def fetch_schema_from_local_ldap(): ucr = ConfigRegistry() ucr.load() ldap_uri = 'ldap://%(hostname)s:%(domainname)s' % ucr return __fetch_schema_from_uri(ldap_uri)
def connect(options):
print(time.ctime())
ucr = ConfigRegistry()
ucr.load()
poll_sleep = int(ucr['%s/s4/poll/sleep' % options.configbasename])
s4_init = None
while not s4_init:
try:
s4 = univention.s4connector.s4.s4.main(
ucr,
options.configbasename,
logfilename=options.log_file,
debug_level=options.debug)
s4.init_ldap_connections()
s4.init_group_cache()
s4_init = True
except ldap.SERVER_DOWN:
print("Warning: Can't initialize LDAP-Connections, wait...")
sys.stdout.flush()
time.sleep(poll_sleep)
# log the active mapping
with open('/var/log/univention/%s-s4-mapping.log' % options.configbasename,
'w+') as fd:
print(repr(univention.s4connector.Mapping(s4.property)), file=fd)
with s4 as s4:
_connect(s4, poll_sleep,
ucr.get('%s/s4/retryrejected' % options.configbasename, 10))
def __init__(self,
userdn=None,
password=None,
host='localhost',
base=None,
start_tls=2,
access=None,
format=None):
self._cached = {}
self._modules = {}
self._policies = {}
self._format = format
self._bc = ConfigRegistry()
self._bc.load()
self.__reverse = {}
if not base:
self._base = self._bc['ldap/base']
else:
self._base = base
self._position = ua_ldap.position(self._base)
if access:
self._access = access
else:
self._access = ua_ldap.access(host=host,
base=self._base,
binddn=userdn,
bindpw=password,
start_tls=start_tls)
ua_modules.update()
def handler(dn, new, old):
ucr = ConfigRegistry()
ucr.load()
idp_config_objectdn = ucr.get(
'saml/idp/configobject',
'id=default-saml-idp,cn=univention,%s' % ucr.get('ldap/base'))
listener.setuid(0)
try:
if idp_config_objectdn == new['entryDN'][0]:
for key in LDAP_UCR_MAPPING.keys():
if key in new:
ucr_value = ""
if key == 'LdapGetAttributes':
ucr_value = "'" + "', '".join(new[key]) + "'"
handler_set(['%s=%s' % (LDAP_UCR_MAPPING[key], ucr_value)])
else:
handler_unset(['%s' % LDAP_UCR_MAPPING[key]])
else:
ud.debug(
ud.LISTENER, ud.WARN,
'An IdP config object was modified, but it is not the object the listener is configured for (%s). Ignoring changes. DN of modified object: %s'
% (idp_config_objectdn, new['entryDN']))
finally:
listener.unsetuid()
def handler(dn, new, old):
# type: (str, dict, dict) -> None
ucr = ConfigRegistry()
ucr.load()
listener.setuid(0)
try:
try:
fqdn = '%s.%s' % (new['cn'][0].decode('UTF-8'), new['associatedDomain'][0].decode('ASCII'))
except (KeyError, IndexError):
return
change = False
if b'univention-saml' in new.get('univentionService', []):
handler_set(['ucs/server/saml-idp-server/%s=%s' % (fqdn, fqdn)])
change = True
elif b'univention-saml' in old.get('univentionService', []):
handler_unset(['ucs/server/saml-idp-server/%s' % (fqdn,)])
change = True
if change:
path_to_cert = ucr.get('saml/idp/certificate/certificate')
path_to_key = ucr.get('saml/idp/certificate/privatekey')
if path_to_cert and os.path.exists(path_to_cert) and path_to_key and os.path.exists(path_to_key):
subprocess.call(['systemctl', 'restart', 'univention-saml'])
finally:
listener.unsetuid()
def getRootDnConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
# type: (int, List[str], bool) -> access
"""
Open a LDAP connection to the local LDAP server with the LDAP root account.
:param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
:param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
:type decode_ignorelist: list[str]
:param bool reconnect: Automatically reconect if the connection fails.
:return: A LDAP access object.
