def clean_ldap_bindpw(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
ssl = cdata.get("ldap_ssl")
port = 389
if ssl == "on":
port = 636
if hostname:
parts = hostname.split(':')
hostname = parts[0]
if len(parts) > 1:
port = int(parts[1])
errors = []
certfile = None
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
ret = FreeNAS_LDAP.validate_credentials(
hostname, binddn=binddn, bindpw=bindpw, basedn=basedn,
port=port, certfile=certfile, ssl=ssl, errors=errors
)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
return bindpw
def check_for_samba_schema(self):
self.clean_bindpw()
cdata = self.cleaned_data
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
certfile = None
ssl = cdata.get("ldap_ssl")
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
fl = FreeNAS_LDAP(host=hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
certfile=certfile,
ssl=ssl)
if fl.has_samba_schema():
self.instance.ldap_has_samba_schema = True
else:
self.instance.ldap_has_samba_schema = False
def clean_bindpw(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
errors = []
certfile = None
ssl = cdata.get("ldap_ssl")
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
ret = FreeNAS_LDAP.validate_credentials(hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
certfile=certfile,
ssl=ssl,
errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
def ldap_conf_ldap(ldap_conf):
try:
ldap = models.LDAP.objects.all()[0]
except:
sys.exit(0)
f = open(ldap_conf, "w")
f.write("uri %s://%s\n" % (
"ldaps" if ldap.ldap_ssl == "on" else "ldap",
ldap.ldap_hostname
))
f.write("base %s\n" % ldap.ldap_basedn)
if ldap.ldap_ssl in ("start_tls", "on"):
f.write("ssl %s\n" % ldap.ldap_ssl)
capath = get_certificateauthority_path(ldap.ldap_certificate)
if capath:
f.write("tls_cacert %s\n" % capath)
f.write("tls_reqcert allow\n")
f.write("scope sub\n")
f.write("timelimit 30\n")
f.write("bind_timelimit 30\n")
f.write("bind_policy soft\n")
# f.write("nss_map_attribute homeDirectory unixHomeDirectory\n")
f.write("nss_override_attribute_value loginShell /bin/sh\n")
if ldap.ldap_auxiliary_parameters:
f.write(ldap.ldap_auxiliary_parameters)
f.close()
os.chmod(ldap_conf, 0644)
def clean_bindpw(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
errors = []
certfile = None
ssl = cdata.get("ldap_ssl")
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
ret = FreeNAS_LDAP.validate_credentials(
hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
certfile=certfile,
ssl=ssl,
errors=errors)
if ret is False:
raise forms.ValidationError("%s." % errors[0])
def clean(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
ssl = cdata.get("ldap_ssl")
certfile = None
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
if not certificate:
raise forms.ValidationError(
"SSL/TLS specified without certificate")
else:
certfile = get_certificateauthority_path(certificate)
port = 389
if ssl == "on":
port = 636
if hostname:
parts = hostname.split(':')
hostname = parts[0]
if len(parts) > 1:
port = int(parts[1])
if cdata.get("ldap_enable") is False:
return cdata
# self.check_for_samba_schema()
try:
FreeNAS_LDAP.validate_credentials(hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
port=port,
certfile=certfile,
ssl=ssl)
except LDAPError as e:
log.debug("LDAPError: type = %s", type(e))
error = []
try:
error.append(e.args[0]['info'])
error.append(e.args[0]['desc'])
error = ', '.join(error)
except:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
log.debug("LDAPError: type = %s", type(e))
raise forms.ValidationError("{0}".format(str(e)))
return cdata
def check_for_samba_schema(self):
self.clean_bindpw()
cdata = self.cleaned_data
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
certfile = None
ssl = cdata.get("ldap_ssl")
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
fl = FreeNAS_LDAP(
host=hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
certfile=certfile,
ssl=ssl)
if fl.has_samba_schema():
self.instance.ldap_has_samba_schema = True
else:
self.instance.ldap_has_samba_schema = False
def clean(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
ssl = cdata.get("ldap_ssl")
certfile = None
