def clean(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") ssl = cdata.get("ldap_ssl") certfile = None if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] if not certificate: raise forms.ValidationError( "SSL/TLS specified without certificate") else: certfile = get_certificateauthority_path(certificate) port = 389 if ssl == "on": port = 636 if hostname: parts = hostname.split(':') hostname = parts[0] if len(parts) > 1: port = int(parts[1]) if cdata.get("ldap_enable") is False: return cdata # self.check_for_samba_schema() try: FreeNAS_LDAP.validate_credentials(hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, port=port, certfile=certfile, ssl=ssl) except LDAPError as e: log.debug("LDAPError: type = %s", type(e)) error = [] try: error.append(e.args[0]['info']) error.append(e.args[0]['desc']) error = ', '.join(error) except: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: log.debug("LDAPError: type = %s", type(e)) raise forms.ValidationError("{0}".format(str(e))) return cdata
def check_for_samba_schema(self): self.clean_bindpw() cdata = self.cleaned_data binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") certfile = None ssl = cdata.get("ldap_ssl") if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) fl = FreeNAS_LDAP( host=hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, certfile=certfile, ssl=ssl) if fl.has_samba_schema(): self.instance.ldap_has_samba_schema = True else: self.instance.ldap_has_samba_schema = False
class LDAP(TestObject): def __init__(self, handler=None): super(self.__class__, self).__init__(handler) self._name = "LDAP" self.freenas_ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT) def Enabled(self): return ldap_enabled() def Test(self): try: self.freenas_ldap.open() if self.freenas_ldap._handle.whoami_s(): return self._handler.Pass("LDAP") else: return self._handler.Fail("LDAP", "Unable to query the server.") except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = "" if 'desc' in e: error = e['desc'] if 'info' in e: error = "{0}, {1}".format(error, e['info']) else: # LDAPError may have desc and info or just info so making a case that handles just info if 'info' in e: error = e['info'] else: error = str(e) return self._handler.Fail("LDAP", error) except Exception as e: return self._handler.Fail("LDAP", str(e))
def check_for_samba_schema(self): self.clean_bindpw() cdata = self.cleaned_data binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") certfile = None ssl = cdata.get("ldap_ssl") if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) fl = FreeNAS_LDAP(host=hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, certfile=certfile, ssl=ssl) if fl.has_samba_schema(): self.instance.ldap_has_samba_schema = True else: self.instance.ldap_has_samba_schema = False
def check_for_samba_schema(self): self.clean_bindpw() cdata = self.cleaned_data binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") # TODO: Usage of this function has been commented, should it be removed ? certfile = None ssl = cdata.get("ldap_ssl") if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] if certificate: with client as c: certificate = c.call('certificateauthority.query', [['id', '=', certificate.id]], {'get': True}) certfile = certificate['certificate_path'] if certificate else None fl = FreeNAS_LDAP(host=hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, certfile=certfile, ssl=ssl) if fl.has_samba_schema(): self.instance.ldap_has_samba_schema = True else: self.instance.ldap_has_samba_schema = False
def clean(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") ssl = cdata.get("ldap_ssl") certfile = None if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] if not certificate: raise forms.ValidationError( "SSL/TLS specified without certificate") else: certfile = get_certificateauthority_path(certificate) port = 389 if ssl == "on": port = 636 if hostname: parts = hostname.split(':') hostname = parts[0] if len(parts) > 1: port = int(parts[1]) # self.check_for_samba_schema() try: FreeNAS_LDAP.validate_credentials(hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, port=port, certfile=certfile, ssl=ssl) except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = [] desc = e.get('desc') info = e.get('info') if desc: error.append(desc) if info: error.append(info) if error: error = ', '.join(error) else: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: raise forms.ValidationError("{0}".format(str(e))) return cdata
