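def lock_password(password):
    # type: (str) -> str
    """
    Add prefix to password used for locking.

    A value carrying a ``{scheme}`` prefix is locked by inserting ``!``
    directly after that prefix. A value that does not match
    ``RE_PASSWORD_SCHEME`` is treated as a cleartext password: it is hashed
    first and the locked hash is returned. Callers must therefore never pass
    an unprefixed hash, because it would be hashed again.

    :param password: password hash.
    :returns: the locked password hash.

    >>> lock_password('{crypt}$1$foo')
    '{crypt}!$1$foo'
    >>> lock_password('{LANMAN}')
    '{LANMAN}!'
    >>> lock_password('{SASL}')
    '{SASL}!'
    >>> lock_password('{KINIT}')
    '{KINIT}!'
    >>> lock_password('{BCRYPT}')
    '{BCRYPT}!'
    >>> lock_password('foo').startswith('{crypt}!$')
    True
    """
    scheme_match = RE_PASSWORD_SCHEME.match(password)

    # cleartext password?
    if not scheme_match:
        if configRegistry.is_true('password/hashing/bcrypt'):
            return "{BCRYPT}!%s" % (bcrypt_hash(password))
        return "{crypt}!%s" % (crypt(password))

    if not is_locked(password):
        groups = scheme_match.groups()
        # A format string without placeholders raises TypeError when given
        # two arguments. The doctests above require "<scheme>!<rest>".
        # NOTE(review): assumes group 0 is the '{scheme}' prefix and group 2
        # the remaining hash -- confirm against RE_PASSWORD_SCHEME.
        password = '%s!%s' % (groups[0], groups[2])
    return password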
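def ucr_overwrite_properties(module, lo):
	# type: (Any, univention.admin.uldap.access) -> None
	"""
	Overwrite properties in property_descriptions by UCR variables

	Every UCR variable below the module's property prefix is read as
	``<property>/<attribute>`` and the value is written onto the matching
	property object, cast to the type of the attribute's current value.
	Failures for a single variable are logged and skipped.

	:param module: the module whose ``property_descriptions`` are modified in place.
	:param lo: LDAP connection, used to look up an extended syntax by name.
	"""
	# Check the module before building the prefix: the prefix dereferences
	# module.module, which would raise for a missing module.
	if not module:
		return
	ucr_prefix = ucr_property_prefix % module.module

	for var in configRegistry.keys():
		if not var.startswith(ucr_prefix):
			continue
		try:
			# a variable without '/' after the prefix raises ValueError here
			# and is reported by the handler below
			prop_name, attr = var[len(ucr_prefix):].split('/', 1)
			ud.debug(ud.ADMIN, ud.INFO, 'ucr_overwrite_properties: found variable: %s' % var)
			# ignore internal attributes
			if attr.startswith('__'):
				continue
			if attr == 'default':
				# a property object is instantiated with default=...
				#   but internally uses "base_default" as member variable
				#   "default" is an instance_method...
				attr = 'base_default'
			if prop_name in module.property_descriptions:
				prop = module.property_descriptions[prop_name]
				ud.debug(ud.ADMIN, ud.INFO, 'ucr_overwrite_properties: found property')
				if hasattr(prop, attr):
					new_prop_val = configRegistry[var]
					old_prop_val = getattr(prop, attr)
					if old_prop_val is None:
						# if the attribute was None the type cast
						#   will fail. best bet is str as type
						old_prop_val = ''
					prop_val_type = type(old_prop_val)
					ud.debug(ud.ADMIN, ud.INFO, 'ucr_overwrite_properties: set property attribute %s to %s' % (attr, new_prop_val))
					if attr in ('syntax', ):
						# NOTE(review): the UCR value picks an attribute of
						# univention.admin.syntax by name and calls it with no
						# arguments. Nothing here checks that the attribute is a
						# syntax class, so whoever can set these variables picks
						# which callable of that module runs. Consider verifying
						# the type before instantiating.
						if hasattr(univention.admin.syntax, new_prop_val):
							syntax = getattr(univention.admin.syntax, new_prop_val)
							setattr(prop, attr, syntax())
						else:
							# the name is passed through filter_format before it reaches the LDAP filter
							if lo.search(filter=filter_format(univention.admin.syntax.LDAP_Search.FILTER_PATTERN, [new_prop_val])):
								syntax = univention.admin.syntax.LDAP_Search(new_prop_val)
								syntax._load(lo)
								setattr(prop, attr, syntax)
							else:
								# NOTE(review): string() is instantiated here and the
								# instance is called again on the next line. If
								# instances are not callable this raises and is only
								# logged by the handler below -- confirm the intent.
								syntax = univention.admin.syntax.string()
								setattr(prop, attr, syntax())
					elif prop_val_type is bool:
						setattr(prop, attr, configRegistry.is_true(None, None, new_prop_val))
					else:
						setattr(prop, attr, prop_val_type(new_prop_val))
					ud.debug(ud.ADMIN, ud.INFO, 'ucr_overwrite_properties: get property attribute: %s (type %s)' % (old_prop_val, prop_val_type))
		except Exception as exc:
			# one malformed variable must not stop the remaining overrides
			ud.debug(ud.ADMIN, ud.ERROR, 'ucr_overwrite_properties: failed to set property attribute: %s' % (exc,))
			continue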
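def ucr_overwrite_layout(module, ucr_property, tab):
	# type: (Any, str, Tab) -> Optional[bool]
	"""
	Overwrite the advanced setting in the layout

	:param module: module name used in the UCR variable path.
	:param ucr_property: last component of the UCR variable path.
	:param tab: the tab; its ``name`` entry selects the UCR variable.
	:returns: the result of ``configRegistry.is_true()`` for the variable, with ``None`` passed as default.
	"""
	desc = tab['name']
	# The guard inspects tab['name'], so the value is read from that same
	# object (the original read it from tab.tab['name']).
	if hasattr(desc, 'data'):
		desc = desc.data
	# replace invalid characters by underscores
	desc = re.sub(univention.config_registry.invalid_key_chars, '_', desc).replace('/', '_')
	return configRegistry.is_true('directory/manager/web/modules/%s/layout/%s/%s' % (module, desc, ucr_property), None)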
def ntlm(password):
    # type: (str) -> Tuple[str, str]
    """
    Return tuple with NT and LanMan hash.

    Both hashes are unsalted, so equal passwords always produce equal
    values; treat the results as password-equivalent secrets. The LanMan
    hash is only computed when the UCR variable ``password/samba/lmhash``
    is true, otherwise an empty string is returned in its place.

    :param password: password string.
    :returns: 2-tuple (NT, LanMan), both upper-cased.
    """
    nt_hash = passlib.hash.nthash.hash(password).upper()

    # LanMan is opt-in; the default passed to is_true() is False
    lm_enabled = configRegistry.is_true('password/samba/lmhash', False)
    lm_hash = passlib.hash.lmhash.hash(password).upper() if lm_enabled else ''

    return (nt_hash, lm_hash)
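def get_password_history(password, pwhistory, pwhlen):
    # type: (str, str, int) -> str
    """
    Append the given password as hash to the history of password hashes

    The history is a single string of space-separated hashes. Only the
    hash of the new password is stored, never the cleartext.

    :param password: the new password.
    :param pwhistory: history of previous password hashes.
    :param pwhlen: length of the password history.
    :returns: modified password hash history.

    >>> get_password_history("a", "b", 0)
    'b'
    >>> len(get_password_history("a", "", 1).split(' '))
    1
    >>> len(get_password_history("a", "b", 1).split(' '))
    1
    >>> len(get_password_history("a", "b", 2).split(' '))
    2
    """
    # this preserves a temporary disabled history; returning early also
    # avoids computing a hash that would be thrown away
    if pwhlen <= 0:
        return pwhistory

    # create hash
    if configRegistry.is_true('password/hashing/bcrypt'):
        newpwhash = "{BCRYPT}%s" % (bcrypt_hash(password))
    else:
        newpwhash = crypt(password)

    # split() without an argument drops empty entries, so an empty history
    # does not occupy a slot with an empty string
    pwlist = pwhistory.split()
    # append new hash
    pwlist.append(newpwhash)
    # strip old hashes and build history
    return ' '.join(pwlist[-pwhlen:])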
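def ucr_overwrite_module_layout(module):
	# type: (Any) -> None
	"""
	Overwrite the tab layout through |UCR| variables.

	For every tab the name and description can be replaced, the tab can be
	dropped by setting its layout variable to ``none``, and single
	properties can be hidden with ``<property>/__hidden``. Afterwards the
	app tabs are sorted by label and inserted after the "Apps" tab, or at
	the end when no such tab exists.

	:param module: the module whose ``layout`` attribute is replaced.
	"""
	ud.debug(ud.ADMIN, ud.INFO, "layout overwrite")
	# there are modules without a layout definition
	if not hasattr(module, 'layout'):
		return

	new_layout = []
	for tab in module.layout[:]:
		desc = tab.label
		if hasattr(tab.label, 'data'):
			desc = tab.label.data

		# replace invalid characters by underscores
		desc = re.sub(univention.config_registry.invalid_key_chars, '_', desc).replace('/', '_')

		tab_layout = configRegistry.get('directory/manager/web/modules/%s/layout/%s' % (module.module, desc))
		ud.debug(ud.ADMIN, ud.INFO, "layout overwrite: tab_layout='%s'" % tab_layout)
		tab_name = configRegistry.get('directory/manager/web/modules/%s/layout/%s/name' % (module.module, desc))
		ud.debug(ud.ADMIN, ud.INFO, "layout overwrite: tab_name='%s'" % tab_name)
		tab_descr = configRegistry.get('directory/manager/web/modules/%s/layout/%s/description' % (module.module, desc))
		ud.debug(ud.ADMIN, ud.INFO, "layout overwrite: tab_descr='%s'" % tab_descr)

		if tab_name:
			tab['name'] = tab_name

		if tab_descr:
			tab['description'] = tab_descr

		# for now the layout modification from UCS 2.4 is disabled (see Bug #26673)
		# (this piece of code does not respect the tab-group-hierarchie of UCS 3.0)
		# if tab_layout and tab_layout.lower() != 'none':
		#	layout = []
		#	for row in tab_layout.split( ';' ):
		#		line = []
		#		for col in row.split( ',' ):
		#			col = col.strip()
		#			if not col:
		#				continue
		#			if col in module.property_descriptions:
		#				line.append( col )
		#			else:
		#				ud.debug( ud.ADMIN, ud.ERROR, "layout overwrite: unknown property: %s" % col )
		#		layout.append( line )
		#	tab[ 'layout' ] = { 'label' : _( 'General' ), 'layout' : layout }

		# a tab whose layout variable is "none" is left out of the new layout
		if not tab_layout or tab_layout.lower() != 'none':
			# disable specified properties via UCR
			ud.debug(ud.ADMIN, ud.INFO, 'ucr_overwrite_module_layout: trying to hide properties on tab %s' % (desc))
			ucr_prefix = ucr_property_prefix % module.module
			for var in configRegistry.keys():
				if not var.startswith(ucr_prefix):
					continue
				# partition() never raises, unlike unpacking split('/', 1)
				# for a variable that has no '/' after the prefix
				prop, sep, attr = var[len(ucr_prefix):].partition('/')
				# ignore invalid/unknown UCR variables
				if not sep or '/' in attr:
					continue
				# ('__hidden') is a plain string, so "in" was a substring
				# test that also matched '', '_' or 'hidden'; compare exactly
				if attr == '__hidden' and configRegistry.is_true(var):
					removed, _layout = tab.remove(prop)
					ud.debug(ud.ADMIN, ud.INFO, 'ucr_overwrite_module_layout: tried to hide property: %s (found=%s)' % (prop, removed))
			new_layout.append(tab)

	del module.layout
	module.layout = new_layout

	# sort tabs: All apps occur alphabetical after the "Apps" / "Options" tab
	app_tabs = [x for x in module.layout if x.is_app_tab]
	app_tabs.sort(key=lambda x: x.label.lower())
	layout = [x for x in module.layout if not x.is_app_tab]
	# enumerate from 1 so that pos is the slot directly behind the "Apps" tab
	pos = ([i for i, x in enumerate(layout, 1) if x.label == 'Apps'] or [len(layout)])[0]
	layout[pos:pos] = app_tabs
	module.layout = layout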
def ldap_filter_not_objectflag(flag_string_list):
    """
    Build an LDAP filter excluding objects that carry any of the given flags.

    Each flag is inserted through ``filter_format`` rather than plain
    string formatting, so the flag text is not pasted raw into the filter.

    :param flag_string_list: values of ``univentionObjectFlag`` to exclude.
    :returns: ``''`` for no flags, ``(!(...))`` for one flag, ``(!(|(...)(...)))`` for several.
    """
    clauses = [
        filter_format('(univentionObjectFlag=%s)', [flag])
        for flag in flag_string_list
    ]
    if not clauses:
        return ''

    joined = ''.join(clauses)
    if len(clauses) == 1:
        # a single clause needs no OR wrapper
        return '(!%s)' % joined
    return '(!(|%s))' % joined


# Object flags whose carriers are excluded; presumably fed into
# ldap_filter_not_objectflag() by code outside this excerpt -- TODO confirm.
user_exclude_objectflags = ['temporary', 'functional', 'hidden']
managedclient_exclude_objectflags = []
# When the UCR variable ad/member is true, 'synced' objects are excluded too.
if configRegistry.is_true('ad/member'):
    user_exclude_objectflags += ['synced']
    managedclient_exclude_objectflags += ['synced']


class License(object):
    """
    License state holder that must not be instantiated a second time.

    The constructor raises as soon as the module-level ``_license`` is
    truthy, so code is expected to use that existing object instead.
    """

    # first numbering: 0..3
    ACCOUNT, CLIENT, DESKTOP, GROUPWARE = range(4)
    # second numbering: 0..5, independent of the one above
    (
        USERS,
        SERVERS,
        MANAGEDCLIENTS,
        CORPORATECLIENTS,
        VIRTUALDESKTOPUSERS,
        VIRTUALDESKTOPCLIENTS,
    ) = range(6)

    # NOTE(review): same value as VIRTUALDESKTOPCLIENTS -- confirm the two
    # are never used as keys of the same mapping.
    SYSACCOUNTS = 5

    def __init__(self):
        """Refuse construction once ``_license`` is set; otherwise start without a new license."""
        if _license:
            raise Exception('never create this object directly')
        self.new_license = False
class groupNameAlreadyUsed(base):
	"""Error for a group name that is already taken."""

	# The wording is chosen once, when the class body runs: with
	# directory/manager/user_group/uniqueness enabled (the default passed to
	# is_true() is True) the message also mentions user names.
	message = (
		_('The groupname is already in use as groupname or as username')
		if configRegistry.is_true('directory/manager/user_group/uniqueness', True)
		else _('The groupname is already in use')
	)