def get_only_udm_obj(cls, lo, filter_str, superordinate=None, base=None):
'''Returns the one UDM object of class cls._meta.udm_module that
matches a given filter.
If more than one is found, a MultipleObjectsError is raised
If none is found, None is returned
'''
cls.init_udm_module(lo)
if cls._meta.udm_filter:
filter_str = '(&(%s)(%s))' % (cls._meta.udm_filter, filter_str)
logger.debug('Getting %s UDM object by filter: %s', cls.__name__,
filter_str)
objs = udm_modules.lookup(cls._meta.udm_module,
None,
lo,
scope='sub',
base=base or ucr.get('ldap/base'),
filter=str(filter_str),
superordinate=superordinate)
if len(objs) == 0:
return None
if len(objs) > 1:
raise MultipleObjectsError(objs)
obj = objs[0]
obj.open()
return obj
def printers(self, request, ldap_user_read=None):
"""List all available printers except PDF printers
return: [{'id': <spool host>://<printer name>, 'label': <display name>}, ...]
"""
try:
printers = udm_modules.lookup(
'shares/printer',
None,
ldap_user_read,
scope='sub',
base=School.get_search_base(
request.options['school']).printers)
except udm_errors.noObject:
printers = []
result = []
for prt in printers:
# ignore PDF printers
uri = prt.info.get('uri', [])
if uri and uri[0].startswith('cups-pdf'):
continue
name = prt.info['name']
spool_host = prt.info['spoolHost'][0]
# allways prefer myself
if self.fqdn in prt.info['spoolHost']:
spool_host = self.fqdn
result.append({
'id': '%s://%s' % (spool_host, name),
'label': name
})
self.finished(request.id, result)
def share_servers(self, request, ldap_user_read=None):
# udm/syntax/choices UCSSchool_Server_DN
ret = [{'id': '', 'label': ''}]
for module in ['computers/domaincontroller_master', 'computers/domaincontroller_backup', 'computers/domaincontroller_slave', 'computers/memberserver']:
for obj in udm_modules.lookup(module, None, ldap_user_read, scope='sub'):
obj.open()
ret.append({'id': obj.dn, 'label': obj.info.get('fqdn', obj.info['name'])})
return ret
def _read_groups(self, ldap_connection=None, ldap_position=None):
try:
groups = udm_modules.lookup('settings/default', None, ldap_connection, scope='sub')
except udm_errors.noObject:
groups = None
if not groups:
self.groups = None
else:
self.groups = groups[0]
def _read_directories(self, ldap_connection=None, ldap_position=None):
try:
directories = udm_modules.lookup('settings/directory', None, ldap_connection, scope='sub')
except udm_errors.noObject:
directories = None
if not directories:
self.directory = None
else:
self.directory = directories[0]
def lookup(cls, lo, school, filter_s='', superordinate=None):
try:
return udm_modules.lookup(cls._meta.udm_module,
None,
lo,
filter=filter_s,
base=cls.get_container(school),
scope='sub',
superordinate=superordinate)
except noObject:
logger.warning(
'Error while getting all %s of %s: probably %r does not exist!',
cls.__name__, school, cls.get_container(school))
return []
def lookup(cls, lo, school, filter_s='', superordinate=None):
filter_object_type = conjunction('&', [
parse(cls.type_filter),
parse(filter_format('ucsschoolSchool=%s', [school]))
])
if filter_s:
filter_object_type = conjunction(
'&', [filter_object_type, parse(filter_s)])
objects = udm_modules.lookup(cls._meta.udm_module,
None,
lo,
filter=unicode(filter_object_type),
scope='sub',
superordinate=superordinate)
objects.extend(obj for obj in super(User, cls).lookup(
lo, school, filter_s, superordinate=superordinate)
if not any(obj.dn == x.dn for x in objects))
return objects
def get_udm_object(self, lo):
'''Returns the UDM object that corresponds to self.
If self._meta.name_is_unique it searches for any UDM object
with self.name.