def clean_ldap_bindpw(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") ssl = cdata.get("ldap_ssl") port = 389 if ssl == "on": port = 636 if hostname: parts = hostname.split(':') hostname = parts[0] if len(parts) > 1: port = int(parts[1]) certfile = None if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) try: FreeNAS_LDAP.validate_credentials( hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, port=port, certfile=certfile, ssl=ssl ) except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = [] desc = e.get('desc') info = e.get('info') if desc: error.append(desc) if info: error.append(info) if error: error = ', '.join(error) else: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: raise forms.ValidationError("{0}".format(str(e))) return bindpw
def directoryservice(self, name): """Temporary wrapper to serialize DS connectors""" if name == 'AD': ds = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) workgroups = [] domains = ds.get_domains() for d in domains: if 'nETBIOSName' in d: netbiosname = d['nETBIOSName'] workgroups.append(netbiosname) ds.workgroups = workgroups elif name == 'LDAP': ds = FreeNAS_LDAP(flags=FLAGS_DBINIT) else: raise ValueError('Unknown ds name {0}'.format(name)) data = {} for i in ('netbiosname', 'keytab_file', 'keytab_principal', 'domainname', 'use_default_domain', 'dchost', 'basedn', 'binddn', 'bindpw', 'userdn', 'groupdn', 'ssl', 'certfile', 'id', 'ad_idmap_backend', 'ds_type', 'krb_realm', 'krbname', 'kpwdname', 'krb_kdc', 'krb_admin_server', 'krb_kpasswd_server', 'workgroups'): if hasattr(ds, i): data[i] = getattr(ds, i) return data
def clean_bindpw(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") errors = [] certfile = None ssl = cdata.get("ldap_ssl") if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) ret = FreeNAS_LDAP.validate_credentials( hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, certfile=certfile, ssl=ssl, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0])
def clean_ldap_bindpw(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") ssl = cdata.get("ldap_ssl") port = 389 if ssl == "on": port = 636 if hostname: parts = hostname.split(':') hostname = parts[0] if len(parts) > 1: port = int(parts[1]) errors = [] certfile = None if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) ret = FreeNAS_LDAP.validate_credentials( hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, port=port, certfile=certfile, ssl=ssl, errors=errors ) if ret is False: raise forms.ValidationError("%s." % errors[0]) return bindpw
def clean_bindpw(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") errors = [] certfile = None ssl = cdata.get("ldap_ssl") if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) ret = FreeNAS_LDAP.validate_credentials(hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, certfile=certfile, ssl=ssl, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0])
def directoryservice(self, name): """Temporary wrapper to serialize DS connectors""" if name == 'AD': smb = self.middleware.call_sync('smb.config') ad = self.middleware.call_sync('activedirectory.config') data = { 'netbiosname': smb['netbiosname'], 'domainname': ad['domainname'], 'use_default_domain': ad['use_default_domain'], 'ad_idmap_backend': ad['idmap_backend'], 'ds_type': 1, 'krb_realm': ad['kerberos_realm']['krb_realm'], 'workgroups': smb['workgroup'], } return data elif name == 'LDAP': ds = FreeNAS_LDAP(flags=FLAGS_DBINIT) else: raise ValueError('Unknown ds name {0}'.format(name)) data = {} for i in ('netbiosname', 'keytab_file', 'keytab_principal', 'domainname', 'use_default_domain', 'dchost', 'basedn', 'binddn', 'bindpw', 'userdn', 'groupdn', 'ssl', 'certfile', 'id', 'ad_idmap_backend', 'ds_type', 'krb_realm', 'krbname', 'kpwdname', 'krb_kdc', 'krb_admin_server', 'krb_kpasswd_server', 'workgroups'): if hasattr(ds, i): data[i] = getattr(ds, i) return data