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
if not certificate:
raise forms.ValidationError(
"SSL/TLS specified without certificate")
else:
certfile = get_certificateauthority_path(certificate)
port = 389
if ssl == "on":
port = 636
if hostname:
parts = hostname.split(':')
hostname = parts[0]
if len(parts) > 1:
port = int(parts[1])
# self.check_for_samba_schema()
try:
FreeNAS_LDAP.validate_credentials(hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
port=port,
certfile=certfile,
ssl=ssl)
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = []
desc = e.get('desc')
info = e.get('info')
if desc:
error.append(desc)
if info:
error.append(info)
if error:
error = ', '.join(error)
else:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
raise forms.ValidationError("{0}".format(str(e)))
return cdata
def clean_ldap_bindpw(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
ssl = cdata.get("ldap_ssl")
port = 389
if ssl == "on":
port = 636
if hostname:
parts = hostname.split(':')
hostname = parts[0]
if len(parts) > 1:
port = int(parts[1])
certfile = None
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
certfile = get_certificateauthority_path(certificate)
try:
FreeNAS_LDAP.validate_credentials(
hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
port=port,
certfile=certfile,
ssl=ssl
)
except LDAPError as e:
# LDAPError is dumb, it returns a list with one element for goodness knows what reason
e = e[0]
error = []
desc = e.get('desc')
info = e.get('info')
if desc:
error.append(desc)
if info:
error.append(info)
if error:
error = ', '.join(error)
else:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
raise forms.ValidationError("{0}".format(str(e)))
return bindpw
def ldap_conf_activedirectory(ldap_conf):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
config = { }
config["URI"] = "%s://%s" % (
"ldaps" if ad.ssl == "on" else "ldap",
ad.domainname
)
config["BASE"] = ad.basedn
if ad.ssl in ("start_tls", "on"):
if ad.certfile:
config["TLS_CACERT"] = ad.certfile
config["TLS_REQCERT"] = "allow"
#
# So what if the AD server is configured to use SSL or TLS,
# and the idmap backend is as well? WTF? whaddoyoudo?
#
ad = models.ActiveDirectory.objects.all()[0]
if ad.ad_idmap_backend in ("rfc2307", "ldap"):
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
idmap_url = idmap.get_url()
idmap_url = re.sub('^(ldaps?://)', '', idmap_url)
config["URI"] = "%s://%s" % (
"ldaps" if idmap.get_ssl() == "on" else "ldap",
idmap_url
)
if idmap.get_ssl() in ('start_tls', 'on'):
capath = get_certificateauthority_path(idmap.get_certificate())
if capath:
config["TLS_CACERT"] = capath
config["TLS_REQCERT"] = "allow"
keys = ["URI", "BASE", "TLS_CACERT", "TLS_REQCERT"]
with open(ldap_conf, "w") as f:
for key in keys:
if key in config:
f.write("%s %s\n" % (key, config[key]))
f.close()
os.chmod(ldap_conf, 0644)
def ldap_conf_ldap(ldap_conf):
try:
ldap = models.LDAP.objects.all()[0]
except:
sys.exit(0)
f = open(ldap_conf, "w")
f.write("URI %s://%s\n" %
("ldaps" if ldap.ldap_ssl == "on" else "ldap", ldap.ldap_hostname))
f.write("BASE %s\n" % ldap.ldap_basedn)
if ldap.ldap_ssl in ("start_tls", "on"):
capath = get_certificateauthority_path(ldap.ldap_certificate)
if capath:
f.write("TLS_CACERT %s\n" % capath)
f.write("TLS_REQCERT allow\n")
f.close()
os.chmod(ldap_conf, 0644)
def ldap_conf_ldap(ldap_conf):
try:
ldap = models.LDAP.objects.all()[0]
except:
sys.exit(0)
f = open(ldap_conf, "w")
f.write("URI %s://%s\n" % (
"ldaps" if ldap.ldap_ssl == "on" else "ldap",
ldap.ldap_hostname
))
f.write("BASE %s\n" % ldap.ldap_basedn)
if ldap.ldap_ssl in ("start_tls", "on"):
capath = get_certificateauthority_path(ldap.ldap_certificate)
if capath:
f.write("TLS_CACERT %s\n" % capath)
f.write("TLS_REQCERT allow\n")
f.close()
os.chmod(ldap_conf, 0644)
def ldap_conf_activedirectory(ldap_conf):
ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT)
config = {}
config["URI"] = "%s://%s" % ("ldaps" if ad.ssl == "on" else "ldap",
ad.domainname)
config["BASE"] = ad.basedn
if ad.ssl in ("start_tls", "on"):
if ad.certfile:
config["TLS_CACERT"] = ad.certfile
config["TLS_REQCERT"] = "allow"