:rtype: univention.uldap.access
"""
ucr = ConfigRegistry()
ucr.load()
port = int(ucr.get('slapd/port', '7389').split(',')[0])
host = ucr['hostname'] + '.' + ucr['domainname']
if ucr.get('ldap/server/type', 'dummy') == 'master':
bindpw = open('/etc/ldap.secret').read().rstrip('\n')
binddn = 'cn=admin,{0}'.format(ucr['ldap/base'])
else:
bindpw = open('/etc/ldap/rootpw.conf').read().rstrip('\n').replace(
'rootpw "', '', 1)[:-1]
binddn = 'cn=update,{0}'.format(ucr['ldap/base'])
return access(host=host,
port=port,
base=ucr['ldap/base'],
binddn=binddn,
bindpw=bindpw,
start_tls=start_tls,
decode_ignorelist=decode_ignorelist,
reconnect=reconnect)
def get_test_connection(cls, hostname=None, *args, **kwargs):
ucr = ConfigRegistry()
ucr.load()
username = ucr.get('tests/domainadmin/account')
username = username.split(',')[0][len('uid='):]
password = ucr.get('tests/domainadmin/pwd')
return cls(hostname, username, password, *args, **kwargs)
def getAdminConnection(
start_tls=2,
decode_ignorelist=[],
reconnect=True): # type: (int, List[str], bool) -> access
"""
Open a LDAP connection to the Master LDAP server using the admin credentials.
:param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
:param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
:type decode_ignorelist: list[str]
:param bool reconnect: Automatically reconect if the connection fails.
:return: A LDAP access object.
:rtype: univention.uldap.access
"""
ucr = ConfigRegistry()
ucr.load()
bindpw = open('/etc/ldap.secret').read().rstrip('\n')
port = int(ucr.get('ldap/master/port', '7389'))
return access(host=ucr['ldap/master'],
port=port,
base=ucr['ldap/base'],
binddn='cn=admin,' + ucr['ldap/base'],
bindpw=bindpw,
start_tls=start_tls,
decode_ignorelist=decode_ignorelist,
reconnect=reconnect)
def getLDAPURIs(ucr=None):
# type: (Optional[ConfigRegistry]) -> str
"""
Returns a space separated list of all configured |LDAP| servers, according to |UCR| variables
`ldap/server/name` and `ldap/server/addition`.
:param ConfigRegistry ucr: An optional |UCR| instance.
:returns: A space separated list of |LDAP| |URI|.
:rtype: str
"""
if ucr is None:
ucr = ConfigRegistry()
ucr.load()
uri_string = ''
ldaphosts = []
port = ucr.get('ldap/server/port', '7389')
ldap_server_name = ucr.get('ldap/server/name')
ldap_server_addition = ucr.get('ldap/server/addition')
if ldap_server_name:
ldaphosts.append(ldap_server_name)
if ldap_server_addition:
ldaphosts.extend(ldap_server_addition.split())
if ldaphosts:
urilist = ["ldap://%s:%s" % (host, port) for host in ldaphosts]
uri_string = ' '.join(urilist)
return uri_string
def parse_args():
usage = '%prog [options] [master]'
desc = sys.modules[__name__].__doc__
parser = OptionParser(usage=usage, description=desc)
parser.add_option('-m',
'--master',
dest='master',
help='LDAP Server address')
parser.add_option('-s',
'--shema',
dest='cmd',
action='store_const',
const='GET_SCHEMA_ID',
default='GET_ID',
help='Fetch LDAP Schema ID')
(options, args) = parser.parse_args()
if not options.master:
if args:
try:
options.master, = args
except ValueError:
parser.error('incorrect number of arguments')
else:
from univention.config_registry import ConfigRegistry
configRegistry = ConfigRegistry()
configRegistry.load()
options.master = configRegistry.get('ldap/master')
if not options.master:
parser.error('ldap/master or --master not set')
return options
def __init__(self,
listener,
name,
attrs,
ldap_cred,
dn,
adconnection_alias=None):
"""
:param listener: listener object or None
:param name: str, prepend to log messages
:param attrs: {"listener": [attributes, listener, listens, on], ... }
:param ldap_cred: {ldapserver: FQDN, binddn: cn=admin,$ldap_base, basedn: $ldap_base, bindpw: s3cr3t} or None
:param dn of LDAP object to work on
"""
self.listener = listener
self.attrs = attrs
self.udm = UDMHelper(ldap_cred, adconnection_alias)
# self.ldap_cred = ldap_cred
self.dn = dn
self.adconnection_alias = adconnection_alias
logger.debug('adconnection_alias=%r', adconnection_alias)
if self.listener:
self.ucr = self.listener.configRegistry
else:
# allow use of this class outside listener
from univention.config_registry import ConfigRegistry
self.ucr = ConfigRegistry()
self.ucr.load()
self.not_migrated_to_v3 = self.ucr.is_false(
'office365/migrate/adconnectionalias')
self.ah = AzureHandler(self.ucr, name, self.adconnection_alias)
def main() -> None:
"""
Set repository server.