class LDAP(TestObject): def __init__(self, handler=None): super(self.__class__, self).__init__(handler) self._name = "LDAP" self.freenas_ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT) def Enabled(self): return ldap_enabled() def Test(self): try: self.freenas_ldap.open() if self.freenas_ldap._handle.whoami_s(): return self._handler.Pass("LDAP") else: return self._handler.Fail("LDAP", "Unable to query the server.") except Exception as e: return self._handler.Fail("LDAP", str(e))
def ldap_status(self): ret = False try: f = FreeNAS_LDAP(flags=FLAGS_DBINIT) f.open() if f.isOpen(): ret = True f.close() except: pass return ret
class LDAP(TestObject): def __init__(self, handler=None): super(self.__class__, self).__init__(handler) self._name = "LDAP" self.freenas_ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT) def Enabled(self): return ldap_enabled() def Test(self): try: self.freenas_ldap.open() if self.freenas_ldap._handle.whoami_s(): return self._handler.Pass("LDAP") else: return self._handler.Fail("LDAP", "Unable to query the server.") except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = [] desc = e.get('desc') info = e.get('info') if desc: error.append(desc) if info: error.append(info) if error: error = ', '.join(error) else: error = str(e) return self._handler.Fail("LDAP", error) except Exception as e: return self._handler.Fail("LDAP", str(e))
def clean_bindpw(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") hostname = cdata.get("ldap_hostname") errors = [] ret = FreeNAS_LDAP.validate_credentials( hostname, binddn=binddn, bindpw=bindpw, errors=errors ) if ret is False: raise forms.ValidationError("%s." % errors[0])
def clean_bindpw(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") hostname = cdata.get("ldap_hostname") errors = [] ret = FreeNAS_LDAP.validate_credentials(hostname, binddn=binddn, bindpw=bindpw, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0])
def add_ldap(sc): ldap = LDAP.objects.all()[0] cifs = CIFS.objects.all()[0] ldap_hostname = ldap.ldap_hostname.upper() parts = ldap_hostname.split('.') ldap_hostname = parts[0] ldap_cookie = ldap_hostname ldap_domain = 'domain/%s' % ldap_cookie ldap_section = None for key in sc.keys(): if key == ldap_domain: ldap_section = sc[key] break if not ldap_section: ldap_section = SSSDSectionDomain(ldap_domain) ldap_section.description = ldap_cookie if ldap_section.description != ldap_cookie: return ldap_defaults = [{ 'enumerate': 'true' }, { 'cache_credentials': 'true' }, { 'id_provider': 'ldap' }, { 'auth_provider': 'ldap' }, { 'chpass_provider': 'ldap' }, { 'ldap_schema': 'rfc2307bis' }, { 'ldap_force_upper_case_realm': 'true' }, { 'use_fully_qualified_names': 'false' }] for d in ldap_defaults: key = d.keys()[0] if not key in ldap_section: setattr(ldap_section, key, d[key]) ldap_section.ldap_schema = ldap.ldap_schema ldap_section.ldap_uri = "%s://%s" % ("ldaps" if ldap.ldap_ssl == 'on' else "ldap", ldap.ldap_hostname) ldap_section.ldap_search_base = ldap.ldap_basedn if ldap.ldap_usersuffix: ldap_section.ldap_user_search_base = "%s,%s" % (ldap.ldap_usersuffix, ldap.ldap_basedn) else: ldap_section.ldap_user_search_base = "%s%s" % ( ldap.ldap_basedn, "?subtree?(objectclass=posixAccount)") if ldap.ldap_groupsuffix: ldap_section.ldap_group_search_base = "%s,%s" % (ldap.ldap_groupsuffix, ldap.ldap_basedn) else: ldap_section.ldap_group_search_base = "%s%s" % ( ldap.ldap_basedn, "?subtree?