#
# So what if the AD server is configured to use SSL or TLS,
# and the idmap backend is as well? WTF? whaddoyoudo?
#
ad = models.ActiveDirectory.objects.all()[0]
if ad.ad_idmap_backend in ("rfc2307", "ldap"):
idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend)
idmap_url = idmap.get_url()
idmap_url = re.sub('^(ldaps?://)', '', idmap_url)
config["URI"] = "%s://%s" % ("ldaps" if idmap.get_ssl() == "on" else
"ldap", idmap_url)
if idmap.get_ssl() in ('start_tls', 'on'):
capath = get_certificateauthority_path(idmap.get_certificate())
if capath:
config["TLS_CACERT"] = capath
config["TLS_REQCERT"] = "allow"
keys = ["URI", "BASE", "TLS_CACERT", "TLS_REQCERT"]
with open(ldap_conf, "w") as f:
for key in keys:
if key in config:
f.write("%s %s\n" % (key, config[key]))
f.close()
os.chmod(ldap_conf, 0644)
def main():
ldap_conf = "/usr/local/etc/openldap/ldap.conf"
try:
ldap = models.LDAP.objects.all()[0]
except:
sys.exit(0)
f = open(ldap_conf, "w")
f.write("HOST %s\n" % ldap.ldap_hostname)
f.write("BASE %s\n" % ldap.ldap_basedn)
if ldap.ldap_ssl in ("start_tls", "on"):
if ldap.ldap_ssl == "on":
f.write("URI ldap://%s\n" % ldap.ldap_hostname)
capath = get_certificateauthority_path(ldap.ldap_certificate)
if capath:
f.write("TLS_CACERT %s\n" % capath)
f.write("TLS_REQCERT allow\n")
f.close()
os.chmod(ldap_conf, 0644)
def main():
ldap_conf = "/usr/local/etc/openldap/ldap.conf"
try:
ldap = models.LDAP.objects.all()[0]
except:
sys.exit(0)
f = open(ldap_conf, "w")
f.write("HOST %s\n" % ldap.ldap_hostname)
f.write("BASE %s\n" % ldap.ldap_basedn)
if ldap.ldap_ssl in ("start_tls", "on"):
if ldap.ldap_ssl == "on":
f.write("URI ldap://%s\n" % ldap.ldap_hostname)
capath = get_certificateauthority_path(ldap.ldap_certificate)
if capath:
f.write("TLS_CACERT %s\n" % capath)
f.write("TLS_REQCERT allow\n")
f.close()
os.chmod(ldap_conf, 0644)
def add_ldap(sc):
ldap = LDAP.objects.all()[0]
cifs = CIFS.objects.all()[0]
ldap_hostname = ldap.ldap_hostname.upper()
parts = ldap_hostname.split('.')
