def get_test_connection(cls, hostname=None, *args, **kwargs):
     """
     Open a connection with the domain-admin test credentials stored in |UCR|.

     The bind user is derived from ``tests/domainadmin/account`` (the value of
     its first RDN) and the password is read from ``tests/domainadmin/pwd``.

     :param hostname: Host to connect to; handed through to ``cls`` unchanged.
     :returns: ``cls(hostname, username, password, *args, **kwargs)``.
     """
     ucr = ConfigRegistry()
     ucr.load()
     # NOTE(review): assumes the account DN starts with ``uid=``; a DN with a
     # different first RDN would yield a truncated user name — confirm.
     account_dn = ucr.get('tests/domainadmin/account')
     first_rdn = account_dn.split(',')[0]
     username = first_rdn[len('uid='):]
     password = ucr.get('tests/domainadmin/pwd')
     return cls(hostname, username, password, *args, **kwargs)
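def getMachineConnection(start_tls=2, decode_ignorelist=[], ldap_master=True, secret_file="/etc/machine.secret", reconnect=True):
	"""
	Open a LDAP connection using the machine credentials.

	:param int start_tls: Negotiate TLS with server; `2` requires the operation to succeed.
	:param list decode_ignorelist: LDAP attribute names which shall be handled as binary attributes.
	:param bool ldap_master: Connect to the Master if True, otherwise to `ldap/server/name`, falling back to the hosts in `ldap/server/addition`.
	:param str secret_file: File containing the machine password (must stay readable by root only).
	:param bool reconnect: Automatically reconnect if the connection fails.
	:return: A LDAP access object.
	:raises ldap.SERVER_DOWN: if no configured server could be reached.
	"""
	ucr = ConfigRegistry()
	ucr.load()

	# The secret file holds a password: close it right away instead of leaving
	# the open handle to the garbage collector.
	with open(secret_file) as secret:
		bindpw = secret.read().rstrip('\n')

	def connect(host, port):
		# Every attempt uses the machine credentials and the caller's options.
		return access(host=host, port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)

	if ldap_master:
		# Connect to DC Master
		port = int(ucr.get('ldap/master/port', '7389'))
		return connect(ucr['ldap/master'], port)

	# Connect to ldap/server/name
	port = int(ucr.get('ldap/server/port', '7389'))
	try:
		return connect(ucr['ldap/server/name'], port)
	except ldap.SERVER_DOWN as exc:
		# ldap/server/name is down, try the additional servers in order
		additional = ucr.get('ldap/server/addition')
		if not additional:
			raise
		for server in additional.split():
			try:
				return connect(server, port)
			except ldap.SERVER_DOWN:
				pass
		# All servers failed: report the first failure.
		raise exc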
def handler(dn, new, old):
    """
    Listener hook: mirror the attributes of the configured IdP config object into |UCR|.

    Only the object named by ``saml/idp/configobject`` (default
    ``id=default-saml-idp,cn=univention,<ldap/base>``) is honoured; a change to
    any other IdP config object is logged and ignored.

    :param str dn: DN of the modified object.
    :param dict new: New attribute values; every attribute in ``LDAP_UCR_MAPPING``
        that is present is written to its UCR variable, absent ones are unset.
    :param dict old: Previous attribute values (unused).
    """
    ucr = ConfigRegistry()
    ucr.load()
    default_dn = 'id=default-saml-idp,cn=univention,%s' % ucr.get('ldap/base')
    idp_config_objectdn = ucr.get('saml/idp/configobject', default_dn)
    # NOTE(review): ``new['entryDN']`` raises KeyError if ``new`` is empty
    # (object removed) — confirm the listener never delivers that case here.
    listener.setuid(0)
    try:
        if idp_config_objectdn != new['entryDN'][0]:
            ud.debug(
                ud.LISTENER, ud.WARN,
                'An IdP config object was modified, but it is not the object the listener is configured for (%s). Ignoring changes. DN of modified object: %s'
                % (idp_config_objectdn, new['entryDN']))
            return

        for ldap_attr, ucr_variable in LDAP_UCR_MAPPING.items():
            if ldap_attr not in new:
                handler_unset(['%s' % ucr_variable])
                continue
            # Only LdapGetAttributes carries a value: a quoted, comma separated list.
            ucr_value = ""
            if ldap_attr == 'LdapGetAttributes':
                ucr_value = "'" + "', '".join(new[ldap_attr]) + "'"
            handler_set(['%s=%s' % (ucr_variable, ucr_value)])
    finally:
        listener.unsetuid()
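def main():
    """
    Retrieve the current Univention Directory Notifier transaction ID.

    Connects to the notifier on ``ldap/master`` (TCP port 6669), performs the
    protocol handshake and prints the second line of the ``GET_ID`` reply.
    Exits with status 1 if ``ldap/master`` is unset, the reply is malformed
    or a socket error occurs.
    """
    configRegistry = ConfigRegistry()
    configRegistry.load()

    master = configRegistry.get('ldap/master')
    if not master:
        print >> sys.stderr, 'Error: ldap/master not set'
        sys.exit(1)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((master, 6669))

        # Protocol handshake; the greeting reply is consumed but not needed.
        sock.send('Version: 2\nCapabilities: \n\n')
        sock.recv(100)

        sock.send('MSGID: 1\nGET_ID\n\n')
        notifier_result = sock.recv(100)

        if notifier_result:
            # Reply layout: a MSGID line followed by the ID line.
            lines = notifier_result.splitlines()
            if len(lines) < 2:
                print >> sys.stderr, 'Error: unexpected notifier reply: %r' % (notifier_result,)
                sys.exit(1)
            print "%s" % lines[1]
    except socket.error as ex:
        print >> sys.stderr, 'Error: %s' % (ex,)
        sys.exit(1)
    finally:
        # Release the socket on every path; the original left it open.
        sock.close()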
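def getBackupConnection(start_tls=2, decode_ignorelist=[]):
    """
    Open a LDAP connection to the Master as ``cn=backup``, falling back to the
    first host listed in ``ldap/backup`` when the Master is down.

    The password is read from ``/etc/ldap-backup.secret`` (one trailing newline
    removed); that file must stay readable by root only.

    :param int start_tls: Negotiate TLS with server; `2` requires the operation to succeed.
    :param list decode_ignorelist: LDAP attribute names which shall be handled as binary attributes.
    :return: A LDAP access object.
    :raises ldap.SERVER_DOWN: if the Master is down and no backup is configured.
    """
    ucr = ConfigRegistry()
    ucr.load()
    # Close the secret file promptly; it holds the backup bind password.
    with open("/etc/ldap-backup.secret") as secret:
        bindpw = secret.read()
    # Strip exactly one trailing newline; an empty file no longer raises IndexError.
    if bindpw.endswith("\n"):
        bindpw = bindpw[:-1]
    port = int(ucr.get("ldap/master/port", "7389"))

    def connect(host):
        # Every attempt uses the backup credentials and the caller's options.
        return access(
            host=host,
            port=port,
            base=ucr["ldap/base"],
            binddn="cn=backup," + ucr["ldap/base"],
            bindpw=bindpw,
            start_tls=start_tls,
            decode_ignorelist=decode_ignorelist,
        )

    try:
        lo = connect(ucr["ldap/master"])
    except ldap.SERVER_DOWN:
        if not ucr["ldap/backup"]:
            raise
        lo = connect(ucr["ldap/backup"].split(" ")[0])
    # The original opened the connection but never returned it.
    return lo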
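def fetch_schema_from_local_ldap():
    """
    Fetch the LDAP schema from this host's own LDAP server.

    :returns: whatever ``__fetch_schema_from_uri`` returns for the local server URI.
    """
    ucr = ConfigRegistry()
    ucr.load()

    # The host part is the FQDN ``hostname.domainname``. The original joined the
    # two with ``:``, which put the domain name into the port position of the URI.
    ldap_uri = 'ldap://%(hostname)s.%(domainname)s' % ucr

    return __fetch_schema_from_uri(ldap_uri)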
class UCSResync(object):
    """
    Re-queue UCS LDAP objects for the S4 connector.

    Objects are read via the machine LDAP connection and dumped as pickle
    files into the connector's listener directory, where the connector picks
    them up as if they had just been modified.
    """

    def __init__(self):
        self.configRegistry = ConfigRegistry()
        self.configRegistry.load()

        self.lo = univention.uldap.getMachineConnection()

    def _get_listener_dir(self):
        """Directory polled by the connector: ``connector/s4/listener/dir`` or its default."""
        return self.configRegistry.get(
            'connector/s4/listener/dir', '/var/lib/univention-connector/s4')

    def _generate_filename(self):
        """Path of a new file in the listener dir, named after the current time."""
        return os.path.join(self._get_listener_dir(), "%f" % time.time())

    def _dump_object_to_file(self, object_data):
        """
        Pickle ``object_data`` into a fresh, owner-only readable file.

        NOTE(review): the consumer presumably unpickles these files, so the
        listener directory must remain writable by trusted users only.
        """
        filename = self._generate_filename()
        with open(filename, 'wb+') as fd:
            os.chmod(filename, 0o600)
            pickler = pickle.Pickler(fd)
            pickler.dump(object_data)
            pickler.clear_memo()

    def _search_ldap_object_orig(self, ucs_dn):
        """Return all user and operational attributes of ``ucs_dn``; raise if it is missing."""
        return self.lo.get(ucs_dn, attr=['*', '+'], required=True)

    def resync(self, ucs_dns=None, ldapfilter=None):
        """
        Dump every object matching ``ucs_dns``/``ldapfilter`` and return the DNs handled.

        :param ucs_dns: optional list of DNs to restrict the search to.
        :param ldapfilter: optional LDAP filter.
        :returns: list of DNs that were dumped, in search order.
        """
        treated_dns = []
        for dn, new in self.search_ldap(ucs_dns, ldapfilter):
            # (dn, new, {}, None): the tuple layout the connector reads back — TODO confirm
            self._dump_object_to_file((dn, new, {}, None))
            treated_dns.append(dn)
        return treated_dns

    def search_ldap(self, ucs_dns=None, ldapfilter=None):
        """
        Search the given DNs (base scope) or the whole directory with ``ldapfilter``.

        :returns: list of ``(dn, attributes)`` tuples with all user and operational attributes.
        :raises ldap.NO_SUCH_OBJECT: if any of ``ucs_dns`` does not exist; the
            exception's third argument lists the DNs that were found.
        """
        attr = ('*', '+')

        if not ucs_dns:
            return self.lo.search(filter=ldapfilter, attr=attr)

        ldapfilter = ldapfilter or '(objectClass=*)'
        ldap_result = []
        missing_dns = []
        for targetdn in ucs_dns:
            try:
                found = self.lo.search(base=targetdn, scope='base', filter=ldapfilter, attr=attr)
            except ldap.NO_SUCH_OBJECT:
                missing_dns.append(targetdn)
            else:
                ldap_result.extend(found)
        if missing_dns:
            raise ldap.NO_SUCH_OBJECT(1, 'No object: %s' % (missing_dns, ),
                                      [r[0] for r in ldap_result])
        return ldap_result
def getLDAPURIs(ucr=None):
	# type: (Optional[ConfigRegistry]) -> str
	"""
	Returns a space separated list of the |URI|s of all configured |LDAP| servers,
	built from the |UCR| variables `ldap/server/name` and `ldap/server/addition`,
	each combined with `ldap/server/port` (default `7389`).

	:param ConfigRegistry ucr: An optional |UCR| instance; loaded on demand if omitted.
	:returns: A space separated list of |LDAP| |URI|, empty if no server is configured.
	:rtype: str
	"""
	if ucr is None:
		ucr = ConfigRegistry()
		ucr.load()

	port = ucr.get('ldap/server/port', '7389')
	hosts = []
	primary = ucr.get('ldap/server/name')
	if primary:
		hosts.append(primary)
	# An unset or blank `ldap/server/addition` contributes no hosts.
	hosts.extend((ucr.get('ldap/server/addition') or '').split())

	return ' '.join('ldap://%s:%s' % (host, port) for host in hosts)
def handler(dn, new, old):
	# type: (str, dict, dict) -> None
	"""
	Listener hook: register or unregister a host as SAML IdP server in |UCR|.

	A host carrying the ``univention-saml`` service is recorded under
	``ucs/server/saml-idp-server/<fqdn>``; when the service was removed the
	entry is unset. After either change ``univention-saml`` is restarted,
	provided the IdP certificate and private key files exist.

	:param str dn: DN of the changed host object.
	:param dict new: New attribute values (bytes); objects without ``cn`` or
		``associatedDomain`` are ignored.
	:param dict old: Previous attribute values.
	"""
	ucr = ConfigRegistry()
	ucr.load()
	listener.setuid(0)
	try:
		try:
			hostname = new['cn'][0].decode('UTF-8')
			domain = new['associatedDomain'][0].decode('ASCII')
		except (KeyError, IndexError):
			# NOTE(review): on object removal ``new`` is empty, so the UCR entry
			# of a deleted IdP host is not unset here — confirm this is intended.
			return
		fqdn = '%s.%s' % (hostname, domain)

		if b'univention-saml' in new.get('univentionService', []):
			handler_set(['ucs/server/saml-idp-server/%s=%s' % (fqdn, fqdn)])
		elif b'univention-saml' in old.get('univentionService', []):
			handler_unset(['ucs/server/saml-idp-server/%s' % (fqdn,)])
		else:
			return

		# Restart only if the IdP can actually come up: certificate and key must exist.
		path_to_cert = ucr.get('saml/idp/certificate/certificate')
		path_to_key = ucr.get('saml/idp/certificate/privatekey')
		if path_to_cert and os.path.exists(path_to_cert) and path_to_key and os.path.exists(path_to_key):
			subprocess.call(['systemctl', 'restart', 'univention-saml'])
	finally:
		listener.unsetuid()
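def getBackupConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
    """
    Open a LDAP connection to the Master as ``cn=backup``, falling back to the
    first host listed in ``ldap/backup`` when the Master is down.

    The password is read from ``/etc/ldap-backup.secret``, which must stay
    readable by root only.

    :param int start_tls: Negotiate TLS with server; `2` requires the operation to succeed.
    :param list decode_ignorelist: LDAP attribute names which shall be handled as binary attributes.
    :param bool reconnect: Automatically reconnect if the connection fails.
    :return: A LDAP access object.
    :raises ldap.SERVER_DOWN: if the Master is down and ``ldap/backup`` is unset.
    """
    ucr = ConfigRegistry()
    ucr.load()
    # Close the secret file promptly; it holds the backup bind password.
    with open('/etc/ldap-backup.secret') as secret:
        bindpw = secret.read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    base = ucr['ldap/base']

    def connect(host):
        # Every attempt uses the backup credentials and the caller's options.
        return access(host=host,
                      port=port,
                      base=base,
                      binddn='cn=backup,' + base,
                      bindpw=bindpw,
                      start_tls=start_tls,
                      decode_ignorelist=decode_ignorelist,
                      reconnect=reconnect)

    try:
        return connect(ucr['ldap/master'])
    except ldap.SERVER_DOWN:
        # ``.get`` so that a missing variable re-raises SERVER_DOWN instead of a KeyError.
        backups = ucr.get('ldap/backup')
        if not backups:
            raise
        return connect(backups.split(' ')[0])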
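def main():
    """
    Retrieve the current Univention Directory Notifier transaction ID.

    Connects to the notifier on ``ldap/master`` (TCP port 6669), performs the
    protocol handshake and prints the second line of the ``GET_ID`` reply.
    Exits with status 1 if ``ldap/master`` is unset, the reply is malformed
    or a socket error occurs.
    """
    configRegistry = ConfigRegistry()
    configRegistry.load()

    master = configRegistry.get('ldap/master')
    if not master:
        print >> sys.stderr, 'Error: ldap/master not set'
        sys.exit(1)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((master, 6669))

        # Protocol handshake; the greeting reply is consumed but not needed.
        sock.send('Version: 2\nCapabilities: \n\n')
        sock.recv(100)

        sock.send('MSGID: 1\nGET_ID\n\n')
        notifier_result = sock.recv(100)

        if notifier_result:
            # Reply layout: a MSGID line followed by the ID line.
            lines = notifier_result.splitlines()
            if len(lines) < 2:
                print >> sys.stderr, 'Error: unexpected notifier reply: %r' % (notifier_result,)
                sys.exit(1)
            print "%s" % lines[1]
    except socket.error as ex:
        print >> sys.stderr, 'Error: %s' % (ex, )
        sys.exit(1)
    finally:
        # Release the socket on every path; the original left it open.
        sock.close()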
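def getLDAPServersCommaList(ucr=None):
	# type: (Optional[ConfigRegistry]) -> str
	"""
	Returns a comma-separated string with all configured |LDAP| servers, taken
	from the |UCR| variables `ldap/server/name` and `ldap/server/addition`.

	:param ConfigRegistry ucr: An optional |UCR| instance; loaded on demand if omitted.
	:returns: A comma separated list of |LDAP| host names (the previous docstring
		said "space separated", which did not match the implementation); empty
		if no server is configured.
	:rtype: str
	"""
	if ucr is None:
		ucr = ConfigRegistry()
		ucr.load()

	ldaphosts = []
	ldap_server_name = ucr.get('ldap/server/name')
	if ldap_server_name:
		ldaphosts.append(ldap_server_name)
	ldap_server_addition = ucr.get('ldap/server/addition')
	if ldap_server_addition:
		ldaphosts.extend(ldap_server_addition.split())

	# ','.join of an empty list is '' — the documented "nothing configured" result.
	return ','.join(ldaphosts)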
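def getAdminConnection(
        start_tls=2,
        decode_ignorelist=[],
        reconnect=True):  # type: (int, List[str], bool) -> access
    """
    Open a LDAP connection to the Master LDAP server using the admin credentials.

    The ``cn=admin`` password is read from ``/etc/ldap.secret``; that file must
    stay readable by root only.

    :param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
    :param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
    :type decode_ignorelist: list[str]
    :param bool reconnect: Automatically reconnect if the connection fails.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    """
    ucr = ConfigRegistry()
    ucr.load()
    # Close the secret file promptly instead of leaving the handle to the GC.
    with open('/etc/ldap.secret') as secret:
        bindpw = secret.read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    base = ucr['ldap/base']
    return access(host=ucr['ldap/master'],
                  port=port,
                  base=base,
                  binddn='cn=admin,' + base,
                  bindpw=bindpw,
                  start_tls=start_tls,
                  decode_ignorelist=decode_ignorelist,
                  reconnect=reconnect)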
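def getRootDnConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
    # type: (int, List[str], bool) -> access
    """
    Open a LDAP connection to the local LDAP server with the LDAP root account.

    On the Master this is ``cn=admin`` with the password from ``/etc/ldap.secret``;
    on any other role it is ``cn=update`` with the ``rootpw "..."`` value from
    ``/etc/ldap/rootpw.conf``. Both files hold credentials and must stay
    readable by root only.

    :param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
    :param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
    :type decode_ignorelist: list[str]
    :param bool reconnect: Automatically reconnect if the connection fails.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    """
    ucr = ConfigRegistry()
    ucr.load()
    # slapd/port may list several ports; the first one is the LDAP port.
    port = int(ucr.get('slapd/port', '7389').split(',')[0])
    host = ucr['hostname'] + '.' + ucr['domainname']
    if ucr.get('ldap/server/type', 'dummy') == 'master':
        with open('/etc/ldap.secret') as secret:
            bindpw = secret.read().rstrip('\n')
        binddn = 'cn=admin,{0}'.format(ucr['ldap/base'])
    else:
        with open('/etc/ldap/rootpw.conf') as secret:
            line = secret.read().rstrip('\n')
        # Strip the literal ``rootpw "`` prefix and the closing quote, each only
        # when present, so a malformed file cannot silently truncate the password.
        prefix = 'rootpw "'
        if line.startswith(prefix):
            line = line[len(prefix):]
        if line.endswith('"'):
            line = line[:-1]
        bindpw = line
        binddn = 'cn=update,{0}'.format(ucr['ldap/base'])
    return access(host=host,
                  port=port,
                  base=ucr['ldap/base'],
                  binddn=binddn,
                  bindpw=bindpw,
                  start_tls=start_tls,
                  decode_ignorelist=decode_ignorelist,
                  reconnect=reconnect)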
def handler(dn, new, old, command):
	"""
	Listener hook for share objects: only objects whose ``univentionShareHost``
	names this host (by FQDN or default IP address) are processed, all others
	are blanked out before the real work starts.

	:param str dn: DN of the changed object.
	:param dict new: New attribute values; emptied if the share is not hosted here.
	:param dict old: Previous attribute values; emptied likewise.
	:param str command: Listener command (unused in the visible part).

	NOTE(review): the visible body ends inside the tmp-dir creation right after
	``listener.setuid(0)``; the matching ``unsetuid`` and the actual share
	handling are not on this page.
	"""
	configRegistry = ConfigRegistry()
	configRegistry.load()
	interfaces = Interfaces(configRegistry)

	# dynamic module object filter: the identifiers under which this host may be named
	current_fqdn = "%s.%s" % (configRegistry['hostname'], domainname)
	current_ip = str(interfaces.get_default_ip_address().ip)
	this_host = (current_fqdn, current_ip)

	new_share_host = new.get('univentionShareHost', [None])[0]
	if new and new_share_host not in this_host:
		new = {}  # new object is not for this host

	old_share_host = old.get('univentionShareHost', [None])[0]
	if old and old_share_host not in this_host:
		old = {}  # old object is not for this host

	if not (new or old):
		return

	# create tmp dir
	tmpDir = os.path.dirname(tmpFile)
	listener.setuid(0)
	try:
		if not os.path.exists(tmpDir):
			os.makedirs(tmpDir)
	except Exception as e:
		univention.debug.debug(
			univention.debug.LISTENER, univention.debug.ERROR,
			"%s: could not create tmp dir %s (%s)" % (name, tmpDir, str(e)))
		return
def handler(dn, new, old, command):
    """
    Listener hook for share objects: only objects whose ``univentionShareHost``
    names this host (by FQDN or default IP address) are processed, all others
    are blanked out before the real work starts.

    :param str dn: DN of the changed object.
    :param dict new: New attribute values; emptied if the share is not hosted here.
    :param dict old: Previous attribute values; emptied likewise.
    :param str command: Listener command (unused in the visible part).

    NOTE(review): the visible body ends inside the tmp-dir creation right after
    ``listener.setuid(0)``; the matching ``unsetuid`` and the actual share
    handling are not on this page.
    """
    configRegistry = ConfigRegistry()
    configRegistry.load()
    interfaces = Interfaces(configRegistry)

    # dynamic module object filter: the identifiers under which this host may be named
    current_fqdn = "%s.%s" % (configRegistry['hostname'], domainname)
    current_ip = str(interfaces.get_default_ip_address().ip)
    this_host = (current_fqdn, current_ip)

    new_share_host = new.get('univentionShareHost', [None])[0]
    if new and new_share_host not in this_host:
        new = {}  # new object is not for this host

    old_share_host = old.get('univentionShareHost', [None])[0]
    if old and old_share_host not in this_host:
        old = {}  # old object is not for this host

    if not (new or old):
        return

    # create tmp dir
    tmpDir = os.path.dirname(tmpFile)
    listener.setuid(0)
    try:
        if not os.path.exists(tmpDir):
            os.makedirs(tmpDir)
    except Exception as e:
        univention.debug.debug(
            univention.debug.LISTENER, univention.debug.ERROR,
            "%s: could not create tmp dir %s (%s)" % (name, tmpDir, str(e)))
        return
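def parse_args():
    """
    Parse the command line.

    The LDAP master is taken from ``--master``, else from the single positional
    argument, else from the |UCR| variable ``ldap/master``. ``--schema``
    (the historical misspelling ``--shema`` is kept as an alias) switches the
    notifier command from ``GET_ID`` to ``GET_SCHEMA_ID``.

    :returns: the ``optparse`` options object with ``master`` and ``cmd`` set.
    :raises SystemExit: via ``parser.error`` if no master can be determined or
        more than one positional argument is given.
    """
    usage = '%prog [options] [master]'
    desc = sys.modules[__name__].__doc__
    parser = OptionParser(usage=usage, description=desc)
    parser.add_option('-m',
                      '--master',
                      dest='master',
                      help='LDAP Server address')
    # '--shema' is the original, misspelled option name; keep it so existing callers work.
    parser.add_option('-s',
                      '--schema',
                      '--shema',
                      dest='cmd',
                      action='store_const',
                      const='GET_SCHEMA_ID',
                      default='GET_ID',
                      help='Fetch LDAP Schema ID')
    options, args = parser.parse_args()

    if not options.master:
        if args:
            try:
                # Exactly one positional argument is allowed.
                options.master, = args
            except ValueError:
                parser.error('incorrect number of arguments')
        else:
            from univention.config_registry import ConfigRegistry
            configRegistry = ConfigRegistry()
            configRegistry.load()
            options.master = configRegistry.get('ldap/master')

    if not options.master:
        parser.error('ldap/master or --master not set')

    return options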
def main() -> None:
    """
    Set repository server.

    Queries the repository policy for this host (``ldap/hostdn``) and updates
    ``repository/online/server`` or ``repository/mirror/server`` in |UCR| when
    the policy names a different server. Does nothing if ``ldap/hostdn`` is unset.
    """
    ucr = ConfigRegistry()
    ucr.load()

    hostdn = ucr.get('ldap/hostdn')
    if not hostdn:
        # can't query policy without host-dn
        exit(0)

    fqdn = '%(hostname)s.%(domainname)s' % ucr
    self_update = '%(version/version)s-%(version/patchlevel)s' % ucr

    new_server, policy_update = query_policy(hostdn)
    # FIXME: neither value is used — they should be passed to
    # `univention-repository-update --updateto=`.
    policy_update or self_update

    ucr_variables = []  # type: List[str]
    if ucr.is_true('local/repository'):
        # on a repository server: serve from the own FQDN by default,
        # otherwise mirror from the server the policy names
        if not new_server:
            ucr_variables.append('repository/online/server?%s' % fqdn)
        elif new_server not in (ucr.get('repository/mirror/server'), fqdn):
            ucr_variables.append('repository/mirror/server=%s' % new_server)
    elif new_server and new_server != ucr.get('repository/online/server'):
        # without a local repository: follow the policy's server
        ucr_variables.append('repository/online/server=%s' % new_server)

    if ucr_variables:
        handler_set(ucr_variables)
def connect(options):
	"""
	Start the AD connector main loop.

	Retries (sleeping ``<configbasename>/ad/poll/sleep`` seconds between
	attempts) until the LDAP connections and the group cache could be
	initialised, logs the active attribute mapping to
	``/var/log/univention/<configbasename>-ad-mapping.log`` and then hands
	over to ``_connect``.

	:param options: parsed options providing ``configbasename``, ``log_file`` and ``debug``.
	"""
	print(time.ctime())

	ucr = ConfigRegistry()
	ucr.load()

	basename = options.configbasename
	poll_sleep = int(ucr['%s/ad/poll/sleep' % basename])
	ad = None
	while ad is None:
		try:
			candidate = univention.connector.ad.ad.main(ucr, basename, logfilename=options.log_file, debug_level=options.debug)
			candidate.init_ldap_connections()
			candidate.init_group_cache()
			ad = candidate
		except ldap.SERVER_DOWN:
			print("Warning: Can't initialize LDAP-Connections, wait...")
			sys.stdout.flush()
			time.sleep(poll_sleep)

	# log the active mapping
	with open('/var/log/univention/%s-ad-mapping.log' % basename, 'w+') as fd:
		print(repr(univention.connector.Mapping(ad.property)), file=fd)

	with ad as ad:
		_connect(ad, poll_sleep, ucr.get('%s/ad/retryrejected' % basename, 10))
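def getBackupConnection(start_tls=2, decode_ignorelist=[]):
    """
    Open a LDAP connection to the Master as ``cn=backup``, falling back to the
    first host listed in ``ldap/backup`` when the Master is down.

    The password is read from ``/etc/ldap-backup.secret`` (one trailing newline
    removed); that file must stay readable by root only.

    :param int start_tls: Negotiate TLS with server; `2` requires the operation to succeed.
    :param list decode_ignorelist: LDAP attribute names which shall be handled as binary attributes.
    :return: A LDAP access object.
    :raises ldap.SERVER_DOWN: if the Master is down and no backup is configured.
    """
    ucr = ConfigRegistry()
    ucr.load()
    # Close the secret file promptly; it holds the backup bind password.
    with open('/etc/ldap-backup.secret') as secret:
        bindpw = secret.read()
    # Strip exactly one trailing newline; an empty file no longer raises IndexError.
    if bindpw.endswith('\n'):
        bindpw = bindpw[:-1]
    port = int(ucr.get('ldap/master/port', '7389'))

    def connect(host):
        # Every attempt uses the backup credentials and the caller's options.
        return access(host=host,
                      port=port,
                      base=ucr['ldap/base'],
                      binddn='cn=backup,' + ucr['ldap/base'],
                      bindpw=bindpw,
                      start_tls=start_tls,
                      decode_ignorelist=decode_ignorelist)

    try:
        lo = connect(ucr['ldap/master'])
    except ldap.SERVER_DOWN:
        if not ucr['ldap/backup']:
            raise
        lo = connect(ucr['ldap/backup'].split(' ')[0])
    # The original opened the connection but never returned it.
    return lo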
def call_unjoin_script(unjoin_script_name):
	"""
	Run an unjoin script from ``/usr/lib/univention-uninstall`` with the
	domain-admin test credentials from |UCR| and return its exit status.

	:param str unjoin_script_name: file name of the unjoin script.
	:returns: the script's return code as reported by ``subprocess.call``.
	"""
	print('call_unjoin_script(%r)' % (unjoin_script_name,))
	ucr = ConfigRegistry()
	ucr.load()

	join_script = '/usr/lib/univention-uninstall/%s' % unjoin_script_name
	# NOTE(review): an unset UCR variable yields None here, which subprocess
	# rejects — confirm both variables are always set in the test environment.
	binddn = ucr.get('tests/domainadmin/account')
	pwdfile = ucr.get('tests/domainadmin/pwdfile')

	# Argument list without a shell, so no argument is subject to shell parsing.
	command = [join_script, '--binddn', binddn, '--bindpwdfile', pwdfile]
	return subprocess.call(command, shell=False)
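def getMachineConnection(start_tls=2,
                         decode_ignorelist=[],
                         ldap_master=True,
                         secret_file="/etc/machine.secret",
                         reconnect=True,
                         random_server=False):
    # type: (int, List[str], bool, str, bool, bool) -> access
    """
    Open a LDAP connection using the machine credentials.

    :param int start_tls: Negotiate TLS with server. If `2` is given, the command will require the operation to be successful.
    :param decode_ignorelist: List of LDAP attribute names which shall be handled as binary attributes.
    :type decode_ignorelist: list[str]
    :param bool ldap_master: Open a connection to the Master if True, to the preferred LDAP server otherwise.
    :param str secret_file: The name of a file containing the password credentials (must stay readable by root only).
    :param bool reconnect: Automatically reconnect if the connection fails.
    :param bool random_server: Choose a random LDAP server from ldap/server/name and ldap/server/addition.
    :return: A LDAP access object.
    :rtype: univention.uldap.access
    :raises ldap.SERVER_DOWN: if none of the configured servers could be reached.
    """
    ucr = ConfigRegistry()
    ucr.load()

    # The secret file holds the machine password; close it promptly.
    with open(secret_file) as secret:
        bindpw = secret.read().rstrip('\n')

    def connect(host, port):
        # Every attempt uses the machine credentials and the caller's options.
        return access(host=host,
                      port=port,
                      base=ucr['ldap/base'],
                      binddn=ucr['ldap/hostdn'],
                      bindpw=bindpw,
                      start_tls=start_tls,
                      decode_ignorelist=decode_ignorelist,
                      reconnect=reconnect)

    if ldap_master:
        # Connect to DC Master
        port = int(ucr.get('ldap/master/port', '7389'))
        return connect(ucr['ldap/master'], port)

    # Connect to ldap/server/name, then to the additional servers
    port = int(ucr.get('ldap/server/port', '7389'))
    servers = [ucr.get('ldap/server/name')]
    servers += ucr.get('ldap/server/addition', '').split()
    if random_server:
        random.shuffle(servers)

    last_error = None
    for server in servers:
        try:
            return connect(server, port)
        except ldap.SERVER_DOWN as exc:
            # LDAP server down, try next server. Keep the exception under a
            # separate name: Python 3 unbinds ``exc`` when the except block
            # ends, so the original ``raise exc`` after the loop failed with
            # an UnboundLocalError instead of reporting SERVER_DOWN.
            last_error = exc
    raise last_error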
def call_join_script(name, fail_on_error=True):
	# type: (str, bool) -> int
	"""
	Run the join script ``/usr/lib/univention-install/<name>`` (e.g. ``66foobar.inst``)
	with the domain-admin test credentials from |UCR|.

	:param str name: file name of the join script.
	:param bool fail_on_error: if true, ``call_cmd`` invokes ``fail()`` when the exit code is not zero.
	:returns: the exit code as returned by ``call_cmd``.
	"""
	ucr = ConfigRegistry()
	ucr.load()
	command = [
		'/usr/lib/univention-install/%s' % name,
		'--binddn', ucr.get('tests/domainadmin/account'),
		'--bindpwdfile', ucr.get('tests/domainadmin/pwdfile'),
	]
	return call_cmd(command, fail_on_error=fail_on_error)
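    def __init__(self,
                 host='localhost',
                 port=None,
                 base='',
                 binddn='',
                 bindpw='',
                 start_tls=2,
                 ca_certfile=None,
                 decode_ignorelist=[],
                 use_ldaps=False,
                 uri=None,
                 follow_referral=False):
        """
        Prepare and open a LDAP connection.

        :param str host: LDAP server host name.
        :param port: LDAP port; if unset, |UCR| `ldap/server/port` (default 7389)
            is used, switched to 7636 for LDAPS.
        :param str base: Search base DN.
        :param str binddn: Bind DN.
        :param str bindpw: Bind password.
        :param int start_tls: 0 (no); 1 (try); 2 (must).
        :param str ca_certfile: CA certificate file, handed to ``__open``.
        :param list decode_ignorelist: Attribute names to treat as binary; if
            empty, |UCR| `ldap/binaryattributes` (default
            ``krb5Key,userCertificate;binary``) is used.
        :param bool use_ldaps: Build an ``ldaps://`` URI.
        :param str uri: Explicit URI, used only when ``use_ldaps`` is false.
        :param bool follow_referral: Handle referrals here instead of in python-ldap.
        """
        ucr = None
        self.host = host
        self.base = base
        self.binddn = binddn
        self.bindpw = bindpw
        self.start_tls = start_tls
        self.ca_certfile = ca_certfile

        self.port = port

        if not self.port:  # if no explicit port is given
            ucr = ConfigRegistry()
            ucr.load()
            self.port = int(ucr.get('ldap/server/port', 7389))  # take UCR value
            # Adjust the standard port for SSL. The port is an int at this
            # point, so compare with an int: the old ``== "7389"`` never
            # matched and would have stored the port as a string.
            if use_ldaps and self.port == 7389:
                self.port = 7636

        # http://www.openldap.org/faq/data/cache/605.html
        self.protocol = 'ldap'
        if use_ldaps:
            self.protocol = 'ldaps'
            # The old code had the closing quote misplaced, so the URI was the
            # literal text 'ldaps://%s:%s" % (self.host, self.port)'.
            self.uri = 'ldaps://%s:%s' % (self.host, self.port)
        elif uri:
            self.uri = uri
        else:
            self.uri = 'ldap://%s:%s' % (self.host, self.port)

        if not decode_ignorelist:
            if ucr is None:
                ucr = ConfigRegistry()
                ucr.load()
            self.decode_ignorelist = ucr.get(
                'ldap/binaryattributes',
                'krb5Key,userCertificate;binary').split(',')
        else:
            self.decode_ignorelist = decode_ignorelist

        # python-ldap does not cache the credentials, so we override the
        # referral handling if follow_referral is set to true
        #  https://forge.univention.org/bugzilla/show_bug.cgi?id=9139
        self.follow_referral = follow_referral

        self.__open(ca_certfile)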
 def load(self):
     # type: () -> None
     """
     Load the registry via the superclass and, on the first call only,
     keep a deep copy of every registry type's original values.
     """
     ConfigRegistry.load(self)
     if self.__original_registry is not None:
         return
     snapshot = {}
     for regtype, reg in self._walk():
         snapshot[regtype] = copy.deepcopy(dict(reg))
     self.__original_registry = snapshot
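    def __init__(
        self,
        host="localhost",
        port=None,
        base="",
        binddn="",
        bindpw="",
        start_tls=2,
        ca_certfile=None,
        decode_ignorelist=[],
        use_ldaps=False,
        uri=None,
        follow_referral=False,
    ):
        """
        Prepare and open a LDAP connection.

        :param str host: LDAP server host name.
        :param port: LDAP port; if unset, |UCR| `ldap/server/port` (default 7389)
            is used, switched to 7636 for LDAPS.
        :param str base: Search base DN.
        :param str binddn: Bind DN.
        :param str bindpw: Bind password.
        :param int start_tls: 0 (no); 1 (try); 2 (must).
        :param str ca_certfile: CA certificate file, handed to ``__open``.
        :param list decode_ignorelist: Attribute names to treat as binary; if
            empty, |UCR| `ldap/binaryattributes` (default
            ``krb5Key,userCertificate;binary``) is used.
        :param bool use_ldaps: Build an ``ldaps://`` URI.
        :param str uri: Explicit URI, used only when ``use_ldaps`` is false.
        :param bool follow_referral: Handle referrals here instead of in python-ldap.
        """
        ucr = None
        self.host = host
        self.base = base
        self.binddn = binddn
        self.bindpw = bindpw
        self.start_tls = start_tls
        self.ca_certfile = ca_certfile

        self.port = port

        if not self.port:  # if no explicit port is given
            ucr = ConfigRegistry()
            ucr.load()
            self.port = int(ucr.get("ldap/server/port", 7389))  # take UCR value
            # Adjust the standard port for SSL. The port is an int at this
            # point, so compare with an int: the old ``== "7389"`` never
            # matched and would have stored the port as a string.
            if use_ldaps and self.port == 7389:
                self.port = 7636

        # http://www.openldap.org/faq/data/cache/605.html
        self.protocol = "ldap"
        if use_ldaps:
            self.protocol = "ldaps"
            # The old code had the closing quote misplaced, so the URI was the
            # literal text 'ldaps://%s:%s" % (self.host, self.port)'.
            self.uri = "ldaps://%s:%s" % (self.host, self.port)
        elif uri:
            self.uri = uri
        else:
            self.uri = "ldap://%s:%s" % (self.host, self.port)

        if not decode_ignorelist:
            if ucr is None:
                ucr = ConfigRegistry()
                ucr.load()
            self.decode_ignorelist = ucr.get("ldap/binaryattributes", "krb5Key,userCertificate;binary").split(",")
        else:
            self.decode_ignorelist = decode_ignorelist

        # python-ldap does not cache the credentials, so we override the
        # referral handling if follow_referral is set to true
        #  https://forge.univention.org/bugzilla/show_bug.cgi?id=9139
        self.follow_referral = follow_referral

        self.__open(ca_certfile)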
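def get_ldap_master_connection(user_dn, bindpw='univention'):
    """
    Open a LDAP connection to the Master bound as ``user_dn``.

    :param str user_dn: DN to bind as.
    :param str bindpw: Bind password. Defaults to the well-known test-environment
        password ``univention`` (the former hard-coded value), so callers outside
        a test setup must pass a real one.
    :returns: a ``univention.uldap.access`` instance bound to ``ldap/master``.
    """
    ucr = ConfigRegistry()
    ucr.load()

    return univention.uldap.access(host=ucr.get('ldap/master'),
                                   port=int(ucr.get('ldap/master/port',
                                                    '7389')),
                                   base=ucr.get('ldap/base'),
                                   binddn=user_dn,
                                   bindpw=bindpw)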
    def config():
        """
        Test wide configuration aka |UCR|.

        Used to get some defaults if no environment variables are given.
        If UCR is not available (``univention.config_registry`` cannot be
        imported), an empty dict is returned instead.
        """
        try:
            from univention.config_registry import ConfigRegistry
            registry = ConfigRegistry()
            registry.load()
            return dict(registry)
        except ImportError:
            return {}
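def postrun():
	"""
	Listener post-run hook: invalidate nscd's group cache after changes.

	Runs ``nscd -i group`` only if ``nscd/group/invalidate_cache_on_changes``
	is true and ``nss/group/cachefile`` is false. A failed invalidation is
	logged, never raised.
	"""
	baseConfig = ConfigRegistry()
	baseConfig.load()

	if not baseConfig.is_true('nscd/group/invalidate_cache_on_changes', False):
		return
	if not baseConfig.is_false('nss/group/cachefile', True):
		return

	listener.setuid(0)
	try:
		univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, "calling 'nscd -i group'")
		listener.run('/usr/sbin/nscd', ['nscd', '-i', 'group'], uid=0)
	except Exception:
		# Best effort: a failed cache invalidation must not abort the listener.
		# The previous bare ``except:`` also swallowed SystemExit/KeyboardInterrupt.
		univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "nscd -i group was not successful")
	finally:
		# Drop root privileges again on every path, including an unexpected error.
		listener.unsetuid()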
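def getRootDnConnection(start_tls=2, decode_ignorelist=[], reconnect=True):
	"""
	Open a LDAP connection to the local LDAP server with the LDAP root account.

	On the Master this is ``cn=admin`` with the password from ``/etc/ldap.secret``;
	on any other role it is ``cn=update`` with the ``rootpw "..."`` value from
	``/etc/ldap/rootpw.conf``. Both files hold credentials and must stay
	readable by root only.

	:param int start_tls: Negotiate TLS with server; `2` requires the operation to succeed.
	:param list decode_ignorelist: LDAP attribute names which shall be handled as binary attributes.
	:param bool reconnect: Automatically reconnect if the connection fails.
	:return: A LDAP access object.
	"""
	ucr = ConfigRegistry()
	ucr.load()
	# slapd/port may list several ports; the first one is the LDAP port.
	port = int(ucr.get('slapd/port', '7389').split(',')[0])
	host = ucr['hostname'] + '.' + ucr['domainname']
	if ucr.get('ldap/server/type', 'dummy') == 'master':
		with open('/etc/ldap.secret') as secret:
			bindpw = secret.read().rstrip('\n')
		binddn = 'cn=admin,{0}'.format(ucr['ldap/base'])
	else:
		with open('/etc/ldap/rootpw.conf') as secret:
			line = secret.read().rstrip('\n')
		# Remove the literal prefix and the closing quote. The previous
		# ``lstrip('rootpw "')`` / ``rstrip('"')`` stripped *sets of characters*,
		# so a password starting with any of r, o, t, p, w, space or a quote, or
		# ending with a quote, was silently truncated.
		prefix = 'rootpw "'
		if line.startswith(prefix):
			line = line[len(prefix):]
		if line.endswith('"'):
			line = line[:-1]
		bindpw = line
		binddn = 'cn=update,{0}'.format(ucr['ldap/base'])
	return access(host=host, port=port, base=ucr['ldap/base'], binddn=binddn, bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)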
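def getMachineConnection(start_tls=2, decode_ignorelist=[], ldap_master=True, secret_file="/etc/machine.secret"):
    """
    Open a LDAP connection using the machine credentials.

    :param int start_tls: Negotiate TLS with server; `2` requires the operation to succeed.
    :param list decode_ignorelist: LDAP attribute names which shall be handled as binary attributes.
    :param bool ldap_master: Connect to the Master if True, otherwise to `ldap/server/name`, falling back to the hosts in `ldap/server/addition`.
    :param str secret_file: File containing the machine password (must stay readable by root only).
    :return: A LDAP access object.
    :raises ldap.SERVER_DOWN: if no configured server could be reached.
    """
    ucr = ConfigRegistry()
    ucr.load()

    # The secret file holds a password: close it promptly.
    with open(secret_file) as secret:
        bindpw = secret.read()
    # Strip exactly one trailing newline; an empty file no longer raises IndexError.
    if bindpw.endswith("\n"):
        bindpw = bindpw[:-1]

    def connect(host, port):
        # Every attempt uses the machine credentials and the caller's options.
        return access(
            host=host,
            port=port,
            base=ucr["ldap/base"],
            binddn=ucr["ldap/hostdn"],
            bindpw=bindpw,
            start_tls=start_tls,
            decode_ignorelist=decode_ignorelist,
        )

    if ldap_master:
        # Connect to DC Master
        port = int(ucr.get("ldap/master/port", "7389"))
        return connect(ucr["ldap/master"], port)

    # Connect to ldap/server/name
    port = int(ucr.get("ldap/server/port", "7389"))
    try:
        return connect(ucr["ldap/server/name"], port)
    except ldap.SERVER_DOWN as e:
        # ldap/server/name is down, try next server
        additional = ucr.get("ldap/server/addition")
        if not additional:
            raise
        # The UCR value is a whitespace separated string; iterating it directly
        # (as the old code did) walked over single characters, not host names.
        last_error = e
        for server in additional.split():
            try:
                return connect(server, port)
            except ldap.SERVER_DOWN as err:
                last_error = err
        raise last_error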
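def getAdminConnection(start_tls=2, decode_ignorelist=None, reconnect=True):
    """Open an LDAP connection to the DC master bound as ``cn=admin,<ldap/base>``.

    The password is read from ``/etc/ldap.secret``; the file is closed again
    immediately instead of being left to garbage collection.

    :param start_tls: passed through to :class:`access`.
    :param decode_ignorelist: passed through to :class:`access`; ``None``
        (the default) means an empty list, created fresh per call so the
        default can never be shared and mutated between callers.
    :param reconnect: passed through to :class:`access`.
    :returns: an :class:`access` instance.
    :raises IOError: if the secret file cannot be read.
    """
    if decode_ignorelist is None:
        decode_ignorelist = []
    ucr = ConfigRegistry()
    ucr.load()
    with open('/etc/ldap.secret') as fd:
        bindpw = fd.read().rstrip('\n')
    port = int(ucr.get('ldap/master/port', '7389'))
    return access(host=ucr['ldap/master'],
                  port=port,
                  base=ucr['ldap/base'],
                  binddn='cn=admin,' + ucr['ldap/base'],
                  bindpw=bindpw,
                  start_tls=start_tls,
                  decode_ignorelist=decode_ignorelist,
                  reconnect=reconnect)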
def get_query_limit():
    """Return the admin-diary query limit configured in UCR.

    Reads ``admin/diary/query/limit``; a missing, non-integer or negative
    value falls back to 1000.
    """
    fallback = 1000
    registry = ConfigRegistry()
    registry.load()
    raw = registry.get('admin/diary/query/limit', '')
    try:
        parsed = int(raw)
    except ValueError:
        # unset ('') or garbage: use the built-in default
        return fallback
    return parsed if parsed >= 0 else fallback
def postrun():
	"""Listener post-run hook: restart the DHCP server when UCR allows it.

	Nothing happens unless ``dhcpd/autostart`` is true; the restart is
	additionally gated by ``dhcpd/restart/listener`` and is executed as root
	through the listener helper.  A failing restart is only logged.
	"""
	registry = ConfigRegistry()
	registry.load()

	if not registry.is_true("dhcpd/autostart", False):
		return
	if not registry.is_true('dhcpd/restart/listener', False):
		ud.debug(ud.ADMIN, ud.INFO, 'DHCP: the automatic restart of the dhcp server by the listener is disabled. Set dhcpd/restart/listener to true to enable this option.')
		return

	ud.debug(ud.LISTENER, ud.INFO, 'DHCP: Restarting server')
	try:
		listener.run('/etc/init.d/univention-dhcp', ['univention-dhcp', 'restart'], uid=0)
	except Exception as exc:
		# best effort: keep the listener alive even if the init script fails
		ud.debug(ud.ADMIN, ud.WARN, 'The restart of the DHCP server failed: %s' % str(exc))
    def create_udm_adconnection(cls, alias, description=""):
        """Create an ``office365/ad-connection`` UDM object and return its DN.

        The object is placed below ``cn=ad-connections,cn=office365,<ldap/base>``;
        *alias* becomes its ``name`` and *description* its ``description``.
        """
        registry = ConfigRegistry()
        registry.load()

        # The position handed back by init_udm is not used: the container is
        # fixed to the office365 AD-connection subtree.
        lo, _po, mod = cls.init_udm("office365/ad-connection")
        container = "cn=ad-connections,cn=office365,%s" % registry["ldap/base"]
        position = univention.admin.uldap.position(container)
        connection = mod.object(co=None, lo=lo, position=position)
        connection.open()
        connection['name'] = alias
        connection['description'] = description
        return connection.create()
class TransactionalUcr(object):
	"""Buffer UCR changes and write them in one go.

	``set()`` only records a new value; ``commit()`` hands all recorded
	changes to :func:`ucr_update` at once.  Used as a context manager the
	buffered changes are committed on a clean exit and discarded when the
	``with`` block raised.
	"""

	def __init__(self):
		self.ucr = ConfigRegistry()
		self.ucr.load()
		# key -> value recorded by set() but not written yet
		self.changes = {}

	def set(self, key, value):
		"""Record *value* for *key* without writing it.

		commit() runs at the end of inner_run(); call it yourself if the
		change has to reach UCR earlier.  Setting a key back to the value
		currently stored in UCR drops any pending change for that key.
		"""
		if self.ucr.get(key) == value:
			# back to the stored value: forget an earlier override
			self.changes.pop(key, None)
			return
		self.changes[key] = value

	def commit(self):
		"""Write all changes recorded by set() to UCR.

		Runs automatically *if inner_run() did not raise an exception*; it
		may also be called explicitly (e.g. in down()).  The pending changes
		are cleared afterwards, so repeated commits are harmless.
		"""
		if not self.changes:
			return
		ucr_update(self.ucr, self.changes)
		self.changes.clear()

	def get(self, key, search_in_changes=True):
		"""Return the value of *key*.

		With *search_in_changes* (the default) a pending, uncommitted value
		takes precedence over the value stored in UCR.
		"""
		if search_in_changes and key in self.changes:
			return self.changes[key]
		return self.ucr.get(key)

	def __enter__(self):
		return self

	def __exit__(self, exc_type, exc_value, traceback):
		# commit only on a clean exit; exceptions propagate (None is returned)
		if exc_type is None:
			self.commit()
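def getAdminConnection(start_tls=2, decode_ignorelist=None):
    """Open an LDAP connection to the DC master bound as ``cn=admin,<ldap/base>``.

    The password is read from ``/etc/ldap.secret``; the file is closed again
    right away instead of being left to garbage collection.

    :param start_tls: passed through to :class:`access`.
    :param decode_ignorelist: passed through to :class:`access`; ``None``
        (the default) means an empty list, created fresh per call so the
        default can never be shared and mutated between callers.
    :returns: an :class:`access` instance.
    :raises IOError: if the secret file cannot be read.
    """
    if decode_ignorelist is None:
        decode_ignorelist = []
    ucr = ConfigRegistry()
    ucr.load()
    with open("/etc/ldap.secret") as fd:
        bindpw = fd.read()
    # Strip exactly one trailing newline.  endswith() also copes with an empty
    # secret file, where bindpw[-1] would raise IndexError.
    if bindpw.endswith("\n"):
        bindpw = bindpw[:-1]
    port = int(ucr.get("ldap/master/port", "7389"))
    return access(
        host=ucr["ldap/master"],
        port=port,
        base=ucr["ldap/base"],
        binddn="cn=admin," + ucr["ldap/base"],
        bindpw=bindpw,
        start_tls=start_tls,
        decode_ignorelist=decode_ignorelist,
    )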
def handler(dn, new, old):
	"""Called on each change.

	Keeps the UCR variable ``uvmm/managers`` (a whitespace separated host
	list) in sync with the LDAP entries that provide one of the services in
	``service_names``: the old entry's FQDN is removed, the new entry's FQDN
	added.  The variable is only rewritten (as root) when the host name
	actually changed, and ``need_restart`` is set in that case.
	"""
	global need_restart

	ucr = ConfigRegistry()
	ucr.load()
	value = ucr.get('uvmm/managers','')
	debug.debug(debug.LISTENER, debug.ALL, "old hosts: %s" % value)
	managers = value.split()

	def _is_manager(entry):
		# only non-empty entries providing one of the watched services count
		return bool(entry) and bool(service_names & set(entry.get('univentionService', [])))

	def _fqdn(entry):
		# fall back to the local domain when the entry carries no associatedDomain
		try:
			domain = entry['associatedDomain'][0]
		except KeyError:
			domain = ucr.get('domainname')
		return "%s.%s" % (entry['cn'][0], domain)

	old_host = None
	if _is_manager(old):
		old_host = _fqdn(old)
		if old_host in managers:
			debug.debug(debug.LISTENER, debug.INFO, "removing host %s" % (old_host,))
			managers.remove(old_host)

	new_host = None
	if _is_manager(new):
		new_host = _fqdn(new)
		debug.debug(debug.LISTENER, debug.INFO, "+uvmm %s" % (new_host,))
		if new_host not in managers:
			debug.debug(debug.LISTENER, debug.INFO, "adding host %s" % (new_host,))
			managers.append(new_host)

	if old_host == new_host:
		return

	value = ' '.join(managers)
	debug.debug(debug.LISTENER, debug.ALL, "new hosts: %s" % value)
	listener.setuid(0)
	try:
		handler_set(['uvmm/managers=%s' % (value,)])
		need_restart = True
	finally:
		listener.unsetuid()
import os
import re
import shlex
import string
import sys

# defaults: the single ConfigRegistry instance shared by this module; it is
# populated by ucr.load() further below, so importing the module reads UCR.
ucr	= ConfigRegistry()

# global hashes (presumably filled by the parsing code later in the module)
include = set()
shares = {}
# NOTE(review): this module-level name shadows the builtin globals(); it is
# kept as-is because other code may refer to it under this name.
globals = {}
printers = {}

ucr.load()

class Restrictions( dict ):
	"""Access restrictions of one share, keyed by smb.conf-style option name.

	All four options start out as None (unset); the share name is kept in
	``name``.
	"""
	INVALID_USERS = 'invalid users'
	VALID_USERS = 'valid users'
	HOSTS_DENY = 'hosts deny'
	HOSTS_ALLOW = 'hosts allow'

	def __init__( self, name ):
		# every restriction unset until the parser fills it in
		keys = (
			Restrictions.INVALID_USERS,
			Restrictions.VALID_USERS,
			Restrictions.HOSTS_DENY,
			Restrictions.HOSTS_ALLOW,
		)
		dict.__init__( self, dict.fromkeys( keys ) )
		self.name = name
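class TestEnvironment(object):
	"""Test environment for running test cases.

	Handles system data, requirement checks and test output.
	"""

	logger = logging.getLogger('test.env')

	def __init__(self, interactive=True, logfile=None):
		"""Collect host, UCR, join and package information.

		:param interactive: in interactive mode no tag filtering applies
			(``tags_required`` / ``tags_prohibited`` stay ``None``); otherwise
			tests tagged ``SKIP`` or ``WIP`` are prohibited.
		:param logfile: path of the log file; ``None`` discards the output.
		"""
		self.exposure = 'safe'
		self.interactive = interactive

		self._load_host()
		self._load_ucr()
		self._load_join()
		self._load_apt()

		if interactive:
			self.tags_required = None
			self.tags_prohibited = None
		else:
			self.tags_required = set()
			self.tags_prohibited = set(('SKIP', 'WIP'))

		# stays open for the lifetime of the environment; the owner closes it
		self.log = open(logfile or os.path.devnull, 'a')

	def _load_host(self):
		"""Load host system information (node name and machine architecture)."""
		(_sysname, nodename, _release, _version, machine) = os.uname()
		self.hostname = nodename
		self.architecture = machine

	def _load_ucr(self):
		"""Load Univention Config Registry information: server role and UCS version."""
		self.ucr = ConfigRegistry()
		self.ucr.load()
		self.role = self.ucr.get('server/role', '')
		TestEnvironment.logger.debug('Role=%r', self.role)

		version = self.ucr.get('version/version').split('.', 1)
		major, minor = int(version[0]), int(version[1])
		patchlevel = int(self.ucr.get('version/patchlevel'))
		if (major, minor) < (3, 0):
			# UCS before 3.0 tracked a security patch level, later releases an errata level
			securitylevel = int(self.ucr.get('version/security-patchlevel', 0))
			self.ucs_version = UCSVersion((major, minor, patchlevel,
				securitylevel))
		else:
			erratalevel = int(self.ucr.get('version/erratalevel', 0))
			self.ucs_version = UCSVersion((major, minor, patchlevel,
				erratalevel))
		TestEnvironment.logger.debug('Version=%r', self.ucs_version)

	def _load_join(self):
		"""Load join status: joined iff univention-check-join-status exits with 0."""
		with open(os.path.devnull, 'w+') as devnull:
			ret = call(('/usr/sbin/univention-check-join-status',),
					stdin=devnull, stdout=devnull, stderr=devnull)
		self.joined = ret == 0
		TestEnvironment.logger.debug('Join=%r', self.joined)

	def _load_apt(self):
		"""Load package information (APT cache)."""
		self.apt = apt.Cache()

	def dump(self, stream=sys.stdout):
		"""Write a ``key: value`` summary of the environment to *stream*, one line each."""
		lines = [
			'hostname: %s' % (self.hostname,),
			'architecture: %s' % (self.architecture,),
			'version: %s' % (self.ucs_version,),
			'role: %s' % (self.role,),
			'joined: %s' % (self.joined,),
			# in interactive mode the tag sets are None: print '-' instead of
			# failing in ' '.join()
			'tags_required: %s' % (' '.join(self.tags_required or ()) or '-',),
			'tags_prohibited: %s' % (' '.join(self.tags_prohibited or ()) or '-',),
		]
		stream.write(''.join(line + '\n' for line in lines))

	def tag(self, require=frozenset(), ignore=frozenset(), prohibit=frozenset()):
		"""Update required, ignored, prohibited tags.

		A tag set that is None (interactive mode) is left untouched.  *ignore*
		is removed from both sets before *require* / *prohibit* are added.
		The defaults are immutable so they can never be modified by accident.
		"""
		if self.tags_required is not None:
			self.tags_required -= set(ignore)
			self.tags_required |= set(require)
		if self.tags_prohibited is not None:
			self.tags_prohibited -= set(ignore)
			self.tags_prohibited |= set(prohibit)
		TestEnvironment.logger.debug('tags_required=%r tags_prohibited=%r',
				self.tags_required, self.tags_prohibited)

	def set_exposure(self, exposure):
		"""Set maximum allowed exposure level."""
		self.exposure = exposure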
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

from univention.config_registry import ConfigRegistry
# Module-wide UCR view, loaded once at import time.
configRegistry = ConfigRegistry()
configRegistry.load()

# Each cmd_* value is a complete package-manager command line; the UCR
# variable named first overrides the built-in apt default.  This module only
# defines the strings -- how they are executed (shell vs. argv list) is not
# visible here, so presumably they are consumed as shell command lines.

# Update package cache
cmd_update = configRegistry.get('update/commands/update', 'apt-get update')

# Show package information
cmd_show = configRegistry.get('update/commands/show', 'apt-cache show')

# Upgrade only installed packages.  The DPkg::Options keep existing conffiles
# (--force-confold) and allow overwriting files of other packages; the *_sim
# variants add -s (simulate) and make no changes.
cmd_upgrade = configRegistry.get('update/commands/upgrade', 'apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1 -u upgrade')
cmd_upgrade_sim = configRegistry.get('update/commands/upgrade/simulate', 'apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1 -us upgrade')

# Upgrade system, may install new packages to satisfy dependencies
cmd_dist_upgrade = configRegistry.get('update/commands/distupgrade', 'apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1 -u dist-upgrade')
cmd_dist_upgrade_sim = configRegistry.get('update/commands/distupgrade/simulate', 'apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1 -us dist-upgrade')
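def handler(*args, **kw):
    """Listener entry point mirroring LDAP changes of mail users into Kolab.

    Called with ``(dn, new, old)`` for add/modify/delete and with
    ``(dn, new, old, command)`` for a rename (moddn); the rename case is
    currently a no-op.  An entry is only synchronised when the attribute
    named by ``conf`` (section ``ldap``, option ``mailserver_attribute``)
    points at this host (``constants.fqdn``); everything else is logged and
    skipped.  Deletions are additionally gated by the UCR variable
    ``mail/cyrus/mailbox/delete`` (default: true).
    """
    log.info("kolab.handler(args(%d): %r, kw: %r)" % (len(args), args, kw))

    auth = Auth()
    auth.connect()

    def _mailserver_attribute():
        # Lower-cased name of the LDAP attribute naming the responsible mail
        # server, or None (after logging) when it is not configured.  The
        # None check has to happen before .lower(), which the original
        # called first and would have raised AttributeError on None.
        attribute = conf.get('ldap', 'mailserver_attribute')
        if attribute is None:
            log.error("Mail server attribute is not set")
            # TODO: Perhaps, query for IMAP servers. If there is only one,
            #       we know what to do.
            return None
        return attribute.lower()

    def _synchronize(change_type, entry):
        # all three change types share the same callback shape
        auth._auth._synchronize_callback(
            change_type=change_type,
            previous_dn=None,
            change_number=None,
            dn=dn,
            entry=entry,
        )

    if len(args) == 4:
        # moddn: (dn, new, old, command) is not handled yet.  The original
        # read args[4], which does not exist for four arguments.
        return

    if len(args) != 3:
        return

    dn = args[0]
    new = utils.normalize(args[1])
    old = utils.normalize(args[2])
    has_old = isinstance(old, dict) and len(old) > 0
    has_new = isinstance(new, dict) and len(new) > 0

    if has_old:
        # Two options:
        # - entry changed
        # - entry deleted
        log.info("user %r, old is dict" % (dn,))

        if has_new:
            log.info("Modify entry %r" % (dn,))

            mailserver_attribute = _mailserver_attribute()
            if mailserver_attribute is None:
                return

            if mailserver_attribute in old:
                # .get(): the new entry may have dropped the attribute, which
                # must not turn the log line into a KeyError
                log.info("Modified entry %r has mail server attribute %s: %r" % (dn, mailserver_attribute, new.get(mailserver_attribute)))

                if not old[mailserver_attribute] == constants.fqdn:
                    # Even though the new mailserver can be us, it is the
                    # *current* mail server that needs to push for the XFER.
                    log.info("The mail server for user %r is set, and it is not me (%r)" % (dn, old[mailserver_attribute]))
                    return

            else:
                # If old has no mailserver attribute, but new does, we need to create
                # the user locally.
                if mailserver_attribute in new:
                    if not new[mailserver_attribute] == constants.fqdn:
                        log.info("The mail server for user %r is set (in new, not old), but it is not me (%r)" % (dn, new[mailserver_attribute]))
                        return
                else:
                    log.info("Entry %r does not have a mail server attribute." % (dn,))
                    return

            _synchronize('modify', new)

        else:
            log.info("Delete entry %r" % (dn,))

            # See if the mailserver_attribute exists
            mailserver_attribute = _mailserver_attribute()
            if mailserver_attribute is None:
                return

            if mailserver_attribute in old:
                log.info("Deleted entry %r has mail server attribute %s: %r" % (dn, mailserver_attribute, old[mailserver_attribute]))

                if not old[mailserver_attribute] == constants.fqdn:
                    log.info("The mail server for user %r is set, and it is not me (%r)" % (dn, old[mailserver_attribute]))
                    return

            else:
                log.info("Entry deletion notification for %r does not have a mail server attribute specified." % (dn,))

            cfg = ConfigRegistry()
            cfg.load()

            # mailbox removal is opt-out via UCR
            if cfg.is_true('mail/cyrus/mailbox/delete', True):
                _synchronize('delete', old)

    elif has_new:
        # Old is not a dict (or empty), so the entry is just created
        log.info("Add entry %r" % (dn,))

        # See if the mailserver_attribute exists
        mailserver_attribute = _mailserver_attribute()
        if mailserver_attribute is None:
            return

        if mailserver_attribute in new:
            log.info("Added entry %r has mail server attribute %s: %r" % (dn, mailserver_attribute, new[mailserver_attribute]))

            if not new[mailserver_attribute] == constants.fqdn:
                log.info("The mail server for user %r is set, and it is not me (%r)" % (dn, new[mailserver_attribute]))
                return

        else:
            log.info("Added entry %r does not have a mail server attribute set." % (dn,))
            return

        _synchronize('add', new)

    else:
        log.info("entry %r changed, but no new or old attributes" % (dn,))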
import ldap
from univention.config_registry import ConfigRegistry
from ldap.controls import LDAPControl
import ldap.modlist as modlist
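try:
	from univention.connector.ad import compatible_modstring
except ImportError:
	try:
		from univention.s4connector.s4 import compatible_modstring
	except ImportError:
		# Neither the AD nor the S4 connector is installed: fall back to the
		# identity so callers can pass values through unchanged.
		def compatible_modstring(dn):
			"""Return *dn* unchanged (no connector-specific conversion available)."""
			return dn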

# Module-wide UCR view, loaded once at import time (presumably used by
# LDAPConnection below; its body is not visible here).
baseConfig = ConfigRegistry()
baseConfig.load()

def get_rdn(dn):
	"""Return the leading RDN of *dn*: everything before the first comma.

	*dn* is returned unchanged when it contains no comma.  NOTE(review): the
	split is purely textual; a comma escaped inside an attribute value is not
	recognised as such.
	"""
	rdn, _sep, _rest = dn.partition(',')
	return rdn

def get_parent_dn(dn):
	"""Return the part of *dn* after its first comma, or None if there is none.

	NOTE(review): purely textual split; a comma escaped inside an attribute
	value is not recognised as such.
	"""
	_rdn, sep, parent = dn.partition(',')
	if not sep:
		return None
	return parent

class LDAPConnection(object):