def clean_ldap_bindpw(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") ssl = cdata.get("ldap_ssl") port = 389 if ssl == "on": port = 636 if hostname: parts = hostname.split(':') hostname = parts[0] if len(parts) > 1: port = int(parts[1]) errors = [] certfile = None if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) ret = FreeNAS_LDAP.validate_credentials( hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, port=port, certfile=certfile, ssl=ssl, errors=errors ) if ret is False: raise forms.ValidationError("%s." % errors[0]) return bindpw
def check_for_samba_schema(self): self.clean_bindpw() cdata = self.cleaned_data binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") certfile = None ssl = cdata.get("ldap_ssl") if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) fl = FreeNAS_LDAP(host=hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, certfile=certfile, ssl=ssl) if fl.has_samba_schema(): self.instance.ldap_has_samba_schema = True else: self.instance.ldap_has_samba_schema = False
def clean_bindpw(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") errors = [] certfile = None ssl = cdata.get("ldap_ssl") if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) ret = FreeNAS_LDAP.validate_credentials(hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, certfile=certfile, ssl=ssl, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0])
def ldap_conf_ldap(ldap_conf): try: ldap = models.LDAP.objects.all()[0] except: sys.exit(0) f = open(ldap_conf, "w") f.write("uri %s://%s\n" % ( "ldaps" if ldap.ldap_ssl == "on" else "ldap", ldap.ldap_hostname )) f.write("base %s\n" % ldap.ldap_basedn) if ldap.ldap_ssl in ("start_tls", "on"): f.write("ssl %s\n" % ldap.ldap_ssl) capath = get_certificateauthority_path(ldap.ldap_certificate) if capath: f.write("tls_cacert %s\n" % capath) f.write("tls_reqcert allow\n") f.write("scope sub\n") f.write("timelimit 30\n") f.write("bind_timelimit 30\n") f.write("bind_policy soft\n") # f.write("nss_map_attribute homeDirectory unixHomeDirectory\n") f.write("nss_override_attribute_value loginShell /bin/sh\n") if ldap.ldap_auxiliary_parameters: f.write(ldap.ldap_auxiliary_parameters) f.close() os.chmod(ldap_conf, 0644)
def clean_bindpw(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") errors = [] certfile = None ssl = cdata.get("ldap_ssl") if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) ret = FreeNAS_LDAP.validate_credentials( hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, certfile=certfile, ssl=ssl, errors=errors) if ret is False: raise forms.ValidationError("%s." % errors[0])
def clean(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") ssl = cdata.get("ldap_ssl") certfile = None if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] if not certificate: raise forms.ValidationError( "SSL/TLS specified without certificate") else: certfile = get_certificateauthority_path(certificate) port = 389 if ssl == "on": port = 636 if hostname: parts = hostname.split(':') hostname = parts[0] if len(parts) > 1: port = int(parts[1]) if cdata.get("ldap_enable") is False: return cdata # self.check_for_samba_schema() try: FreeNAS_LDAP.validate_credentials(hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, port=port, certfile=certfile, ssl=ssl) except LDAPError as e: log.debug("LDAPError: type = %s", type(e)) error = [] try: error.append(e.args[0]['info']) error.append(e.args[0]['desc']) error = ', '.join(error) except: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: log.debug("LDAPError: type = %s", type(e)) raise forms.ValidationError("{0}".format(str(e))) return cdata