If not (which is the default) it searches for self.old_dn or self.dn
Returns None if no object was found. Caches the result, even None
If you want to re-search, you need to explicitely set
self._udm_obj_searched = False
'''
self.init_udm_module(lo)
if self._udm_obj_searched is False or (
self._udm_obj and self._udm_obj.lo.binddn != lo.binddn):
dn = self.old_dn or self.dn
superordinate = self.get_superordinate(lo)
if dn is None:
logger.debug('Getting %s UDM object: No DN!',
self.__class__.__name__)
return
if self._meta.name_is_unique:
if self.name is None:
return None
udm_name = self._attributes['name'].udm_name
name = self.get_name_from_dn(dn)
filter_str = '%s=%s' % (udm_name, escape_filter_chars(name))
self._udm_obj = self.get_first_udm_obj(lo, filter_str,
superordinate)
else:
logger.debug('Getting %s UDM object by dn: %s',
self.__class__.__name__, dn)
try:
self._udm_obj = udm_modules.lookup(
self._meta.udm_module,
None,
lo,
scope='base',
base=dn,
superordinate=superordinate)[0]
except (noObject, IndexError):
self._udm_obj = None
else:
self._udm_obj.open()
self._udm_obj_searched = True
return self._udm_obj
def query(self):
udm_modules.update()
lo, po = get_machine_connection()
servers = udm_modules.lookup(
'computers/computer',
None,
lo,
filter=
'(&(|(objectClass=univentionDomainController)(objectClass=univentionMemberServer))(!(univentionObjectFlag=docker)))',
base=ucr['ldap/base'],
scope='sub')
result = [
dict(
dn=i.dn,
hostname=i.info.get('name'),
domain=i.info.get('domain'),
ip=i.info.get('ip'),
version=i.info.get('operatingSystemVersion'),
serverRole=i.info.get('serverRole'),
) for i in servers
]
return result
def from_dn(cls, dn, school, lo, superordinate=None):
'''Returns a new instance based on the UDM object found at dn
raises noObject if the udm_module does not match the dn
or dn is not found
'''
cls.init_udm_module(lo)
if school is None and cls.supports_school():
school = cls.get_school_from_dn(dn)
if school is None:
logger.warn('Unable to guess school from %r', dn)
try:
logger.debug('Looking up %s with dn %r', cls.__name__, dn)
udm_obj = udm_modules.lookup(cls._meta.udm_module,
None,
lo,
filter=cls._meta.udm_filter,
base=dn,
scope='base',
superordinate=superordinate)[0]
except IndexError:
# happens when cls._meta.udm_module does not "match" the dn
raise WrongObjectType(dn, cls)
return cls.from_udm_obj(udm_obj, school, lo)
def _read_groups( self, ldap_connection = None, ldap_position = None ): try: groups = udm_modules.lookup( 'settings/default', None, ldap_connection, scope = 'sub' ) except ( LDAPError, udm_errors.ldapError ), e: raise e
def _read_directories( self, ldap_connection = None, ldap_position = None ): try: directories = udm_modules.lookup( 'settings/directory', None, ldap_connection, scope = 'sub' ) except ( LDAPError, udm_errors.ldapError ), e: raise e
def test_script_lock_expired_accounts(stopped_s4_connector,
udm): # TODO: parametrize
"""Check cron job script lock_expired_accounts"""
# bugs: [35088]
print(time.ctime())
udm_modules.update()
lo, position = univention.admin.uldap.getAdminConnection()
udm_modules.init(lo, position, udm_modules.get('users/user'))
def create_user(expiry_days_delta, locked_status):
expiry_time = datetime.utcnow() + timedelta(days=expiry_days_delta)
userdn, username = udm.create_user(
userexpiry=expiry_time.strftime("%Y-%m-%d"),
check_for_drs_replication=False,
wait_for=False)
if locked_status == '1':
locktime = time.strftime("%Y%m%d%H%M%SZ", time.gmtime())
subprocess.check_call([
'/usr/bin/python2.7', '-m', 'univention.lib.account', 'lock',
'--dn', userdn, '--lock-time', locktime
])
return username
userdata = {}
for delta, initial_state, expected_state in [
[-9, '0', '0'],
[-8, '0', '0'],
# [-7, '0', '0'], disabled due to bug #36210
# [-6, '0', '1'], disabled due to bug #36210
[-5, '0', '1'],
[-4, '0', '1'],
[-3, '0', '1'],
[-2, '0', '1'],
[-1, '0', '1'],
# [0, '0', '1'], disabled due to bug #36210
[1, '0', '0'],
[2, '0', '0'],
[-4, '1', '1'],
# [0, '1', '1'], disabled due to bug #36210
[2, '1', '1'],
]:
userdata[create_user(delta,
initial_state)] = [initial_state, expected_state]
ldap_filter = '(|(uid=' + ')(uid='.join(userdata.keys()) + '))'
results = udm_modules.lookup('users/user',
None,
lo,
scope='sub',
filter=ldap_filter)
if len(results) != len(userdata):
print('RESULTS: %r' %
(pprint.PrettyPrinter(indent=2).pformat(results), ))
utils.fail('Did not find all users prior to script execution!')
for entry in results:
entry.open()
if not entry['locked'] == userdata[entry['username']][0]:
utils.fail(
'uid=%s should not be locked for posix prior to script execution!'