(objectclass=posixGroup)") if ldap.ldap_sudosuffix: if not sc['sudo']: sc['sudo'] = SSSDSectionSUDO() sc['sssd'].add_service('sudo') ldap_section.sudo_provider = 'ldap' ldap_section.ldap_sudo_search_base = "%s,%s" % (ldap.ldap_sudosuffix, ldap.ldap_basedn) if ldap.ldap_ssl == 'on': certpath = get_certificateauthority_path(ldap.ldap_certificate) if certpath: ldap_section.ldap_tls_cacert = certpath elif ldap.ldap_ssl == 'start_tls': ldap_section.tls_reqcert = 'demand' certpath = get_certificateauthority_path(ldap.ldap_certificate) if certpath: ldap_section.ldap_tls_cacert = certpath ldap_section.ldap_id_use_start_tls = 'true' if ldap.ldap_auxiliary_parameters: lines = ldap.ldap_auxiliary_parameters.splitlines() for l in lines: parts = l.split('=', 1) if len(parts) < 2: continue setattr(ldap_section, parts[0].strip(), parts[1].strip()) ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT) if ldap.keytab_name and ldap.kerberos_realm: ldap_section.auth_provider = 'krb5' ldap_section.chpass_provider = 'krb5' ldap_section.ldap_sasl_mech = 'GSSAPI' ldap_section.ldap_sasl_authid = ldap.keytab_principal ldap_section.krb5_server = ldap.krb_kdc ldap_section.krb5_realm = ldap.krb_realm ldap_section.krb5_canonicalize = 'false' else: ldap_section.ldap_default_bind_dn = ldap.binddn ldap_section.ldap_default_authtok_type = 'password' ldap_section.ldap_default_authtok = ldap.bindpw sc[ldap_domain] = ldap_section sc['sssd'].add_domain(ldap_cookie) sc['sssd'].add_newline()
def main(): realms = KerberosRealm.objects.all() try: settings = KerberosSettings.objects.all()[0] except: settings = None kc = KerberosConfig(settings=settings) kc.create_default_config() ad = ldap = None ldap_objects = LDAP.objects.all() if ldap_objects and ldap_objects[0].ldap_enable: ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT) ad_objects = ActiveDirectory.objects.all() if ad_objects and ad_objects[0].ad_enable: ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) for kr in realms: if not kr.krb_realm: continue krb_kdc, krb_admin_server, krb_kpasswd_server = get_kerberos_servers( kr, ad, ldap) bc = KerberosConfigBindingCollection(name=kr.krb_realm) if krb_kdc: bc.append(KerberosConfigBinding(name="kdc", value=krb_kdc)) if krb_admin_server: bc.append( KerberosConfigBinding(name="admin_server", value=krb_admin_server)) if krb_kpasswd_server: bc.append( KerberosConfigBinding(name="kpasswd_server", value=krb_kpasswd_server)) bc.append( KerberosConfigBinding(name="default_domain", value=kr.krb_realm)) kc.add_bindings(['realms'], bc) bc = KerberosConfigBindingCollection() bc.append( KerberosConfigBinding(name=kr.krb_realm.lower(), value=kr.krb_realm.upper())) bc.append( KerberosConfigBinding(name=".%s" % kr.krb_realm.lower(), value=kr.krb_realm.upper())) bc.append( KerberosConfigBinding(name=kr.krb_realm.upper(), value=kr.krb_realm.upper())) bc.append( KerberosConfigBinding(name=".%s" % kr.krb_realm.upper(), value=kr.krb_realm.upper())) kc.add_bindings(['domain_realm'], bc) fp = open("/etc/krb5.conf", "w+") kc.generate_krb5_conf(stdout=fp) fp.close()
def __init__(self, handler=None): super(self.__class__, self).__init__(handler) self._name = "LDAP" self.freenas_ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
def clean(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") ssl = cdata.get("ldap_ssl") certfile = None if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] if not certificate: raise forms.ValidationError( "SSL/TLS specified without certificate") else: certfile = get_certificateauthority_path(certificate) port = 389 if ssl == "on": port = 636 if hostname: parts = hostname.split(':') hostname = parts[0] if len(parts) > 1: port = int(parts[1]) if cdata.get("ldap_enable") is False: return cdata # self.check_for_samba_schema() try: FreeNAS_LDAP.validate_credentials( hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, port=port, certfile=certfile, ssl=ssl ) except LDAPError as e: log.debug("LDAPError: type = %s", type(e)) error = [] try: error.append(e.args[0]['info']) error.append(e.args[0]['desc']) error = ', '.join(error) except: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: log.debug("LDAPError: type = %s", type(e)) raise forms.ValidationError("{0}".format(str(e))) return cdata