def check_for_samba_schema(self): self.clean_bindpw() cdata = self.cleaned_data binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") certfile = None ssl = cdata.get("ldap_ssl") if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) fl = FreeNAS_LDAP( host=hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, certfile=certfile, ssl=ssl) if fl.has_samba_schema(): self.instance.ldap_has_samba_schema = True else: self.instance.ldap_has_samba_schema = False
def clean(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") ssl = cdata.get("ldap_ssl") certfile = None if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] if not certificate: raise forms.ValidationError( "SSL/TLS specified without certificate") else: certfile = get_certificateauthority_path(certificate) port = 389 if ssl == "on": port = 636 if hostname: parts = hostname.split(':') hostname = parts[0] if len(parts) > 1: port = int(parts[1]) # self.check_for_samba_schema() try: FreeNAS_LDAP.validate_credentials(hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, port=port, certfile=certfile, ssl=ssl) except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = [] desc = e.get('desc') info = e.get('info') if desc: error.append(desc) if info: error.append(info) if error: error = ', '.join(error) else: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: raise forms.ValidationError("{0}".format(str(e))) return cdata
def clean_ldap_bindpw(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") ssl = cdata.get("ldap_ssl") port = 389 if ssl == "on": port = 636 if hostname: parts = hostname.split(':') hostname = parts[0] if len(parts) > 1: port = int(parts[1]) certfile = None if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] certfile = get_certificateauthority_path(certificate) try: FreeNAS_LDAP.validate_credentials( hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, port=port, certfile=certfile, ssl=ssl ) except LDAPError as e: # LDAPError is dumb, it returns a list with one element for goodness knows what reason e = e[0] error = [] desc = e.get('desc') info = e.get('info') if desc: error.append(desc) if info: error.append(info) if error: error = ', '.join(error) else: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: raise forms.ValidationError("{0}".format(str(e))) return bindpw
def ldap_conf_activedirectory(ldap_conf): ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) config = { } config["URI"] = "%s://%s" % ( "ldaps" if ad.ssl == "on" else "ldap", ad.domainname ) config["BASE"] = ad.basedn if ad.ssl in ("start_tls", "on"): if ad.certfile: config["TLS_CACERT"] = ad.certfile config["TLS_REQCERT"] = "allow" # # So what if the AD server is configured to use SSL or TLS, # and the idmap backend is as well? WTF? whaddoyoudo? # ad = models.ActiveDirectory.objects.all()[0] if ad.ad_idmap_backend in ("rfc2307", "ldap"): idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend) idmap_url = idmap.get_url() idmap_url = re.sub('^(ldaps?://)', '', idmap_url) config["URI"] = "%s://%s" % ( "ldaps" if idmap.get_ssl() == "on" else "ldap", idmap_url ) if idmap.get_ssl() in ('start_tls', 'on'): capath = get_certificateauthority_path(idmap.get_certificate()) if capath: config["TLS_CACERT"] = capath config["TLS_REQCERT"] = "allow" keys = ["URI", "BASE", "TLS_CACERT", "TLS_REQCERT"] with open(ldap_conf, "w") as f: for key in keys: if key in config: f.write("%s %s\n" % (key, config[key])) f.close() os.chmod(ldap_conf, 0644)
def ldap_conf_ldap(ldap_conf): try: ldap = models.LDAP.objects.all()[0] except: sys.exit(0) f = open(ldap_conf, "w") f.write("URI %s://%s\n" % ("ldaps" if ldap.ldap_ssl == "on" else "ldap", ldap.ldap_hostname)) f.write("BASE %s\n" % ldap.ldap_basedn) if ldap.ldap_ssl in ("start_tls", "on"): capath = get_certificateauthority_path(ldap.ldap_certificate) if capath: f.write("TLS_CACERT %s\n" % capath) f.write("TLS_REQCERT allow\n") f.close() os.chmod(ldap_conf, 0644)