ldap_hostname = parts[0]
ldap_cookie = ldap_hostname
ldap_domain = 'domain/%s' % ldap_cookie
ldap_section = None
for key in sc.keys():
if key == ldap_domain:
ldap_section = sc[key]
break
if not ldap_section:
ldap_section = SSSDSectionDomain(ldap_domain)
ldap_section.description = ldap_cookie
if ldap_section.description != ldap_cookie:
return
ldap_defaults = [
{ 'enumerate': 'true' },
{ 'cache_credentials': 'true' },
{ 'id_provider': 'ldap'},
{ 'auth_provider': 'ldap' },
{ 'chpass_provider': 'ldap' },
{ 'ldap_schema': 'rfc2307bis' },
{ 'ldap_force_upper_case_realm': 'true' },
{ 'use_fully_qualified_names': 'true' }
]
for d in ldap_defaults:
key = d.keys()[0]
if not key in ldap_section:
setattr(ldap_section, key, d[key])
if ldap.ldap_use_default_domain:
ldap_section.use_fully_qualified_names = 'false'
ldap_section.ldap_uri = "%s://%s" % (
"ldaps" if ldap.ldap_ssl == 'on' else "ldap",
ldap.ldap_hostname
)
ldap_section.ldap_search_base = ldap.ldap_basedn
if ldap.ldap_usersuffix:
ldap_section.ldap_user_search_base = "%s,%s" % (
ldap.ldap_usersuffix, ldap.ldap_basedn
)
else:
ldap_section.ldap_user_search_base = "%s%s" % (
ldap.ldap_basedn,
"?subtree?(objectclass=posixAccount)"
)
if ldap.ldap_groupsuffix:
ldap_section.ldap_group_search_base = "%s,%s" % (
ldap.ldap_groupsuffix, ldap.ldap_basedn
)
else:
ldap_section.ldap_group_search_base = "%s%s" % (
ldap.ldap_basedn,
"?subtree?(objectclass=posixGroup)"
)
if ldap.ldap_sudosuffix:
if not sc['sudo']:
sc['sudo'] = SSSDSectionSUDO()
sc['sssd'].add_service('sudo')
ldap_section.sudo_provider = 'ldap'
ldap_section.ldap_sudo_search_base = "%s,%s" % (
ldap.ldap_sudosuffix,
ldap.ldap_basedn
)
ldap_section.ldap_default_bind_dn = ldap.ldap_binddn
ldap_section.ldap_default_authtok_type = 'password'
ldap_section.ldap_default_authtok = ldap.ldap_bindpw
if ldap.ldap_ssl == 'on':
certpath = get_certificateauthority_path(ldap.ldap_certificate)
if certpath:
ldap_section.ldap_tls_cacert = certpath
elif ldap.ldap_ssl == 'start_tls':
ldap_section.tls_reqcert = 'demand'
certpath = get_certificateauthority_path(ldap.ldap_certificate)
if certpath:
ldap_section.ldap_tls_cacert = certpath
ldap_section.ldap_id_use_start_tls = 'true'
if ldap.ldap_auxiliary_parameters:
lines = ldap.ldap_auxiliary_parameters.splitlines()
for l in lines:
parts = l.split('=')
if len(parts) < 2:
continue
setattr(ldap_section, parts[0].strip(), parts[1].strip())
sc[ldap_domain] = ldap_section
sc['sssd'].add_domain(ldap_cookie)
sc['sssd'].add_newline()
def add_ldap(sc):
ldap = LDAP.objects.all()[0]
cifs = CIFS.objects.all()[0]
ldap_hostname = ldap.ldap_hostname.upper()
parts = ldap_hostname.split('.')