"""
ucr = ConfigRegistry()
ucr.load()
hostdn = ucr.get('ldap/hostdn')
if not hostdn:
# can't query policy without host-dn
exit(0)
online_server = ucr.get('repository/online/server')
mirror_server = ucr.get('repository/mirror/server')
fqdn = '%(hostname)s.%(domainname)s' % ucr
self_update = '%(version/version)s-%(version/patchlevel)s' % ucr
ucr_variables = [] # type: List[str]
new_server, policy_update = query_policy(hostdn)
policy_update or self_update # FIXME: not used - should be pass to `univention-repository-update --updateto=`
if ucr.is_true('local/repository'):
# on a repository server
if not new_server:
ucr_variables.append('repository/online/server?%s' % fqdn)
elif new_server != mirror_server and new_server != fqdn:
ucr_variables.append('repository/mirror/server=%s' % new_server)
else:
# without a local repository
if new_server and new_server != online_server:
ucr_variables.append('repository/online/server=%s' % new_server)
if ucr_variables:
handler_set(ucr_variables)
def getLDAPServersCommaList(ucr=None):
# type: (Optional[ConfigRegistry]) -> str
"""
Returns a comma-separated string with all configured |LDAP| servers,
`ldap/server/name` and `ldap/server/addition`.
:param ConfigRegistry ucr: An optional |UCR| instance.
:returns: A space separated list of |LDAP| host names.
:rtype: str
"""
if ucr is None:
ucr = ConfigRegistry()
ucr.load()
ldap_servers = ''
ldaphosts = []
ldap_server_name = ucr.get('ldap/server/name')
ldap_server_addition = ucr.get('ldap/server/addition')
if ldap_server_name:
ldaphosts.append(ldap_server_name)
if ldap_server_addition:
ldaphosts.extend(ldap_server_addition.split())
if ldaphosts:
ldap_servers = ','.join(ldaphosts)
return ldap_servers
def getBackupConnection(start_tls=2, decode_ignorelist=[]):
ucr = ConfigRegistry()
ucr.load()
bindpw = open('/etc/ldap-backup.secret').read()
if bindpw[-1] == '\n':
bindpw = bindpw[0:-1]
port = int(ucr.get('ldap/master/port', '7389'))
try:
lo = access(host=ucr['ldap/master'],
port=port,
base=ucr['ldap/base'],
binddn='cn=backup,' + ucr['ldap/base'],
bindpw=bindpw,
start_tls=start_tls,
decode_ignorelist=decode_ignorelist)
except ldap.SERVER_DOWN, e:
if ucr['ldap/backup']:
backup = string.split(ucr['ldap/backup'], ' ')[0]
lo = access(host=backup,
port=port,
base=ucr['ldap/base'],
binddn='cn=backup,' + ucr['ldap/base'],
bindpw=bindpw,
start_tls=start_tls,
decode_ignorelist=decode_ignorelist)
else:
raise ldap.SERVER_DOWN, e
def main():
"""Retrive current Univention Directory Notifier transaction ID."""
configRegistry = ConfigRegistry()
configRegistry.load()
master = configRegistry.get('ldap/master')
if not master:
print >> sys.stderr, 'Error: ldap/master not set'
sys.exit(1)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((master, 6669))
sock.send('Version: 2\nCapabilities: \n\n')
sock.recv(100)
sock.send('MSGID: 1\nGET_ID\n\n')
notifier_result = sock.recv(100)
if notifier_result:
print "%s" % notifier_result.splitlines()[1]
except socket.error, ex:
print >> sys.stderr, 'Error: %s' % (ex, )
sys.exit(1)
def getBackupConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
ucr = ConfigRegistry()
ucr.load()
bindpw = open('/etc/ldap-backup.secret').read().rstrip('\n')
port = int(ucr.get('ldap/master/port', '7389'))
try:
return access(host=ucr['ldap/master'],
port=port,
base=ucr['ldap/base'],
binddn='cn=backup,' + ucr['ldap/base'],
bindpw=bindpw,
start_tls=start_tls,
decode_ignorelist=decode_ignorelist,
reconnect=reconnect)
except ldap.SERVER_DOWN:
if not ucr['ldap/backup']:
raise
backup = ucr['ldap/backup'].split(' ')[0]
return access(host=backup,
port=port,
base=ucr['ldap/base'],
binddn='cn=backup,' + ucr['ldap/base'],
bindpw=bindpw,
start_tls=start_tls,
decode_ignorelist=decode_ignorelist,
reconnect=reconnect)
def call_unjoin_script(unjoin_script_name):
print('call_unjoin_script(%r)' % (unjoin_script_name,))
ucr = ConfigRegistry()
ucr.load()
join_script = '/usr/lib/univention-uninstall/%s' % unjoin_script_name
return subprocess.call([join_script, '--binddn', ucr.get('tests/domainadmin/account'), '--bindpwdfile', ucr.get('tests/domainadmin/pwdfile')], shell=False)
def __init__(self):
"""Test Class constructor"""
self.username = None
self.password = None
self.hostname = None
self.client = None
self.ucr = ConfigRegistry()
self.ucr.load()
self.ldap_base = self.ucr.get('ldap/base')
def call_join_script(name, fail_on_error=True):
# type: (str, bool) -> int
"""
Calls the given join script (e.g. name='66foobar.inst').