def ldap_conf_ldap(ldap_conf): try: ldap = models.LDAP.objects.all()[0] except: sys.exit(0) f = open(ldap_conf, "w") f.write("URI %s://%s\n" % ( "ldaps" if ldap.ldap_ssl == "on" else "ldap", ldap.ldap_hostname )) f.write("BASE %s\n" % ldap.ldap_basedn) if ldap.ldap_ssl in ("start_tls", "on"): capath = get_certificateauthority_path(ldap.ldap_certificate) if capath: f.write("TLS_CACERT %s\n" % capath) f.write("TLS_REQCERT allow\n") f.close() os.chmod(ldap_conf, 0644)
def ldap_conf_activedirectory(ldap_conf): ad = FreeNAS_ActiveDirectory(flags=FLAGS_DBINIT) config = {} config["URI"] = "%s://%s" % ("ldaps" if ad.ssl == "on" else "ldap", ad.domainname) config["BASE"] = ad.basedn if ad.ssl in ("start_tls", "on"): if ad.certfile: config["TLS_CACERT"] = ad.certfile config["TLS_REQCERT"] = "allow" # # So what if the AD server is configured to use SSL or TLS, # and the idmap backend is as well? WTF? whaddoyoudo? # ad = models.ActiveDirectory.objects.all()[0] if ad.ad_idmap_backend in ("rfc2307", "ldap"): idmap = get_idmap_object(ad.ds_type, ad.id, ad.ad_idmap_backend) idmap_url = idmap.get_url() idmap_url = re.sub('^(ldaps?://)', '', idmap_url) config["URI"] = "%s://%s" % ("ldaps" if idmap.get_ssl() == "on" else "ldap", idmap_url) if idmap.get_ssl() in ('start_tls', 'on'): capath = get_certificateauthority_path(idmap.get_certificate()) if capath: config["TLS_CACERT"] = capath config["TLS_REQCERT"] = "allow" keys = ["URI", "BASE", "TLS_CACERT", "TLS_REQCERT"] with open(ldap_conf, "w") as f: for key in keys: if key in config: f.write("%s %s\n" % (key, config[key])) f.close() os.chmod(ldap_conf, 0644)
def main(): ldap_conf = "/usr/local/etc/openldap/ldap.conf" try: ldap = models.LDAP.objects.all()[0] except: sys.exit(0) f = open(ldap_conf, "w") f.write("HOST %s\n" % ldap.ldap_hostname) f.write("BASE %s\n" % ldap.ldap_basedn) if ldap.ldap_ssl in ("start_tls", "on"): if ldap.ldap_ssl == "on": f.write("URI ldap://%s\n" % ldap.ldap_hostname) capath = get_certificateauthority_path(ldap.ldap_certificate) if capath: f.write("TLS_CACERT %s\n" % capath) f.write("TLS_REQCERT allow\n") f.close() os.chmod(ldap_conf, 0644)
def add_ldap(sc): ldap = LDAP.objects.all()[0] cifs = CIFS.objects.all()[0] ldap_hostname = ldap.ldap_hostname.upper() parts = ldap_hostname.split('.') ldap_hostname = parts[0] ldap_cookie = ldap_hostname ldap_domain = 'domain/%s' % ldap_cookie ldap_section = None for key in sc.keys(): if key == ldap_domain: ldap_section = sc[key] break if not ldap_section: ldap_section = SSSDSectionDomain(ldap_domain) ldap_section.description = ldap_cookie if ldap_section.description != ldap_cookie: return ldap_defaults = [ { 'enumerate': 'true' }, { 'cache_credentials': 'true' }, { 'id_provider': 'ldap'}, { 'auth_provider': 'ldap' }, { 'chpass_provider': 'ldap' }, { 'ldap_schema': 'rfc2307bis' }, { 'ldap_force_upper_case_realm': 'true' }, { 'use_fully_qualified_names': 'true' } ] for d in ldap_defaults: key = d.keys()[0] if not key in ldap_section: setattr(ldap_section, key, d[key]) if ldap.ldap_use_default_domain: ldap_section.use_fully_qualified_names = 'false' ldap_section.ldap_uri = "%s://%s" % ( "ldaps" if ldap.ldap_ssl == 'on' else "ldap", ldap.ldap_hostname ) ldap_section.ldap_search_base = ldap.ldap_basedn if ldap.ldap_usersuffix: ldap_section.ldap_user_search_base = "%s,%s" % ( ldap.ldap_usersuffix, ldap.ldap_basedn ) else: ldap_section.ldap_user_search_base = "%s%s" % ( ldap.ldap_basedn, "?subtree?