 def setprimarygroup(self, user_dn, group_dn):
     """Set the user's primaryGroupID to the RID of *group_dn*.

     The group is read with a base-scope search, its binary objectSid is
     decoded via ``s4.decode_sid`` and the trailing component (the text
     after the last ``-``) is written to ``primaryGroupID`` as UTF-8
     bytes through ``self.set_attribute``.  Errors from the search or a
     missing objectSid propagate to the caller.
     """
     import re
     group_entry = self.lo.search_ext_s(group_dn, ldap.SCOPE_BASE, timeout=10)
     sid_text = s4.decode_sid(group_entry[0][1]['objectSid'][0])
     # the first group is greedy, so group(2) is everything after the last '-'
     rid_match = re.search('^(.*)-(.*?)$', sid_text)
     rid = rid_match.group(2)
     self.set_attribute(user_dn, 'primaryGroupID', rid.encode('UTF-8'))
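def sid_to_ucs(s4connector, key, s4_object):
    """Copy the S4 objectSid into the UCS object's SID attribute.

    Only active when the UCR variable ``connector/s4/mapping/sid`` is
    false; the SID is then stored in ``univentionSamba4SID`` (the
    ``sambaSID`` case is handled by direct mapping).  The UCS object is
    looked up via the already mapped ``s4_object['dn']``; when the SID
    attribute is missing or holds a different value it is replaced, and
    the ``sambaSamAccount`` / ``sambaGroupMapping`` objectClass is added
    for user / group objects that lack it.

    Args:
        s4connector: connector providing ``configRegistry`` and the UCS
            LDAP connection ``lo.lo``.
        key: mapping key, only logged.
        s4_object: dict with ``dn`` and ``attributes`` of the S4 object.

    Returns:
        None; the effect is the modification of the UCS object.
    """
    ud.debug(ud.LDAP, ud.INFO, "sid_to_ucs S4 object: %r" % s4_object)
    ud.debug(ud.LDAP, ud.INFO, "sid_to_ucs S4 key: %r" % key)

    sidAttribute = 'sambaSID'
    if s4connector.configRegistry.is_false('connector/s4/mapping/sid', False):
        ud.debug(
            ud.LDAP, ud.INFO,
            'sid_to_ucs: SID mapping is disabled via UCR: connector/s4/mapping/sid'
        )
        sidAttribute = 'univentionSamba4SID'
    else:
        # This case will be handled by direct mapping
        return

    # object dn is already mapped to the UCS DN:
    ucs_dn = s4_object.get('dn')
    if not ucs_dn:
        return  # ignore
    ud.debug(ud.LDAP, ud.INFO, "sid_to_ucs: UCS DN %s" % ucs_dn)

    objectSid = s4_object['attributes'].get('objectSid', [None])[0]
    if not objectSid:
        ud.debug(ud.LDAP, ud.INFO,
                 'sid_to_ucs: objectSid not found in attributes!')
        return
    objectSid = decode_sid(objectSid)
    ud.debug(ud.LDAP, ud.INFO,
             'sid_to_ucs: objectSid found: %r' % (objectSid, ))

    # A search that matches nothing yields an empty list; guard it before
    # indexing so a vanished UCS object is logged instead of raising.
    result = s4connector.lo.lo.search(
        base=ucs_dn, scope='base', attr=[sidAttribute, 'objectClass'])
    if not result or not result[0][0]:
        ud.debug(ud.LDAP, ud.WARN,
                 'sid_to_ucs: UCS object (%s) not found' % ucs_dn)
        return
    (ucs_dn, ucs_attributes) = result[0]

    # modlist of (attribute, old_values, new_values)
    ml = []

    sambaSID = ucs_attributes.get(sidAttribute)
    if not sambaSID or objectSid.encode('ASCII') not in sambaSID:
        # NOTE(review): the new value is the objectSid attribute as carried
        # in s4_object, while the comparison above uses the decoded ASCII
        # form -- confirm the mapping layer has already converted it.
        ml.append(
            (sidAttribute, sambaSID, s4_object['attributes'].get('objectSid')))
        s4_ocs = s4_object['attributes'].get('objectClass', [])
        # a missing objectClass must not break the membership tests below
        ucs_ocs = ucs_attributes.get('objectClass') or []
        if b'user' in s4_ocs and b'sambaSamAccount' not in ucs_ocs:
            ml.append(
                ('objectClass', ucs_ocs, ucs_ocs + [b'sambaSamAccount']))
        if b'group' in s4_ocs and b'sambaGroupMapping' not in ucs_ocs:
            ml.append(
                ('objectClass', ucs_ocs, ucs_ocs + [b'sambaGroupMapping']))
    if ml:
        ud.debug(ud.LDAP, ud.INFO, 'sid_to_ucs: modlist = %r' % (ml, ))
        s4connector.lo.lo.modify(ucs_dn, ml)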
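def sid_to_s4(s4connector, key, object):
    """Write the UCS SID attribute into the S4 object's objectSid.

    Only active when ``connector/s4/mapping/sid`` is false in UCR; the UCS
    side then keeps the SID in ``univentionSamba4SID`` (``sambaSID`` is
    handled by direct mapping).  When the S4 objectSid differs from that
    value it is replaced via ``modify_ext_s`` with the Samba "provision"
    control, without which objectSid cannot be modified.

    Args:
        s4connector: connector with ``configRegistry`` and the S4 LDAP
            connection ``lo_s4.lo``.
        key: mapping key (unused).
        object: dict with the already mapped S4 ``dn`` and the UCS
            ``attributes``; the name shadows the builtin but is kept for
            existing callers.

    Returns:
        None.
    """
    ud.debug(ud.LDAP, ud.INFO, "sid_to_s4 object: %s" % object)

    sidAttribute = 'sambaSID'
    if s4connector.configRegistry.is_false('connector/s4/mapping/sid', False):
        ud.debug(
            ud.LDAP, ud.INFO,
            'sid_to_s4: SID mapping is disabled via UCR: connector/s4/mapping/sid'
        )
        sidAttribute = 'univentionSamba4SID'
    else:
        # This case will be handled by direct mapping
        return

    # search the ucs object via the SID attribute
    if sidAttribute not in object['attributes']:
        ud.debug(ud.LDAP, ud.INFO,
                 'sid_to_s4: UCS object does not have a %s' % sidAttribute)
        return
    sambaSID = object['attributes'][sidAttribute][0].decode('ASCII')

    # object dn was already mapped to the s4 DN; the filter is a fixed
    # literal, so no attribute data is interpolated into it.
    s4_dn = object['dn']
    result = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE,
                                           '(objectSid=*)', ['objectSid'])
    # the filter excludes objects without objectSid, so the list may be
    # empty; guard before indexing instead of raising IndexError
    if not result:
        ud.debug(ud.LDAP, ud.INFO,
                 'sid_to_s4: S4 object (%s) has no objectSid' % s4_dn)
        return
    (s4_dn, s4_attributes) = result[0]
    objectSid = s4_attributes.get('objectSid')
    if not objectSid:
        ud.debug(ud.LDAP, ud.INFO,
                 'sid_to_s4: S4 object (%s) has no objectSid' % s4_dn)
        return

    decoded_s4_sid = decode_sid(objectSid[0])
    if decoded_s4_sid == sambaSID:
        ud.debug(ud.LDAP, ud.INFO,
                 'sid_to_s4: objectSid and %s are equal' % sidAttribute)
        return

    # change objectSID
    #	http://serverfault.com/questions/53717/how-can-i-change-the-sid-of-a-user-account-in-the-active-directory
    #	http://technet.microsoft.com/en-us/library/cc961998.aspx

    ud.debug(
        ud.LDAP, ud.INFO, 'sid_to_s4: changing objectSid from %r to %r' %
        (decoded_s4_sid, sambaSID))
    # NOTE(review): relies on security.dom_sid() rejecting a malformed SID
    # string before anything is written -- confirm.
    new_objectSid_ndr = ndr_pack(security.dom_sid(sambaSID))
    modlist = [(ldap.MOD_REPLACE, 'objectSid', new_objectSid_ndr)]

    # objectSid modification for an Samba4 object is only possible with the "provision" control:
    LDB_CONTROL_PROVISION_OID = '1.3.6.1.4.1.7165.4.3.16'
    controls = [LDAPControl(LDB_CONTROL_PROVISION_OID, criticality=0)]
    s4connector.lo_s4.lo.modify_ext_s(s4_dn, modlist, serverctrls=controls)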
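    def getprimarygroup(self, user_dn):
        """Return the DN of the user's primary group, or None.

        Reads ``primaryGroupID`` (a RID) from *user_dn*, then scans every
        group below ``self.adldapbase`` and returns the first whose
        decoded objectSid ends in that RID.  Returns None when the user
        cannot be read, has no primaryGroupID, or no group matches.
        """
        try:
            res = self.lo.search_ext_s(user_dn, ldap.SCOPE_BASE, timeout=10)
        except Exception:
            # deliberate best-effort: an unreadable user yields None
            return None
        if not res:
            return None
        rid_values = res[0][1].get('primaryGroupID')
        if not rid_values:
            return None
        primaryGroupID = rid_values[0].decode('UTF-8')

        groups = self.lo.search_ext_s(self.adldapbase,
                                      ldap.SCOPE_SUBTREE,
                                      'objectClass=group',
                                      timeout=10)
        for group_dn, attrs in groups:
            if group_dn is None or group_dn == 'None':
                continue  # Referral
            sids = attrs.get('objectSid')
            if not sids:
                continue
            # The RID is the last '-'-separated component of the SID.  A
            # plain comparison replaces the former regex, into which the
            # directory-supplied RID was interpolated unescaped.
            if s4.decode_sid(sids[0]).rpartition('-')[2] == primaryGroupID:
                return group_dn
        return None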
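	def getprimarygroup(self, user_dn):
		"""Return the DN of the user's primary group, or None.

		Reads primaryGroupID (a RID) from the user, then scans all groups
		below self.adldapbase for the first whose decoded objectSid ends in
		that RID.  None is returned when the user cannot be read or no
		group matches.
		"""
		import re
		try:
			res = self.lo.search_ext_s(user_dn, ldap.SCOPE_BASE, timeout=10)
		except Exception:
			# best-effort lookup; a bare except would also swallow
			# KeyboardInterrupt and SystemExit
			return None
		primaryGroupID = res[0][1]['primaryGroupID'][0]
		res = self.lo.search_ext_s(self.adldapbase,
								   ldap.SCOPE_SUBTREE,
								   'objectClass=group'.encode('utf8'),
								   timeout=10)

		# the RID comes from the directory: escape it so it is matched
		# literally rather than interpreted as regex syntax
		regex = re.compile('^(.*?)-%s$' % re.escape(primaryGroupID))
		for r in res:
			if r[0] is None or r[0] == 'None':
				continue  # Referral
			if regex.search(s4.decode_sid(r[1]['objectSid'][0])):
				return r[0]
		return None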
def sid_to_ucs_mapping(s4connector, key, s4_object):
    """Map an S4 objectSid to its UCS value: the RID as ASCII bytes.

    The binary objectSid is decoded with ``decode_sid``; only its last
    ``-``-separated component (the relative identifier) is returned, as a
    one-element list of ASCII bytes.  ``s4connector`` and ``key`` are part
    of the mapping-function signature and are not used here.
    """
    ud.debug(ud.LDAP, ud.INFO, "sid_to_ucs_mapping")
    sid_text = decode_sid(s4_object['attributes']['objectSid'][0])
    _, _, rid = sid_text.rpartition('-')
    return [rid.encode('ASCII')]
	def setprimarygroup(self, user_dn, group_dn):
		"""Set the user's primaryGroupID to the RID of group_dn.

		The group's objectSid is read with a base-scope search, decoded via
		s4.decode_sid, and the part after the last '-' is stored through
		self.set_attribute.  Errors from the search or a missing objectSid
		propagate to the caller.
		"""
		import re
		group_entry = self.lo.search_ext_s(group_dn, ldap.SCOPE_BASE, timeout=10)
		sid_text = s4.decode_sid(group_entry[0][1]['objectSid'][0])
		# the first group is greedy: group(2) is everything after the last '-'
		rid = re.search('^(.*)-(.*?)$', sid_text).group(2)
		self.set_attribute(user_dn, 'primaryGroupID', rid)
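def con2ucs(s4connector, key, object):
    """Sync S4 domain-object settings into UCS after a DC object change.

    Two independent steps:

    1. The UCS sambaDomain object with the same SID (found through an
       escaped LDAP filter on ``sambaSID``) receives the intervals
       ``maxPwdAge`` / ``minPwdAge`` / ``lockoutDuration`` (stored in
       seconds) and the integer policies ``pwdHistoryLength`` /
       ``minPwdLength`` / ``pwdProperties`` from the S4 object, and is
       modified only when a value actually differs.
    2. When ``connector/s4/mapping/gpo`` is true, the S4 ``gPLink`` is
       copied to ``msGPOLink`` on the UCS base object, adding the
       ``msGPO`` objectClass if it is absent.

    Args:
        s4connector: connector with ``configRegistry`` and the UCS
            connection ``lo``.
        key: mapping key (unused).
        object: dict with ``dn`` and ``attributes`` of the S4 object; the
            name shadows the builtin but is kept for existing callers.

    Returns:
        True.
    """

    ud.debug(ud.LDAP, ud.INFO,
             'dc con2ucs: Object (%s): %s' % (object['dn'], object))

    # Search sambaDomainname object via sambaSID; format_escaped keeps the
    # decoded SID from being interpreted as LDAP filter syntax.
    object_sid = decode_sid(object['attributes']['objectSid'][0])
    sambadomainnameObject = univention.admin.handlers.settings.sambadomain.lookup(
        None, s4connector.lo, format_escaped('sambaSID={0!e}', object_sid))

    if len(sambadomainnameObject) > 1:
        ud.debug(
            ud.LDAP, ud.WARN,
            'dc con2ucs: Found more than one sambaDomainname object with sambaSID %r'
            % (object_sid, ))
    elif len(sambadomainnameObject) == 1:

        # Use the first sambaDomain
        sambadomainnameObject = sambadomainnameObject[0]

        # Do we modify this UCS object
        modify = False

        sync_times = [('maxPasswordAge', 'maxPwdAge'),
                      ('minPasswordAge', 'minPwdAge'),
                      ('lockoutDuration', 'lockoutDuration')]
        for (ucs_attr, s4_attr) in sync_times:
            ucs_time = _unixTimeInverval2seconds(
                sambadomainnameObject.get(ucs_attr, 0))
            # the S4 interval is negated before _nano2s converts it to seconds
            s4_time = _nano2s(
                int(object['attributes'].get(s4_attr, [0])[0]) * -1)

            if ucs_time != s4_time:
                sambadomainnameObject[ucs_attr] = [str(s4_time), 'seconds']
                modify = True

        sync_integers = [('passwordHistory', 'pwdHistoryLength'),
                         ('passwordLength', 'minPwdLength'),
                         ('domainPwdProperties', 'pwdProperties')]
        for (ucs_attr, s4_attr) in sync_integers:
            ucs_val = sambadomainnameObject.get(ucs_attr, 0)
            s4_raw = object['attributes'].get(s4_attr, [None])[0]
            if s4_raw is None:
                # attribute absent on the S4 side: nothing to sync (the
                # previous code would have failed on None.decode())
                continue
            # decode before comparing: the UDM value is text while the LDAP
            # value is bytes, so a raw compare would always report a change
            s4_val = s4_raw.decode('UTF-8')
            if ucs_val != s4_val:
                sambadomainnameObject[ucs_attr] = s4_val
                modify = True

        if modify:
            sambadomainnameObject.modify()

    if s4connector.configRegistry.is_true('connector/s4/mapping/gpo', True):
        # Search DC object via ldap search

        dn, attr = s4connector.lo.search('objectClass=*', scope='base')[0]
        ml = []

        ucs_val = attr.get('msGPOLink')
        s4_val = object['attributes'].get('gPLink')

        if ucs_val != s4_val:
            if b'msGPO' not in attr.get('objectClass', []):
                ml.append(('objectClass', b'', b'msGPO'))

            ml.append(('msGPOLink', ucs_val, s4_val))

        if ml:
            s4connector.lo.modify(dn, ml)

    return True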