ldap_hostname = parts[0]
ldap_cookie = ldap_hostname
ldap_domain = 'domain/%s' % ldap_cookie
ldap_section = None
for key in sc.keys():
if key == ldap_domain:
ldap_section = sc[key]
break
if not ldap_section:
ldap_section = SSSDSectionDomain(ldap_domain)
ldap_section.description = ldap_cookie
if ldap_section.description != ldap_cookie:
return
ldap_defaults = [
{ 'enumerate': 'true' },
{ 'cache_credentials': 'true' },
{ 'id_provider': 'ldap'},
{ 'auth_provider': 'ldap' },
{ 'chpass_provider': 'ldap' },
{ 'ldap_schema': 'rfc2307bis' },
{ 'ldap_force_upper_case_realm': 'true' },
{ 'use_fully_qualified_names': 'true' }
]
for d in ldap_defaults:
key = d.keys()[0]
if not key in ldap_section:
setattr(ldap_section, key, d[key])
if ldap.ldap_use_default_domain:
ldap_section.use_fully_qualified_names = 'false'
ldap_section.ldap_uri = "%s://%s" % (
"ldaps" if ldap.ldap_ssl == 'on' else "ldap",
ldap.ldap_hostname
)
ldap_section.ldap_search_base = ldap.ldap_basedn
if ldap.ldap_usersuffix:
ldap_section.ldap_user_search_base = "%s,%s" % (
ldap.ldap_usersuffix, ldap.ldap_basedn
)
else:
ldap_section.ldap_user_search_base = "%s%s" % (
ldap.ldap_basedn,
"?subtree?(objectclass=posixAccount)"
)
if ldap.ldap_groupsuffix:
ldap_section.ldap_group_search_base = "%s,%s" % (
ldap.ldap_groupsuffix, ldap.ldap_basedn
)
else:
ldap_section.ldap_group_search_base = "%s%s" % (
ldap.ldap_basedn,
"?subtree?(objectclass=posixGroup)"
)
if ldap.ldap_sudosuffix:
if not sc['sudo']:
sc['sudo'] = SSSDSectionSUDO()
sc['sssd'].add_service('sudo')
ldap_section.sudo_provider = 'ldap'
ldap_section.ldap_sudo_search_base = "%s,%s" % (
ldap.ldap_sudosuffix,
ldap.ldap_basedn
)
ldap_section.ldap_default_bind_dn = ldap.ldap_binddn
ldap_section.ldap_default_authtok_type = 'password'
ldap_section.ldap_default_authtok = ldap.ldap_bindpw
if ldap.ldap_ssl == 'on':
certpath = get_certificateauthority_path(ldap.ldap_certificate)
if certpath:
ldap_section.ldap_tls_cacert = certpath
elif ldap.ldap_ssl == 'start_tls':
ldap_section.tls_reqcert = 'demand'
certpath = get_certificateauthority_path(ldap.ldap_certificate)
if certpath:
ldap_section.ldap_tls_cacert = certpath
ldap_section.ldap_id_use_start_tls = 'true'
sc[ldap_domain] = ldap_section
sc['sssd'].add_domain(ldap_cookie)
sc['sssd'].add_newline()
def clean(self):
cdata = self.cleaned_data
if not cdata.get("ldap_bindpw"):
cdata["ldap_bindpw"] = self.instance.ldap_bindpw
binddn = cdata.get("ldap_binddn")
bindpw = cdata.get("ldap_bindpw")
basedn = cdata.get("ldap_basedn")
hostname = cdata.get("ldap_hostname")
ssl = cdata.get("ldap_ssl")
certfile = None
if ssl in ('start_tls', 'on'):
certificate = cdata["ldap_certificate"]
if not certificate:
raise forms.ValidationError(
"SSL/TLS specified without certificate")
else:
certfile = get_certificateauthority_path(certificate)
port = 389
if ssl == "on":
port = 636
if hostname:
parts = hostname.split(':')
hostname = parts[0]
if len(parts) > 1:
port = int(parts[1])
if cdata.get("ldap_enable") is False:
return cdata
# self.check_for_samba_schema()
try:
FreeNAS_LDAP.validate_credentials(
hostname,
binddn=binddn,
bindpw=bindpw,
basedn=basedn,
port=port,
certfile=certfile,
ssl=ssl
)
except LDAPError as e:
log.debug("LDAPError: type = %s", type(e))
error = []
try:
error.append(e.args[0]['info'])
error.append(e.args[0]['desc'])
error = ', '.join(error)
except:
error = str(e)
raise forms.ValidationError("{0}".format(error))
except Exception as e:
log.debug("LDAPError: type = %s", type(e))
raise forms.ValidationError("{0}".format(str(e)))
return cdata
def add_ldap_section(sc):
ldap = LDAP.objects.all()[0]
ldap_hostname = ldap.ldap_hostname.upper()
parts = ldap_hostname.split('.')