(objectclass=posixAccount)" ) if ldap.ldap_groupsuffix: ldap_section.ldap_group_search_base = "%s,%s" % ( ldap.ldap_groupsuffix, ldap.ldap_basedn ) else: ldap_section.ldap_group_search_base = "%s%s" % ( ldap.ldap_basedn, "?subtree?(objectclass=posixGroup)" ) if ldap.ldap_sudosuffix: if not sc['sudo']: sc['sudo'] = SSSDSectionSUDO() sc['sssd'].add_service('sudo') ldap_section.sudo_provider = 'ldap' ldap_section.ldap_sudo_search_base = "%s,%s" % ( ldap.ldap_sudosuffix, ldap.ldap_basedn ) ldap_section.ldap_default_bind_dn = ldap.ldap_binddn ldap_section.ldap_default_authtok_type = 'password' ldap_section.ldap_default_authtok = ldap.ldap_bindpw if ldap.ldap_ssl == 'on': certpath = get_certificateauthority_path(ldap.ldap_certificate) if certpath: ldap_section.ldap_tls_cacert = certpath elif ldap.ldap_ssl == 'start_tls': ldap_section.tls_reqcert = 'demand' certpath = get_certificateauthority_path(ldap.ldap_certificate) if certpath: ldap_section.ldap_tls_cacert = certpath ldap_section.ldap_id_use_start_tls = 'true' if ldap.ldap_auxiliary_parameters: lines = ldap.ldap_auxiliary_parameters.splitlines() for l in lines: parts = l.split('=') if len(parts) < 2: continue setattr(ldap_section, parts[0].strip(), parts[1].strip()) sc[ldap_domain] = ldap_section sc['sssd'].add_domain(ldap_cookie) sc['sssd'].add_newline()
def add_ldap(sc): ldap = LDAP.objects.all()[0] cifs = CIFS.objects.all()[0] ldap_hostname = ldap.ldap_hostname.upper() parts = ldap_hostname.split('.') ldap_hostname = parts[0] ldap_cookie = ldap_hostname ldap_domain = 'domain/%s' % ldap_cookie ldap_section = None for key in sc.keys(): if key == ldap_domain: ldap_section = sc[key] break if not ldap_section: ldap_section = SSSDSectionDomain(ldap_domain) ldap_section.description = ldap_cookie if ldap_section.description != ldap_cookie: return ldap_defaults = [ { 'enumerate': 'true' }, { 'cache_credentials': 'true' }, { 'id_provider': 'ldap'}, { 'auth_provider': 'ldap' }, { 'chpass_provider': 'ldap' }, { 'ldap_schema': 'rfc2307bis' }, { 'ldap_force_upper_case_realm': 'true' }, { 'use_fully_qualified_names': 'true' } ] for d in ldap_defaults: key = d.keys()[0] if not key in ldap_section: setattr(ldap_section, key, d[key]) if ldap.ldap_use_default_domain: ldap_section.use_fully_qualified_names = 'false' ldap_section.ldap_uri = "%s://%s" % ( "ldaps" if ldap.ldap_ssl == 'on' else "ldap", ldap.ldap_hostname ) ldap_section.ldap_search_base = ldap.ldap_basedn if ldap.ldap_usersuffix: ldap_section.ldap_user_search_base = "%s,%s" % ( ldap.ldap_usersuffix, ldap.ldap_basedn ) else: ldap_section.ldap_user_search_base = "%s%s" % ( ldap.ldap_basedn, "?subtree?(objectclass=posixAccount)" ) if ldap.ldap_groupsuffix: ldap_section.ldap_group_search_base = "%s,%s" % ( ldap.ldap_groupsuffix, ldap.ldap_basedn ) else: ldap_section.ldap_group_search_base = "%s%s" % ( ldap.ldap_basedn, "?subtree?(objectclass=posixGroup)" ) if ldap.ldap_sudosuffix: if not sc['sudo']: sc['sudo'] = SSSDSectionSUDO() sc['sssd'].add_service('sudo') ldap_section.sudo_provider = 'ldap' ldap_section.ldap_sudo_search_base = "%s,%s" % ( ldap.ldap_sudosuffix, ldap.ldap_basedn ) ldap_section.ldap_default_bind_dn = ldap.ldap_binddn ldap_section.ldap_default_authtok_type = 'password' ldap_section.ldap_default_authtok = ldap.ldap_bindpw if ldap.ldap_ssl == 'on': certpath = get_certificateauthority_path(ldap.ldap_certificate) if certpath: ldap_section.ldap_tls_cacert = certpath elif ldap.ldap_ssl == 'start_tls': ldap_section.tls_reqcert = 'demand' certpath = get_certificateauthority_path(ldap.ldap_certificate) if certpath: ldap_section.ldap_tls_cacert = certpath ldap_section.ldap_id_use_start_tls = 'true' sc[ldap_domain] = ldap_section sc['sssd'].add_domain(ldap_cookie) sc['sssd'].add_newline()