If fail is true, then the function fail() is called if the exitcode is not zero.
"""
ucr = ConfigRegistry()
ucr.load()
return call_cmd(['/usr/lib/univention-install/%s' % name, '--binddn', ucr.get('tests/domainadmin/account'), '--bindpwdfile', ucr.get('tests/domainadmin/pwdfile')], fail_on_error=fail_on_error)
def getMachineConnection(start_tls=2,
decode_ignorelist=[],
ldap_master=True,
secret_file="/etc/machine.secret",
reconnect=True,
random_server=False):
# type: (int, List[str], bool, str, bool) -> access
"""
Open a LDAP connection using the machine credentials.
:param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
:param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
:type decode_ignorelist: list[str]
:param bool ldap_master: Open a connection to the Master if True, to the preferred LDAP server otherwise.
:param str secret_file: The name of a file containing the password credentials.
:param bool reconnect: Automatically reconnect if the connection fails.
:param bool random_server: Choose a random LDAP server from ldap/server/name and ldap/server/addition.
:return: A LDAP access object.
:rtype: univention.uldap.access
"""
ucr = ConfigRegistry()
ucr.load()
bindpw = open(secret_file).read().rstrip('\n')
if ldap_master:
# Connect to DC Master
port = int(ucr.get('ldap/master/port', '7389'))
return access(host=ucr['ldap/master'],
port=port,
base=ucr['ldap/base'],
binddn=ucr['ldap/hostdn'],
bindpw=bindpw,
start_tls=start_tls,
decode_ignorelist=decode_ignorelist,
reconnect=reconnect)
else:
# Connect to ldap/server/name
port = int(ucr.get('ldap/server/port', '7389'))
servers = [ucr.get('ldap/server/name')]
servers += ucr.get('ldap/server/addition', '').split()
if random_server:
random.shuffle(servers)
for server in servers:
try:
return access(host=server,
port=port,
base=ucr['ldap/base'],
binddn=ucr['ldap/hostdn'],
bindpw=bindpw,
start_tls=start_tls,
decode_ignorelist=decode_ignorelist,
reconnect=reconnect)
#LDAP server down, try next server
except ldap.SERVER_DOWN as exc:
pass
raise exc
def get_ldap_master_connection(user_dn):
ucr = ConfigRegistry()
ucr.load()
return univention.uldap.access(host=ucr.get('ldap/master'),
port=int(ucr.get('ldap/master/port',
'7389')),
base=ucr.get('ldap/base'),
binddn=user_dn,
bindpw='univention')
def __init__(self, name, version, container_version=None, app_directory_suffix=None, package_name=None, build_package=True, call_join_scripts=True):
self.app_name = name
self.app_version = version
self.call_join_scripts = call_join_scripts
if not app_directory_suffix:
self.app_directory_suffix = random_version()
else:
self.app_directory_suffix = app_directory_suffix
self.app_directory = '%s_%s' % (self.app_name, self.app_directory_suffix)
if package_name:
self.package_name = package_name
else:
self.package_name = get_app_name()
self.package_version = '%s.%s' % (version, get_app_version())
self.ucr = ConfigRegistry()
self.ucr.load()
if build_package:
self.package = DebianPackage(name=self.package_name, version=self.package_version)
self.package.build()
else:
self.package = None
self.ini = {}
self.ini['ID'] = self.app_name
self.ini['Code'] = self.app_name[0:2]
self.ini['Name'] = self.app_name
self.ini['Version'] = self.app_version
self.ini['NotifyVendor'] = False
self.ini['Categories'] = 'System services'
self.ini['Logo'] = '%s.svg' % self.app_name
if self.package:
self.ini['DefaultPackages'] = self.package_name
self.ini['ServerRole'] = 'domaincontroller_master,domaincontroller_backup,domaincontroller_slave,memberserver'
self.scripts = {}
if not container_version:
self.ucs_version = self.ucr.get('version/version')
else:
self.ucs_version = container_version
self.ini['SupportedUCSVersions'] = '%s-0,%s-0' % (container_version, self.ucr.get('version/version'))
self.installed = False
