unsetuid()
if (trigger_old and not trigger and uid_old and home_old) or (cmd == 'd' and uid_old and home_old) or (not locked_old and locked and uid_old and home_old):
ud.debug(ud.LISTENER, ud.INFO, '1 Revoke certificate for %s' % (uid_old))
listener.setuid(0)
try:
listener.run('/usr/sbin/univention-certificate', ['univention-certificate', 'revoke', '-name', uid_old + '.openvpn'], uid=0)
finally:
listener.unsetuid()
# remove bundle for each openvpn server
for server in servers:
name = server[1].get('cn', [None])[0]
if not name:
continue
try:
listener.run('/usr/lib/openvpn-int/remove-bundle', ['remove-bundle', uid_old, home_old, name], uid=0)
finally:
listener.unsetuid()
listener.unsetuid()