def clean(self): cdata = self.cleaned_data if not cdata.get("ldap_bindpw"): cdata["ldap_bindpw"] = self.instance.ldap_bindpw binddn = cdata.get("ldap_binddn") bindpw = cdata.get("ldap_bindpw") basedn = cdata.get("ldap_basedn") hostname = cdata.get("ldap_hostname") ssl = cdata.get("ldap_ssl") certfile = None if ssl in ('start_tls', 'on'): certificate = cdata["ldap_certificate"] if not certificate: raise forms.ValidationError( "SSL/TLS specified without certificate") else: certfile = get_certificateauthority_path(certificate) port = 389 if ssl == "on": port = 636 if hostname: parts = hostname.split(':') hostname = parts[0] if len(parts) > 1: port = int(parts[1]) if cdata.get("ldap_enable") is False: return cdata # self.check_for_samba_schema() try: FreeNAS_LDAP.validate_credentials( hostname, binddn=binddn, bindpw=bindpw, basedn=basedn, port=port, certfile=certfile, ssl=ssl ) except LDAPError as e: log.debug("LDAPError: type = %s", type(e)) error = [] try: error.append(e.args[0]['info']) error.append(e.args[0]['desc']) error = ', '.join(error) except: error = str(e) raise forms.ValidationError("{0}".format(error)) except Exception as e: log.debug("LDAPError: type = %s", type(e)) raise forms.ValidationError("{0}".format(str(e))) return cdata
def add_ldap_section(sc): ldap = LDAP.objects.all()[0] ldap_hostname = ldap.ldap_hostname.upper() parts = ldap_hostname.split('.') ldap_hostname = parts[0] ldap_cookie = ldap_hostname ldap_domain = 'domain/%s' % ldap_cookie ldap_section = None for key in sc.keys(): if key == ldap_domain: ldap_section = sc[key] break if not ldap_section: ldap_section = SSSDSectionDomain(ldap_domain) ldap_section.description = ldap_cookie if ldap_section.description != ldap_cookie: return ldap_defaults = [ {'enumerate': 'true'}, {'cache_credentials': 'true'}, {'id_provider': 'ldap'}, {'auth_provider': 'ldap'}, {'chpass_provider': 'ldap'}, {'ldap_schema': 'rfc2307bis'}, {'ldap_force_upper_case_realm': 'true'}, {'use_fully_qualified_names': 'false'} ] for d in ldap_defaults: key = d.keys()[0] if key not in ldap_section: setattr(ldap_section, key, d[key]) ldap_section.ldap_schema = ldap.ldap_schema ldap_section.ldap_uri = "%s://%s" % ( "ldaps" if ldap.ldap_ssl == 'on' else "ldap", ldap.ldap_hostname ) ldap_section.ldap_search_base = ldap.ldap_basedn if ldap.ldap_usersuffix: ldap_section.ldap_user_search_base = "%s,%s" % ( ldap.ldap_usersuffix, ldap.ldap_basedn ) else: ldap_section.ldap_user_search_base = "%s%s" % ( ldap.ldap_basedn, "?subtree?(objectclass=posixAccount)" ) if ldap.ldap_groupsuffix: ldap_section.ldap_group_search_base = "%s,%s" % ( ldap.ldap_groupsuffix, ldap.ldap_basedn ) else: ldap_section.ldap_group_search_base = "%s%s" % ( ldap.ldap_basedn, "?subtree?(objectclass=posixGroup)" ) if ldap.ldap_sudosuffix: if not sc['sudo']: sc['sudo'] = SSSDSectionSUDO() sc['sssd'].add_service('sudo') ldap_section.sudo_provider = 'ldap' ldap_section.ldap_sudo_search_base = "%s,%s" % ( ldap.ldap_sudosuffix, ldap.ldap_basedn ) if ldap.ldap_ssl == 'on': certpath = get_certificateauthority_path(ldap.ldap_certificate) if certpath: ldap_section.ldap_tls_cacert = certpath elif ldap.ldap_ssl == 'start_tls': ldap_section.tls_reqcert = 'demand' certpath = get_certificateauthority_path(ldap.ldap_certificate) if certpath: ldap_section.ldap_tls_cacert = certpath ldap_section.ldap_id_use_start_tls = 'true' ldap_save = ldap ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT) if ldap.keytab_file and ldap.keytab_principal: ldap_section.auth_provider = 'krb5' ldap_section.chpass_provider = 'krb5' ldap_section.ldap_sasl_mech = 'GSSAPI' ldap_section.ldap_sasl_authid = ldap.keytab_principal ldap_section.ldap_krb5_keytab = ldap.keytab_file ldap_section.krb5_server = ldap.krb_kdc ldap_section.krb5_realm = ldap.krb_realm ldap_section.krb5_canonicalize = 'false' else: ldap_section.ldap_default_bind_dn = ldap.binddn ldap_section.ldap_default_authtok_type = 'password' ldap_section.ldap_default_authtok = ldap.bindpw sc[ldap_domain] = ldap_section sc['sssd'].add_domain(ldap_cookie) sc['sssd'].add_newline() ldap = ldap_save if ldap.ldap_auxiliary_parameters: path = tempfile.mktemp(dir='/tmp') with open(path, 'wb+') as f: f.write(ldap.ldap_auxiliary_parameters) f.close() aux_sc = SSSDConf(path=path, cookie=sc.cookie) os.unlink(path) sc.merge_config(aux_sc)
def add_ldap(sc): ldap = LDAP.objects.all()[0] cifs = CIFS.objects.all()[0] ldap_hostname = ldap.ldap_hostname.upper() parts = ldap_hostname.split('.') ldap_hostname = parts[0] ldap_cookie = ldap_hostname ldap_domain = 'domain/%s' % ldap_cookie ldap_section = None for key in sc.keys(): if key == ldap_domain: ldap_section = sc[key] break if not ldap_section: ldap_section = SSSDSectionDomain(ldap_domain) ldap_section.description = ldap_cookie if ldap_section.description != ldap_cookie: return ldap_defaults = [{ 'enumerate': 'true' }, { 'cache_credentials': 'true' }, { 'id_provider': 'ldap' }, { 'auth_provider': 'ldap' }, { 'chpass_provider': 'ldap' }, { 'ldap_schema': 'rfc2307bis' }, { 'ldap_force_upper_case_realm': 'true' }, { 'use_fully_qualified_names': 'false' }] for d in ldap_defaults: key = d.keys()[0] if not key in ldap_section: setattr(ldap_section, key, d[key]) ldap_section.ldap_schema = ldap.ldap_schema ldap_section.ldap_uri = "%s://%s" % ("ldaps" if ldap.ldap_ssl == 'on' else "ldap", ldap.ldap_hostname) ldap_section.ldap_search_base = ldap.ldap_basedn if ldap.ldap_usersuffix: ldap_section.ldap_user_search_base = "%s,%s" % (ldap.ldap_usersuffix, ldap.ldap_basedn) else: ldap_section.ldap_user_search_base = "%s%s" % ( ldap.ldap_basedn, "?subtree?(objectclass=posixAccount)") if ldap.ldap_groupsuffix: ldap_section.ldap_group_search_base = "%s,%s" % (ldap.ldap_groupsuffix, ldap.ldap_basedn) else: ldap_section.ldap_group_search_base = "%s%s" % ( ldap.ldap_basedn, "?subtree?(objectclass=posixGroup)") if ldap.ldap_sudosuffix: if not sc['sudo']: sc['sudo'] = SSSDSectionSUDO() sc['sssd'].add_service('sudo') ldap_section.sudo_provider = 'ldap' ldap_section.ldap_sudo_search_base = "%s,%s" % (ldap.ldap_sudosuffix, ldap.ldap_basedn) if ldap.ldap_ssl == 'on': certpath = get_certificateauthority_path(ldap.ldap_certificate) if certpath: ldap_section.ldap_tls_cacert = certpath elif ldap.ldap_ssl == 'start_tls': ldap_section.tls_reqcert = 'demand' certpath = get_certificateauthority_path(ldap.ldap_certificate) if certpath: ldap_section.ldap_tls_cacert = certpath ldap_section.ldap_id_use_start_tls = 'true' if ldap.ldap_auxiliary_parameters: lines = ldap.ldap_auxiliary_parameters.splitlines() for l in lines: parts = l.split('=', 1) if len(parts) < 2: continue setattr(ldap_section, parts[0].strip(), parts[1].strip()) ldap = FreeNAS_LDAP(flags=FLAGS_DBINIT) if ldap.keytab_name and ldap.kerberos_realm: ldap_section.auth_provider = 'krb5' ldap_section.chpass_provider = 'krb5' ldap_section.ldap_sasl_mech = 'GSSAPI' ldap_section.ldap_sasl_authid = ldap.keytab_principal ldap_section.krb5_server = ldap.krb_kdc ldap_section.krb5_realm = ldap.krb_realm ldap_section.krb5_canonicalize = 'false' else: ldap_section.ldap_default_bind_dn = ldap.binddn ldap_section.ldap_default_authtok_type = 'password' ldap_section.ldap_default_authtok = ldap.bindpw sc[ldap_domain] = ldap_section sc['sssd'].add_domain(ldap_cookie) sc['sssd'].add_newline()