self.admin_user = self.ucr.get('tests/domainadmin/account').split(',')[0][len('uid='):]
self.admin_pwdfile = self.ucr.get('tests/domainadmin/pwdfile')
print repr(self)
def __init__(self):
self.configRegistry = ConfigRegistry()
self.configRegistry.load()
lp = LoadParm()
creds = Credentials()
creds.guess(lp)
self.samdb = SamDB(url='/var/lib/samba/private/sam.ldb',
session_info=system_session(),
credentials=creds,
lp=lp)
def getRootDnConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
ucr = ConfigRegistry()
ucr.load()
port = int(ucr.get('slapd/port', '7389').split(',')[0])
host = ucr['hostname'] + '.' + ucr['domainname']
if ucr.get('ldap/server/type', 'dummy') == 'master':
bindpw = open('/etc/ldap.secret').read().rstrip('\n')
binddn = 'cn=admin,{0}'.format(ucr['ldap/base'])
else:
bindpw = open('/etc/ldap/rootpw.conf').read().rstrip('\n').lstrip('rootpw "').rstrip('"')
binddn = 'cn=update,{0}'.format(ucr['ldap/base'])
return access(host=host, port=port, base=ucr['ldap/base'], binddn=binddn, bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
def config():
"""Test wide Configuration aka UCR
Used to get some defaults if not environment variables are
given. But if UCR is not avaiable, returns an empty dict...
"""
try:
from univention.config_registry import ConfigRegistry
ucr = ConfigRegistry()
ucr.load()
return dict(ucr)
except ImportError:
return {}
def postrun():
baseConfig = ConfigRegistry()
baseConfig.load()
if baseConfig.is_true('nscd/group/invalidate_cache_on_changes', False) and baseConfig.is_false('nss/group/cachefile', True):
listener.setuid(0)
try:
univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, "calling 'nscd -i group'")
listener.run('/usr/sbin/nscd', ['nscd', '-i', 'group'], uid=0)
except:
univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "nscd -i group was not successful")
listener.unsetuid()
def handler(dn, new, old):
# type: (str, dict, dict) -> None
listener.setuid(0)
try:
change = False
new_has_service = service_name in new.get('univentionService', [])
old_has_service = service_name in old.get('univentionService', [])
if new_has_service and not old_has_service:
try:
fqdn = b'%s.%s' % (new['cn'][0], new['associatedDomain'][0])
except (KeyError, IndexError):
return
ucr = ConfigRegistry()
ucr.load()
old_ucr_value = ucr.get('admin/diary/backend', u'')
fqdn_set = set(old_ucr_value.split())
fqdn_set.add(fqdn.decode('utf-8'))
new_ucr_value = u' '.join(fqdn_set)
handler_set([u'admin/diary/backend=%s' % (new_ucr_value,)])
change = True
elif old_has_service:
try:
fqdn = b'%s.%s' % (old['cn'][0], old['associatedDomain'][0])
except (KeyError, IndexError):
return
ucr = ConfigRegistry()
ucr.load()
old_ucr_value = ucr.get('admin/diary/backend', u'')
fqdn_set = set(old_ucr_value.split())
fqdn_set.discard(fqdn.decode('UTF-8'))
new_ucr_value = u' '.join(fqdn_set)
handler_set([u'admin/diary/backend=%s' % (new_ucr_value,)])
change = True
if change:
subprocess.call(['invoke-rc.d', 'rsyslog', 'try-restart'])
finally:
listener.unsetuid()
def create_udm_adconnection(cls, alias, description=""):
ucr = ConfigRegistry()
ucr.load()
lo, po, mod = cls.init_udm("office365/ad-connection")
po = univention.admin.uldap.position(
"cn=ad-connections,cn=office365,%s" % ucr["ldap/base"])
adconn = mod.object(co=None, lo=lo, position=po)
adconn.open()
adconn['name'] = alias
adconn['description'] = description
dn = adconn.create()
return dn
def __init__(self):
"""
Test class constructor
"""
self.UCR = ConfigRegistry()
self.client = None
self.admin_username = ''
self.admin_password = ''
self.ldap_master = ''
self.gpo_reference = ''
def get_query_limit():
ucr = ConfigRegistry()
ucr.load()
limit = ucr.get('admin/diary/query/limit', '')
default_limit = 1000
try:
limit = int(limit)
except ValueError:
limit = default_limit
else:
if limit < 0:
limit = default_limit
return limit