ldap_hostname = parts[0]
ldap_cookie = ldap_hostname
ldap_domain = 'domain/%s' % ldap_cookie
ldap_section = None
for key in sc.keys():
if key == ldap_domain:
ldap_section = sc[key]
break
if not ldap_section:
ldap_section = SSSDSectionDomain(ldap_domain)
ldap_section.description = ldap_cookie
if ldap_section.description != ldap_cookie:
return
ldap_defaults = [
{'enumerate': 'true'},
{'cache_credentials': 'true'},
{'id_provider': 'ldap'},
{'auth_provider': 'ldap'},
{'chpass_provider': 'ldap'},
{'ldap_schema': 'rfc2307bis'},
{'ldap_force_upper_case_realm': 'true'},
{'use_fully_qualified_names': 'false'}
]
for d in ldap_defaults:
key = d.keys()[0]
if key not in ldap_section:
setattr(ldap_section, key, d[key])
ldap_section.ldap_schema = ldap.ldap_schema
ldap_section.ldap_uri = "%s://%s" % (
"ldaps" if ldap.ldap_ssl == 'on' else "ldap",
ldap.ldap_hostname
)
ldap_section.ldap_search_base = ldap.ldap_basedn
if ldap.ldap_usersuffix:
ldap_section.ldap_user_search_base = "%s,%s" % (
ldap.ldap_usersuffix, ldap.ldap_basedn
)
else:
ldap_section.ldap_user_search_base = "%s%s" % (
ldap.ldap_basedn,
"?subtree?(objectclass=posixAccount)"
)
if ldap.ldap_groupsuffix:
ldap_section.ldap_group_search_base = "%s,%s" % (
ldap.ldap_groupsuffix, ldap.ldap_basedn
)
else:
ldap_section.ldap_group_search_base = "%s%s" % (
ldap.ldap_basedn,
"?subtree?(objectclass=posixGroup)"
)
if ldap.ldap_sudosuffix:
if not sc['sudo']:
sc['sudo'] = SSSDSectionSUDO()
sc['sssd'].add_service('sudo')
ldap_section.sudo_provider = 'ldap'
ldap_section.ldap_sudo_search_base = "%s,%s" % (
ldap.ldap_sudosuffix,
ldap.ldap_basedn
)
if ldap.ldap_ssl == 'on':
certpath = get_certificateauthority_path(ldap.ldap_certificate)
if certpath:
ldap_section.ldap_tls_cacert = certpath
elif ldap.ldap_ssl == 'start_tls':
ldap_section.tls_reqcert = 'demand'
certpath = get_certificateauthority_path(ldap.ldap_certificate)
if certpath:
ldap_section.ldap_tls_cacert = certpath
ldap_section.ldap_id_use_start_tls = 'true'
ldap_save = ldap
ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
if ldap.keytab_file and ldap.keytab_principal:
ldap_section.auth_provider = 'krb5'
ldap_section.chpass_provider = 'krb5'
ldap_section.ldap_sasl_mech = 'GSSAPI'
ldap_section.ldap_sasl_authid = ldap.keytab_principal
ldap_section.ldap_krb5_keytab = ldap.keytab_file
ldap_section.krb5_server = ldap.krb_kdc
ldap_section.krb5_realm = ldap.krb_realm
ldap_section.krb5_canonicalize = 'false'
else:
ldap_section.ldap_default_bind_dn = ldap.binddn
ldap_section.ldap_default_authtok_type = 'password'
ldap_section.ldap_default_authtok = ldap.bindpw
sc[ldap_domain] = ldap_section
sc['sssd'].add_domain(ldap_cookie)
sc['sssd'].add_newline()
ldap = ldap_save
if ldap.ldap_auxiliary_parameters:
path = tempfile.mktemp(dir='/tmp')
with open(path, 'wb+') as f:
f.write(ldap.ldap_auxiliary_parameters)
f.close()
aux_sc = SSSDConf(path=path, cookie=sc.cookie)
os.unlink(path)
sc.merge_config(aux_sc)
def add_ldap(sc):
ldap = LDAP.objects.all()[0]
cifs = CIFS.objects.all()[0]
ldap_hostname = ldap.ldap_hostname.upper()
parts = ldap_hostname.split('.')
