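def fetch_schema_from_local_ldap():
    """
    Fetch the LDAP schema from the LDAP server running on this host.

    The URI is built from the |UCR| variables `hostname` and `domainname`
    (``ldap://<hostname>.<domainname>``); no explicit port is given, so the
    scheme default applies.

    :returns: whatever :func:`__fetch_schema_from_uri` returns for that URI.
    """
    ucr = ConfigRegistry()
    ucr.load()
    # The host part must be "<hostname>.<domainname>". The previous version
    # joined the two with ':', which put the domain name where the URI's
    # port number belongs and yielded an unusable URI.
    ldap_uri = 'ldap://%(hostname)s.%(domainname)s' % ucr
    return __fetch_schema_from_uri(ldap_uri)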
def connect(options):
    """
    Bring up the S4 connector and hand it over to :func:`_connect`.

    Initialisation is retried for as long as the LDAP servers answer with
    ``ldap.SERVER_DOWN``: a warning is printed and the loop sleeps for
    `<configbasename>/s4/poll/sleep` seconds before the next attempt. Once the
    connections and the group cache are up, the active property mapping is
    dumped to ``/var/log/univention/<configbasename>-s4-mapping.log`` and the
    main loop is entered with the connector as context manager.

    :param options: parsed command line options; reads `configbasename`,
        `log_file` and `debug`.
    """
    print(time.ctime())
    ucr = ConfigRegistry()
    ucr.load()
    configbasename = options.configbasename
    poll_sleep = int(ucr['%s/s4/poll/sleep' % configbasename])

    while True:
        try:
            s4 = univention.s4connector.s4.s4.main(
                ucr, configbasename,
                logfilename=options.log_file, debug_level=options.debug)
            s4.init_ldap_connections()
            s4.init_group_cache()
        except ldap.SERVER_DOWN:
            print("Warning: Can't initialize LDAP-Connections, wait...")
            sys.stdout.flush()
            time.sleep(poll_sleep)
        else:
            break

    # log the active mapping
    mapping_log = '/var/log/univention/%s-s4-mapping.log' % configbasename
    with open(mapping_log, 'w+') as fd:
        print(repr(univention.s4connector.Mapping(s4.property)), file=fd)

    retry_rejected = ucr.get('%s/s4/retryrejected' % configbasename, 10)
    with s4 as s4:
        _connect(s4, poll_sleep, retry_rejected)
def __init__(self, userdn=None, password=None, host='localhost', base=None, start_tls=2, access=None, format=None):
    """
    Set up the caches and the LDAP access object this instance works with.

    :param userdn: bind DN for a new connection (ignored when *access* is given).
    :param password: bind password for a new connection; it is handed to
        ``ua_ldap.access`` and not stored on this object.
    :param host: LDAP host for a new connection.
    :param base: search base; |UCR| `ldap/base` when empty.
    :param start_tls: forwarded to ``ua_ldap.access`` (2 is the default used
        throughout this code base for "TLS required").
    :param access: an existing access object to reuse instead of opening a new one.
    :param format: stored as ``self._format``; its meaning is decided by the
        rest of the class (not visible here).
    """
    self._cached = {}
    self._modules = {}
    self._policies = {}
    self.__reverse = {}
    self._format = format

    self._bc = ConfigRegistry()
    self._bc.load()
    # an empty/None base falls back to the configured LDAP base
    self._base = base or self._bc['ldap/base']
    self._position = ua_ldap.position(self._base)

    if access:
        self._access = access
    else:
        self._access = ua_ldap.access(
            host=host, base=self._base, binddn=userdn, bindpw=password, start_tls=start_tls)
    ua_modules.update()
def handler(dn, new, old):
    """
    Listener: mirror the SAML IdP configuration object into |UCR|.

    Only the object named by |UCR| `saml/idp/configobject` (default
    ``id=default-saml-idp,cn=univention,<ldap/base>``) is honoured; a change to
    any other IdP config object is logged at WARN level and ignored. For every
    attribute in ``LDAP_UCR_MAPPING`` that is present on the new object the
    mapped |UCR| variable is set, for every absent one it is unset. Only
    ``LdapGetAttributes`` gets a real value (a single-quoted, comma separated
    list); every other mapped key is set to the empty string.

    NOTE(review): ``new['entryDN']`` is read unconditionally, so a removal
    with an empty `new` would raise ``KeyError`` here; and the empty value
    written for the non-``LdapGetAttributes`` keys looks unintended — confirm
    both against the listener contract before relying on them.
    """
    ucr = ConfigRegistry()
    ucr.load()
    default_dn = 'id=default-saml-idp,cn=univention,%s' % ucr.get('ldap/base')
    idp_config_objectdn = ucr.get('saml/idp/configobject', default_dn)

    listener.setuid(0)
    try:
        if idp_config_objectdn != new['entryDN'][0]:
            ud.debug(
                ud.LISTENER, ud.WARN,
                'An IdP config object was modified, but it is not the object the listener is configured for (%s). Ignoring changes. DN of modified object: %s' % (idp_config_objectdn, new['entryDN']))
            return

        for key, ucr_name in LDAP_UCR_MAPPING.items():
            if key not in new:
                handler_unset(['%s' % ucr_name])
                continue
            if key == 'LdapGetAttributes':
                ucr_value = "'" + "', '".join(new[key]) + "'"
            else:
                ucr_value = ""
            handler_set(['%s=%s' % (ucr_name, ucr_value)])
    finally:
        listener.unsetuid()
def handler(dn, new, old):
    # type: (str, dict, dict) -> None
    """
    Listener: register/unregister SAML IdP hosts and restart the IdP service.

    For a host object carrying the `univention-saml` service the |UCR| variable
    ``ucs/server/saml-idp-server/<fqdn>`` is set to the host's FQDN; if the
    service was present on the old object but is gone from the new one, the
    variable is unset. After either change ``univention-saml`` is restarted via
    systemctl, but only when both the certificate and the private key named by
    `saml/idp/certificate/certificate` / `saml/idp/certificate/privatekey`
    exist on disk.

    NOTE(review): the FQDN is derived from `new` only; when the listener passes
    an empty `new` on deletion, the handler returns early and nothing is unset
    for removed hosts — confirm whether that is intended.
    """
    ucr = ConfigRegistry()
    ucr.load()
    listener.setuid(0)
    try:
        try:
            hostname = new['cn'][0].decode('UTF-8')
            domain = new['associatedDomain'][0].decode('ASCII')
        except (KeyError, IndexError):
            return
        fqdn = '%s.%s' % (hostname, domain)
        ucr_key = 'ucs/server/saml-idp-server/%s' % (fqdn,)

        service = b'univention-saml'
        if service in new.get('univentionService', []):
            handler_set(['%s=%s' % (ucr_key, fqdn)])
        elif service in old.get('univentionService', []):
            handler_unset([ucr_key])
        else:
            return

        # restart only with a usable key pair; otherwise the service could not come up
        path_to_cert = ucr.get('saml/idp/certificate/certificate')
        path_to_key = ucr.get('saml/idp/certificate/privatekey')
        have_cert = bool(path_to_cert) and os.path.exists(path_to_cert)
        have_key = bool(path_to_key) and os.path.exists(path_to_key)
        if have_cert and have_key:
            subprocess.call(['systemctl', 'restart', 'univention-saml'])
    finally:
        listener.unsetuid()
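def getRootDnConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
    # type: (int, List[str], bool) -> access
    """
    Open a LDAP connection to the local LDAP server with the LDAP root account.

    On a Primary (`ldap/server/type` == ``master``) this binds as ``cn=admin``
    with the password from ``/etc/ldap.secret``; on every other role it binds
    as ``cn=update`` with the password parsed out of ``/etc/ldap/rootpw.conf``.
    Both files are only readable with appropriate privileges, so callers
    normally run as root.

    :param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
    :param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
        (The mutable default is kept for interface compatibility; it is only passed through, never modified.)
    :type decode_ignorelist: list[str]
    :param bool reconnect: Automatically reconnect if the connection fails.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    """
    ucr = ConfigRegistry()
    ucr.load()
    # slapd/port may be a comma separated list; the first entry is used
    port = int(ucr.get('slapd/port', '7389').split(',')[0])
    host = ucr['hostname'] + '.' + ucr['domainname']
    base = ucr['ldap/base']

    if ucr.get('ldap/server/type', 'dummy') == 'master':
        with open('/etc/ldap.secret') as fd:
            bindpw = fd.read().rstrip('\n')
        binddn = 'cn=admin,{0}'.format(base)
    else:
        # rootpw.conf holds a single line of the form: rootpw "<password>"
        with open('/etc/ldap/rootpw.conf') as fd:
            line = fd.read().rstrip('\n')
        # strip the literal prefix once and the closing quote; plain
        # str.strip() would eat password characters from the edges
        bindpw = line.replace('rootpw "', '', 1)[:-1]
        binddn = 'cn=update,{0}'.format(base)

    return access(
        host=host, port=port, base=base, binddn=binddn, bindpw=bindpw,
        start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)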
def get_test_connection(cls, hostname=None, *args, **kwargs):
    """
    Alternate constructor: connect with the test environment's domain admin.

    The account DN in |UCR| `tests/domainadmin/account` is reduced to the value
    of its leading ``uid=`` RDN; the clear-text password is read from
    `tests/domainadmin/pwd`. Both are test-only settings.

    :param hostname: passed through as first constructor argument.
    :returns: an instance of *cls*.
    """
    ucr = ConfigRegistry()
    ucr.load()
    account_dn = ucr.get('tests/domainadmin/account')
    # "uid=Administrator,cn=users,..." -> "Administrator"
    first_rdn = account_dn.split(',', 1)[0]
    username = first_rdn[len('uid='):]
    password = ucr.get('tests/domainadmin/pwd')
    return cls(hostname, username, password, *args, **kwargs)
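def getAdminConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
    # type: (int, List[str], bool) -> access
    """
    Open a LDAP connection to the Master LDAP server using the admin credentials.

    Binds as ``cn=admin,<ldap/base>`` to |UCR| `ldap/master` with the password
    from ``/etc/ldap.secret``; reading that file requires suitable privileges.

    :param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
    :param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
        (The mutable default is kept for interface compatibility; it is only passed through, never modified.)
    :type decode_ignorelist: list[str]
    :param bool reconnect: Automatically reconnect if the connection fails.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    """
    ucr = ConfigRegistry()
    ucr.load()
    # close the secret file explicitly instead of relying on refcounting
    with open('/etc/ldap.secret') as fd:
        bindpw = fd.read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    base = ucr['ldap/base']
    return access(
        host=ucr['ldap/master'], port=port, base=base,
        binddn='cn=admin,' + base, bindpw=bindpw,
        start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)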
def getLDAPURIs(ucr=None):
    # type: (Optional[ConfigRegistry]) -> str
    """
    Return a space separated list of all configured |LDAP| servers as URIs.

    The hosts are |UCR| `ldap/server/name` followed by the whitespace separated
    entries of `ldap/server/addition`; each becomes ``ldap://<host>:<port>``
    with `ldap/server/port` (default 7389). The scheme is plain ``ldap://`` —
    any TLS has to be negotiated by the caller (e.g. StartTLS).

    :param ConfigRegistry ucr: An optional |UCR| instance; a fresh one is loaded when omitted.
    :returns: A space separated list of |LDAP| |URI|, empty when no server is configured.
    :rtype: str
    """
    if ucr is None:
        ucr = ConfigRegistry()
        ucr.load()
    port = ucr.get('ldap/server/port', '7389')

    hosts = []
    primary = ucr.get('ldap/server/name')
    if primary:
        hosts.append(primary)
    additional = ucr.get('ldap/server/addition')
    if additional:
        hosts.extend(additional.split())

    return ' '.join('ldap://%s:%s' % (host, port) for host in hosts)
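def parse_args():
    """
    Parse the command line.

    The LDAP server is taken from ``--master``, otherwise from the single
    positional argument, otherwise from |UCR| `ldap/master` (positional
    arguments are ignored when ``--master`` is given). ``-s`` selects the
    schema ID command (``GET_SCHEMA_ID``) instead of the transaction ID
    (``GET_ID``). Exits through :meth:`OptionParser.error` when more than one
    positional argument is given or no server can be determined.

    :returns: the :class:`optparse.Values` with `master` and `cmd` set.
    """
    usage = '%prog [options] [master]'
    desc = sys.modules[__name__].__doc__
    parser = OptionParser(usage=usage, description=desc)
    parser.add_option('-m', '--master', dest='master', help='LDAP Server address')
    # The misspelt '--shema' is kept as an alias so existing callers keep working.
    parser.add_option(
        '-s', '--schema', '--shema', dest='cmd', action='store_const',
        const='GET_SCHEMA_ID', default='GET_ID', help='Fetch LDAP Schema ID')
    options, args = parser.parse_args()

    if not options.master:
        if args:
            try:
                options.master, = args
            except ValueError:
                parser.error('incorrect number of arguments')
        else:
            from univention.config_registry import ConfigRegistry
            configRegistry = ConfigRegistry()
            configRegistry.load()
            options.master = configRegistry.get('ldap/master')
    if not options.master:
        parser.error('ldap/master or --master not set')
    return options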
def __init__(self, listener, name, attrs, ldap_cred, dn, adconnection_alias=None):
    """
    :param listener: listener object or None
    :param name: str, prepend to log messages
    :param attrs: {"listener": [attributes, listener, listens, on], ... }
    :param ldap_cred: {ldapserver: FQDN, binddn: cn=admin,$ldap_base, basedn: $ldap_base, bindpw: s3cr3t} or None;
        handed to :class:`UDMHelper` and not kept on this instance
    :param dn: DN of the LDAP object to work on
    :param adconnection_alias: optional Azure AD connection alias, forwarded to
        :class:`UDMHelper` and :class:`AzureHandler`

    The |UCR| instance is taken from the listener when one is given; otherwise a
    fresh one is loaded so the class can be used outside the listener.
    """
    self.listener = listener
    self.attrs = attrs
    self.dn = dn
    self.adconnection_alias = adconnection_alias
    self.udm = UDMHelper(ldap_cred, adconnection_alias)
    logger.debug('adconnection_alias=%r', adconnection_alias)

    if listener:
        self.ucr = listener.configRegistry
    else:
        # allow use of this class outside listener
        from univention.config_registry import ConfigRegistry
        self.ucr = ConfigRegistry()
        self.ucr.load()

    self.not_migrated_to_v3 = self.ucr.is_false('office365/migrate/adconnectionalias')
    self.ah = AzureHandler(self.ucr, name, self.adconnection_alias)
def main() -> None:
    """
    Set repository server.

    Exits silently when |UCR| `ldap/hostdn` is unset (no host object, so no
    policy to query). Otherwise :func:`query_policy` yields the server the
    policy prescribes. On a local repository server (`local/repository` true)
    the online server defaults to this host and the mirror source follows the
    policy; without a local repository the online server follows the policy.
    All resulting changes are committed with a single :func:`handler_set`.
    """
    ucr = ConfigRegistry()
    ucr.load()
    hostdn = ucr.get('ldap/hostdn')
    if not hostdn:
        # can't query policy without host-dn
        exit(0)

    fqdn = '%(hostname)s.%(domainname)s' % ucr
    self_update = '%(version/version)s-%(version/patchlevel)s' % ucr
    new_server, policy_update = query_policy(hostdn)
    # FIXME: policy_update / self_update are not used yet - they should be
    # passed to `univention-repository-update --updateto=`

    changes = []  # type: List[str]
    if ucr.is_true('local/repository'):
        # on a repository server
        mirror_server = ucr.get('repository/mirror/server')
        if not new_server:
            changes.append('repository/online/server?%s' % fqdn)
        elif new_server not in (mirror_server, fqdn):
            changes.append('repository/mirror/server=%s' % new_server)
    else:
        # without a local repository
        online_server = ucr.get('repository/online/server')
        if new_server and new_server != online_server:
            changes.append('repository/online/server=%s' % new_server)

    if changes:
        handler_set(changes)
def getLDAPServersCommaList(ucr=None):
    # type: (Optional[ConfigRegistry]) -> str
    """
    Return a comma separated string of all configured |LDAP| servers.

    The hosts are |UCR| `ldap/server/name` followed by the whitespace separated
    entries of `ldap/server/addition`; no port is included.

    :param ConfigRegistry ucr: An optional |UCR| instance; a fresh one is loaded when omitted.
    :returns: A comma separated list of |LDAP| host names, empty when none is configured.
    :rtype: str
    """
    if ucr is None:
        ucr = ConfigRegistry()
        ucr.load()

    hosts = []
    primary = ucr.get('ldap/server/name')
    if primary:
        hosts.append(primary)
    additional = ucr.get('ldap/server/addition')
    if additional:
        hosts.extend(additional.split())

    return ','.join(hosts)
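def getBackupConnection(start_tls=2, decode_ignorelist=[]):
    """
    Open a LDAP connection as ``cn=backup`` to the Primary, falling back to
    the first Backup.

    The password is read from ``/etc/ldap-backup.secret``. If `ldap/master`
    answers with ``ldap.SERVER_DOWN`` and |UCR| `ldap/backup` names at least one
    host, the first one is tried instead; otherwise the original exception is
    re-raised. Other LDAP errors propagate unchanged.

    Fixes over the previous version: the connection object is actually
    returned (it used to be assigned to a local and dropped, so callers got
    ``None``), the original exception is re-raised with its traceback instead
    of a fresh ``SERVER_DOWN``, and the secret file is closed explicitly.

    :param int start_tls: Negotiate TLS with server; `2` requires it to succeed.
    :param decode_ignorelist: attribute names handled as binary (passed through only).
    :return: A LDAP access object.
    """
    ucr = ConfigRegistry()
    ucr.load()
    with open('/etc/ldap-backup.secret') as fd:
        bindpw = fd.read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    base = ucr['ldap/base']
    binddn = 'cn=backup,' + base

    try:
        return access(host=ucr['ldap/master'], port=port, base=base, binddn=binddn, bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist)
    except ldap.SERVER_DOWN:
        backups = ucr['ldap/backup']
        if not backups:
            raise
        # only the first listed Backup is tried
        backup = backups.split(' ')[0]
        return access(host=backup, port=port, base=base, binddn=binddn, bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist)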
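def main():
    """
    Retrieve the current Univention Directory Notifier transaction ID.

    Connects to TCP port 6669 of the host in |UCR| `ldap/master`, announces
    protocol version 2 and prints the second line of the ``GET_ID`` reply.
    The exchange is plain TCP without authentication or TLS; the value is
    informational only. Exits with status 1 when `ldap/master` is unset or a
    socket error occurs. The socket is always closed.
    """
    configRegistry = ConfigRegistry()
    configRegistry.load()
    master = configRegistry.get('ldap/master')
    if not master:
        sys.stderr.write('Error: ldap/master not set\n')
        sys.exit(1)

    sock = None
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((master, 6669))
        sock.send('Version: 2\nCapabilities: \n\n')
        sock.recv(100)  # the server's greeting; its content is not used
        sock.send('MSGID: 1\nGET_ID\n\n')
        # NOTE: a single recv() assumes the whole (short) reply arrives at once.
        notifier_result = sock.recv(100)
        if notifier_result:
            sys.stdout.write('%s\n' % notifier_result.splitlines()[1])
    except socket.error as ex:
        sys.stderr.write('Error: %s\n' % (ex,))
        sys.exit(1)
    finally:
        # previously the socket was never closed
        if sock is not None:
            sock.close()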
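def getBackupConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
    # type: (int, List[str], bool) -> access
    """
    Open a LDAP connection as ``cn=backup`` to the Primary, falling back to
    the first Backup.

    The password is read from ``/etc/ldap-backup.secret``. If `ldap/master`
    answers with ``ldap.SERVER_DOWN`` and |UCR| `ldap/backup` names at least one
    host, the first one is tried instead; otherwise the original exception is
    re-raised. Other LDAP errors propagate unchanged.

    :param int start_tls: Negotiate TLS with server; `2` requires it to succeed.
    :param decode_ignorelist: attribute names handled as binary (passed through
        only; the mutable default is never modified here).
    :type decode_ignorelist: list[str]
    :param bool reconnect: Automatically reconnect if the connection fails.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    """
    ucr = ConfigRegistry()
    ucr.load()
    # close the secret file explicitly instead of relying on refcounting
    with open('/etc/ldap-backup.secret') as fd:
        bindpw = fd.read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    base = ucr['ldap/base']
    binddn = 'cn=backup,' + base

    def _open(host):
        return access(host=host, port=port, base=base, binddn=binddn, bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)

    try:
        return _open(ucr['ldap/master'])
    except ldap.SERVER_DOWN:
        backups = ucr['ldap/backup']
        if not backups:
            raise
        # only the first listed Backup is tried
        return _open(backups.split(' ')[0])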
def call_unjoin_script(unjoin_script_name):
    """
    Run an unjoin script from ``/usr/lib/univention-uninstall/`` with the test
    domain admin credentials and return its exit status.

    The bind DN is |UCR| `tests/domainadmin/account`; the password is handed
    over as a file path (`tests/domainadmin/pwdfile`, ``--bindpwdfile``) rather
    than as a command line argument, so it does not show up in the process
    list. *unjoin_script_name* is interpolated into the path as given — callers
    are expected to pass a plain file name. The command is run without a shell.

    :returns: the exit status as returned by :func:`subprocess.call`.
    """
    print('call_unjoin_script(%r)' % (unjoin_script_name,))
    ucr = ConfigRegistry()
    ucr.load()
    command = [
        '/usr/lib/univention-uninstall/%s' % unjoin_script_name,
        '--binddn', ucr.get('tests/domainadmin/account'),
        '--bindpwdfile', ucr.get('tests/domainadmin/pwdfile'),
    ]
    return subprocess.call(command, shell=False)
def __init__(self):
    """
    Test class constructor.

    Credentials and client start out as ``None``; only the |UCR| base DN is
    read right away (`ldap/base`).
    """
    self.username = self.password = self.hostname = self.client = None
    self.ucr = ConfigRegistry()
    self.ucr.load()
    self.ldap_base = self.ucr.get('ldap/base')
def call_join_script(name, fail_on_error=True):
    # type: (str, bool) -> int
    """
    Run the join script ``/usr/lib/univention-install/<name>`` (e.g.
    ``66foobar.inst``) with the test domain admin credentials.

    The bind DN is |UCR| `tests/domainadmin/account`; the password is handed
    over as a file path (`tests/domainadmin/pwdfile`, ``--bindpwdfile``) so it
    never appears on the command line. *name* is interpolated into the path as
    given.

    :param name: file name of the join script.
    :param fail_on_error: if true, :func:`call_cmd` calls ``fail()`` when the
        exit code is not zero.
    :returns: the exit code as returned by :func:`call_cmd`.
    """
    ucr = ConfigRegistry()
    ucr.load()
    command = [
        '/usr/lib/univention-install/%s' % name,
        '--binddn', ucr.get('tests/domainadmin/account'),
        '--bindpwdfile', ucr.get('tests/domainadmin/pwdfile'),
    ]
    return call_cmd(command, fail_on_error=fail_on_error)
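def getMachineConnection(start_tls=2, decode_ignorelist=[], ldap_master=True, secret_file="/etc/machine.secret", reconnect=True, random_server=False):
    # type: (int, List[str], bool, str, bool, bool) -> access
    """
    Open a LDAP connection using the machine credentials.

    Binds as |UCR| `ldap/hostdn` with the password from *secret_file*.

    :param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
    :param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
        (Mutable default kept for interface compatibility; only passed through.)
    :type decode_ignorelist: list[str]
    :param bool ldap_master: Open a connection to the Master if True, to the preferred LDAP server otherwise.
    :param str secret_file: The name of a file containing the password credentials.
    :param bool reconnect: Automatically reconnect if the connection fails.
    :param bool random_server: Choose a random LDAP server from ldap/server/name and ldap/server/addition.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    :raises ldap.SERVER_DOWN: when none of the configured servers could be reached
        (the last failure is raised).
    """
    ucr = ConfigRegistry()
    ucr.load()
    with open(secret_file) as fd:
        bindpw = fd.read().rstrip('\n')
    base = ucr['ldap/base']
    binddn = ucr['ldap/hostdn']

    def _open(host, port):
        return access(host=host, port=port, base=base, binddn=binddn, bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)

    if ldap_master:
        # Connect to DC Master
        return _open(ucr['ldap/master'], int(ucr.get('ldap/master/port', '7389')))

    # Connect to ldap/server/name, then to the additional servers in turn
    port = int(ucr.get('ldap/server/port', '7389'))
    servers = [ucr.get('ldap/server/name')]
    servers += ucr.get('ldap/server/addition', '').split()
    if random_server:
        random.shuffle(servers)

    last_exc = None
    for server in servers:
        try:
            return _open(server, port)
        except ldap.SERVER_DOWN as exc:
            # LDAP server down, try next server. Keep our own reference:
            # Python 3 unbinds `exc` at the end of the except clause, so the
            # former `raise exc` after the loop failed with NameError.
            last_exc = exc
    # `servers` always has at least one entry, so last_exc is set here
    raise last_exc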
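def get_ldap_master_connection(user_dn, password='univention'):
    """
    Open a simple-bind connection to the Primary (|UCR| `ldap/master`) as *user_dn*.

    :param user_dn: DN to bind as.
    :param password: bind password. The default ``'univention'`` is the
        hard-coded value this helper always used (presumably the test
        environment's default password); it is kept as the default for
        backward compatibility and must not be relied on outside test systems.
    :returns: a ``univention.uldap.access`` object.
    """
    ucr = ConfigRegistry()
    ucr.load()
    return univention.uldap.access(
        host=ucr.get('ldap/master'),
        port=int(ucr.get('ldap/master/port', '7389')),
        base=ucr.get('ldap/base'),
        binddn=user_dn,
        bindpw=password)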
def __init__(self, name, version, container_version=None, app_directory_suffix=None, package_name=None, build_package=True, call_join_scripts=True):
    """
    Test helper: describe a throw-away App Center app and optionally build
    its Debian package.

    :param name: app ID; also used as Name, as Logo base name and (first two
        characters) as Code.
    :param version: app version as declared in the ini file.
    :param container_version: UCS version stored as ``ucs_version``; this
        host's `version/version` when omitted.
    :param app_directory_suffix: suffix of the app directory; generated by
        :func:`random_version` when omitted.
    :param package_name: Debian package name; :func:`get_app_name` when omitted.
    :param build_package: build a :class:`DebianPackage` right away.
    :param call_join_scripts: only stored here; used elsewhere in the class.
    """
    self.app_name = name
    self.app_version = version
    self.call_join_scripts = call_join_scripts
    if not app_directory_suffix:
        self.app_directory_suffix = random_version()
    else:
        self.app_directory_suffix = app_directory_suffix
    self.app_directory = '%s_%s' % (self.app_name, self.app_directory_suffix)
    if package_name:
        self.package_name = package_name
    else:
        self.package_name = get_app_name()
    # package version = "<app version>.<generated part>"
    self.package_version = '%s.%s' % (version, get_app_version())
    self.ucr = ConfigRegistry()
    self.ucr.load()
    if build_package:
        self.package = DebianPackage(name=self.package_name, version=self.package_version)
        self.package.build()
    else:
        self.package = None
    # ini values as they are going to be written to the app's .ini file
    self.ini = {}
    self.ini['ID'] = self.app_name
    self.ini['Code'] = self.app_name[0:2]
    self.ini['Name'] = self.app_name
    self.ini['Version'] = self.app_version
    self.ini['NotifyVendor'] = False
    self.ini['Categories'] = 'System services'
    self.ini['Logo'] = '%s.svg' % self.app_name
    if self.package:
        self.ini['DefaultPackages'] = self.package_name
    self.ini['ServerRole'] = 'domaincontroller_master,domaincontroller_backup,domaincontroller_slave,memberserver'
    self.scripts = {}
    if not container_version:
        self.ucs_version = self.ucr.get('version/version')
    else:
        self.ucs_version = container_version
    # NOTE(review): `container_version` is interpolated here as given, even when
    # it is None (yielding "None-0,..."); presumably self.ucs_version was
    # intended - confirm before changing.
    self.ini['SupportedUCSVersions'] = '%s-0,%s-0' % (container_version, self.ucr.get('version/version'))
    self.installed = False
    # domain admin credentials from the test environment: the uid is cut out
    # of the leading "uid=...," RDN; the password is only referenced by file
    self.admin_user = self.ucr.get('tests/domainadmin/account').split(',')[0][len('uid='):]
    self.admin_pwdfile = self.ucr.get('tests/domainadmin/pwdfile')
    print repr(self)
def __init__(self):
    """
    Load |UCR| and open the local Samba directory (``sam.ldb``).

    The database is opened directly on the file with the system session,
    i.e. with local system privileges rather than a network logon; the
    credentials are guessed from the Samba configuration (``Credentials.guess``).
    """
    self.configRegistry = ConfigRegistry()
    self.configRegistry.load()

    loadparm = LoadParm()
    credentials = Credentials()
    credentials.guess(loadparm)
    self.samdb = SamDB(
        url='/var/lib/samba/private/sam.ldb',
        session_info=system_session(),
        credentials=credentials,
        lp=loadparm)
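def getRootDnConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
    # type: (int, List[str], bool) -> access
    """
    Open a LDAP connection to the local LDAP server with the LDAP root account.

    On a Primary (`ldap/server/type` == ``master``) this binds as ``cn=admin``
    with the password from ``/etc/ldap.secret``; on every other role it binds
    as ``cn=update`` with the password parsed out of ``/etc/ldap/rootpw.conf``.

    Fix: the previous version extracted the rootpw with
    ``lstrip('rootpw "').rstrip('"')``. Both methods strip a *set of
    characters*, so a password starting with any of ``r o t p w "`` or a space,
    or ending in ``"``, was silently truncated and the bind failed. The prefix
    and the closing quote are now removed exactly once.

    :param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
    :param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
        (Mutable default kept for interface compatibility; only passed through.)
    :type decode_ignorelist: list[str]
    :param bool reconnect: Automatically reconnect if the connection fails.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    """
    ucr = ConfigRegistry()
    ucr.load()
    # slapd/port may be a comma separated list; the first entry is used
    port = int(ucr.get('slapd/port', '7389').split(',')[0])
    host = ucr['hostname'] + '.' + ucr['domainname']
    base = ucr['ldap/base']

    if ucr.get('ldap/server/type', 'dummy') == 'master':
        with open('/etc/ldap.secret') as fd:
            bindpw = fd.read().rstrip('\n')
        binddn = 'cn=admin,{0}'.format(base)
    else:
        # rootpw.conf holds a single line of the form: rootpw "<password>"
        with open('/etc/ldap/rootpw.conf') as fd:
            line = fd.read().rstrip('\n')
        prefix, suffix = 'rootpw "', '"'
        if line.startswith(prefix):
            line = line[len(prefix):]
        if line.endswith(suffix):
            line = line[:-len(suffix)]
        bindpw = line
        binddn = 'cn=update,{0}'.format(base)

    return access(
        host=host, port=port, base=base, binddn=binddn, bindpw=bindpw,
        start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)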
def config():
    """
    Test wide configuration, a.k.a. |UCR|, as a plain dict.

    Used to get some defaults if no environment variables are given. When the
    ``univention.config_registry`` module is not importable an empty dict is
    returned, so callers can always use ``.get()`` on the result.
    """
    try:
        from univention.config_registry import ConfigRegistry
    except ImportError:
        return {}
    ucr = ConfigRegistry()
    ucr.load()
    return dict(ucr)
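def postrun():
    """
    Listener post-run hook: flush nscd's group cache after a batch of changes.

    ``nscd -i group`` is run (as uid 0) only when |UCR|
    `nscd/group/invalidate_cache_on_changes` is true (default: false) and
    `nss/group/cachefile` is false (default: true). A failing command is logged
    at ERROR level and otherwise ignored (best effort: the cache just stays
    stale until the next change).

    Changes over the previous version: the bare ``except:`` no longer swallows
    ``SystemExit``/``KeyboardInterrupt``, and ``listener.unsetuid()`` runs in a
    ``finally`` block so the privilege drop cannot be skipped.
    """
    baseConfig = ConfigRegistry()
    baseConfig.load()
    invalidate = baseConfig.is_true('nscd/group/invalidate_cache_on_changes', False)
    uses_cachefile = not baseConfig.is_false('nss/group/cachefile', True)
    if not invalidate or uses_cachefile:
        return

    listener.setuid(0)
    try:
        univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, "calling 'nscd -i group'")
        listener.run('/usr/sbin/nscd', ['nscd', '-i', 'group'], uid=0)
    except Exception:
        univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "nscd -i group was not successful")
    finally:
        listener.unsetuid()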
def handler(dn, new, old):
    # type: (str, dict, dict) -> None
    """
    Listener: maintain the list of admin diary backends in |UCR|.

    When the module-level ``service_name`` is newly added to a host's
    ``univentionService`` the host's FQDN (``cn.associatedDomain``) is added to
    the space separated |UCR| variable `admin/diary/backend`; when the service
    was present on the old object it is removed. Objects without `cn` or
    `associatedDomain` are ignored. After any change ``rsyslog`` is asked to
    ``try-restart`` via ``invoke-rc.d``.
    """
    listener.setuid(0)
    try:
        in_new = service_name in new.get('univentionService', [])
        in_old = service_name in old.get('univentionService', [])
        if in_new and not in_old:
            entry, update = new, set.add
        elif in_old:
            entry, update = old, set.discard
        else:
            return

        try:
            fqdn = b'%s.%s' % (entry['cn'][0], entry['associatedDomain'][0])
        except (KeyError, IndexError):
            return

        ucr = ConfigRegistry()
        ucr.load()
        backends = set(ucr.get('admin/diary/backend', u'').split())
        update(backends, fqdn.decode('UTF-8'))
        handler_set([u'admin/diary/backend=%s' % (u' '.join(backends),)])

        subprocess.call(['invoke-rc.d', 'rsyslog', 'try-restart'])
    finally:
        listener.unsetuid()
def create_udm_adconnection(cls, alias, description=""):
    """
    Create an ``office365/ad-connection`` UDM object below
    ``cn=ad-connections,cn=office365,<ldap/base>`` and return its DN.

    :param alias: value for the object's `name` property.
    :param description: value for the object's `description` property.
    :returns: the DN of the created object.
    """
    ucr = ConfigRegistry()
    ucr.load()
    lo, _unused_position, mod = cls.init_udm("office365/ad-connection")
    container = "cn=ad-connections,cn=office365,%s" % ucr["ldap/base"]
    position = univention.admin.uldap.position(container)

    adconn = mod.object(co=None, lo=lo, position=position)
    adconn.open()
    adconn['name'] = alias
    adconn['description'] = description
    return adconn.create()
def __init__(self):
    """
    Test class constructor: only declares the attributes, no connections.

    NOTE(review): ``self.UCR`` is instantiated but ``load()`` is not called
    here (the other test constructors in this code base do load it right
    away) — presumably a setup method loads it; confirm before reading it.
    """
    self.UCR = ConfigRegistry()
    self.client = None
    self.admin_username = self.admin_password = ''
    self.ldap_master = self.gpo_reference = ''
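def get_query_limit(ucr=None):
    """
    Return the maximum number of admin diary entries a query may return.

    Read from |UCR| `admin/diary/query/limit`; anything that is not a
    non-negative integer (unset, empty, non-numeric, negative) falls back
    to 1000.

    :param ucr: optional |UCR| instance (or any mapping with ``get``), as the
        other ``ucr=None`` helpers in this code base accept; a fresh
        ConfigRegistry is loaded when omitted. Added for testability; the
        no-argument call behaves exactly as before.
    :returns: the limit as int.
    """
    if ucr is None:
        ucr = ConfigRegistry()
        ucr.load()
    default_limit = 1000
    try:
        limit = int(ucr.get('admin/diary/query/limit', ''))
    except (ValueError, TypeError):
        return default_limit
    # a negative limit makes no sense; treat it like an unset value
    return limit if limit >= 0 else default_limit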