% (entry['username'], ))
print('Calling lock_expired_accounts...')
subprocess.check_call([
'/usr/share/univention-directory-manager-tools/lock_expired_accounts',
'--only-last-week'
])
print('DONE')
results = udm_modules.lookup('users/user',
None,
lo,
scope='sub',
filter=ldap_filter)
if len(results) != len(userdata):
print('RESULTS: %r' %
(pprint.PrettyPrinter(indent=2).pformat(results), ))
utils.fail('Did not find all users after script execution!')
for entry in results:
entry.open()
if not entry['locked'] == userdata[entry['username']][1]:
utils.fail(
'The account uid=%r is not in expected locking state: expected=%r current=%r'
% (entry['username'], userdata[entry['username']][1],
entry['locked']))
def modify_share(self,
sharename,
accessmode,
ldap_user_read=None,
ldap_user_write=None,
ldap_position=None,
search_base=None):
result = {}
supported_accessmodes = ("none", "read", "read,write")
if accessmode not in supported_accessmodes:
MODULE.error('%s.modify: invalid access mode: %s' % (
self.module_name,
accessmode,
))
return result # TODO: How to communicate the error?
# sanitize the sharename to match only role shares
if not self.valid_role_from_roleshare_name(sharename):
MODULE.error('%s.modify: sharename is not a role share: %s' % (
self.module_name,
sharename,
))
return result # TODO: How to communicate the error?
school_ou = self.valid_school_from_roleshare_name(
sharename, search_base.availableSchools)
if not school_ou:
MODULE.error(
'%s.modify: sharename "%s" is not in an accessible school (%s)'
% (
self.module_name,
sharename,
search_base.availableSchools,
))
return result # TODO: How to communicate the error?
udm_modules.init(ldap_user_read, ldap_position,
udm_modules.get(self.udm_module_name))
udm_filter = "name=%s" % (sharename, )
res = udm_modules.lookup(self.udm_module_name,
None,
ldap_user_read,
base=ucr['ldap/base'],
scope='sub',
filter=udm_filter)
if not res:
MODULE.error('%s.modify: share note found: %s' % (
self.module_name,
sharename,
))
return result # TODO: How to communicate the error?
teacher_groupname = "-".join(
(ucs_school_name_i18n(role_teacher), school_ou))
udm_obj = res[0]
if accessmode == "read":
udm_obj['sambaWriteable'] = 0
udm_obj['group'] = grp.getgrnam(teacher_groupname).gr_gid
elif accessmode == "read,write":
udm_obj['sambaWriteable'] = 1
udm_obj['group'] = grp.getgrnam(teacher_groupname).gr_gid
elif accessmode == "none":
udm_obj['sambaWriteable'] = 0
udm_obj['group'] = grp.getgrnam('nogroup').gr_gid
udm_obj.modify()
return result # TODO: How to communicate the success?
def get_shares(self,
pattern,
ldap_user_read=None,
ldap_position=None,
search_base=None):
result = {}
result['shares'] = []
if not search_base.availableSchools:
MODULE.error('%s.query: No schools available to this user!' %
(self.module_name, ))
return result # empty
# sanitize the search pattern to match only role shares and only in ou
role_specified = self.valid_role_from_roleshare_name(pattern)
school_ou_specified = self.valid_school_from_roleshare_name(
pattern, search_base.availableSchools)
udm_filter = None
if school_ou_specified:
if role_specified:
udm_filter = pattern
else:
hints = []
for role in supported_roles:
hints.append(expression('name', "-".join((role, pattern))))
udm_filter = conjunction('&', hints)
else:
if role_specified:
hints = []
for school_ou in search_base.availableSchools:
hints.append(
expression('name', "-".join((pattern, school_ou))))
if hints:
udm_filter = conjunction('&', hints)
else:
# invalid pattern, ignore
hints = []
for role in supported_roles:
for school_ou in search_base.availableSchools:
hints.append(
expression('name', "-".join((role, school_ou))))
if hints:
udm_filter = conjunction('&', hints)
if not udm_filter:
MODULE.error('%s.query: invalid search filter: %s' % (
self.module_name,
pattern,
))
return result # empty
udm_modules.init(ldap_user_read, ldap_position,
udm_modules.get(self.udm_module_name))
res = udm_modules.lookup(self.udm_module_name,
None,
ldap_user_read,
base=ucr['ldap/base'],
scope='sub',
filter=udm_filter)
result['shares'] = [obj['name'] for obj in res]
return result