ldap_hostname = parts[0]
ldap_cookie = ldap_hostname
ldap_domain = 'domain/%s' % ldap_cookie
ldap_section = None
for key in sc.keys():
if key == ldap_domain:
ldap_section = sc[key]
break
if not ldap_section:
ldap_section = SSSDSectionDomain(ldap_domain)
ldap_section.description = ldap_cookie
if ldap_section.description != ldap_cookie:
return
ldap_defaults = [{
'enumerate': 'true'
}, {
'cache_credentials': 'true'
}, {
'id_provider': 'ldap'
}, {
'auth_provider': 'ldap'
}, {
'chpass_provider': 'ldap'
}, {
'ldap_schema': 'rfc2307bis'
}, {
'ldap_force_upper_case_realm': 'true'
}, {
'use_fully_qualified_names': 'false'
}]
for d in ldap_defaults:
key = d.keys()[0]
if not key in ldap_section:
setattr(ldap_section, key, d[key])
ldap_section.ldap_schema = ldap.ldap_schema
ldap_section.ldap_uri = "%s://%s" % ("ldaps" if ldap.ldap_ssl == 'on' else
"ldap", ldap.ldap_hostname)
ldap_section.ldap_search_base = ldap.ldap_basedn
if ldap.ldap_usersuffix:
ldap_section.ldap_user_search_base = "%s,%s" % (ldap.ldap_usersuffix,
ldap.ldap_basedn)
else:
ldap_section.ldap_user_search_base = "%s%s" % (
ldap.ldap_basedn, "?subtree?(objectclass=posixAccount)")
if ldap.ldap_groupsuffix:
ldap_section.ldap_group_search_base = "%s,%s" % (ldap.ldap_groupsuffix,
ldap.ldap_basedn)
else:
ldap_section.ldap_group_search_base = "%s%s" % (
ldap.ldap_basedn, "?subtree?(objectclass=posixGroup)")
if ldap.ldap_sudosuffix:
if not sc['sudo']:
sc['sudo'] = SSSDSectionSUDO()
sc['sssd'].add_service('sudo')
ldap_section.sudo_provider = 'ldap'
ldap_section.ldap_sudo_search_base = "%s,%s" % (ldap.ldap_sudosuffix,
ldap.ldap_basedn)
if ldap.ldap_ssl == 'on':
certpath = get_certificateauthority_path(ldap.ldap_certificate)
if certpath:
ldap_section.ldap_tls_cacert = certpath
elif ldap.ldap_ssl == 'start_tls':
ldap_section.tls_reqcert = 'demand'
certpath = get_certificateauthority_path(ldap.ldap_certificate)
if certpath:
ldap_section.ldap_tls_cacert = certpath
ldap_section.ldap_id_use_start_tls = 'true'
if ldap.ldap_auxiliary_parameters:
lines = ldap.ldap_auxiliary_parameters.splitlines()
for l in lines:
parts = l.split('=', 1)
if len(parts) < 2:
continue
setattr(ldap_section, parts[0].strip(), parts[1].strip())
ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT)
if ldap.keytab_name and ldap.kerberos_realm:
ldap_section.auth_provider = 'krb5'
ldap_section.chpass_provider = 'krb5'
ldap_section.ldap_sasl_mech = 'GSSAPI'
ldap_section.ldap_sasl_authid = ldap.keytab_principal
ldap_section.krb5_server = ldap.krb_kdc
ldap_section.krb5_realm = ldap.krb_realm
ldap_section.krb5_canonicalize = 'false'
else:
ldap_section.ldap_default_bind_dn = ldap.binddn
ldap_section.ldap_default_authtok_type = 'password'
ldap_section.ldap_default_authtok = ldap.bindpw
sc[ldap_domain] = ldap_section
sc['sssd'].add_domain(ldap_cookie)
sc['sssd'].add_newline()
