def __init__(self, userdn=None, password=None, host='localhost', base=None, start_tls=2, access=None, format=True):
    """Set up the admin-module wrapper: load UCR, fix the LDAP base and open (or adopt) an LDAP connection.

    Args:
        userdn: bind DN handed to ``ua_ldap.access`` as ``binddn`` (ignored when *access* is given).
        password: bind password for that DN (ignored when *access* is given).
        host: LDAP host for the new connection and for ``ua_config.config``.
        base: LDAP search base; falls back to UCR ``ldap/base`` when empty.
        start_tls: passed through to ``ua_ldap.access``; the default 2 presumably means
            STARTTLS is required -- confirm against univention.uldap.
        access: an already-open connection object to reuse instead of binding anew.
        format: stored as ``self._format``; its use is not visible here.
    """
    self._cached = {}
    self._modules = {}
    self._policies = {}
    self._format = format
    self.__reverse = {}
    self._bc = ub.baseConfig()
    self._bc.load()
    # an empty/None base means "use the domain base from UCR"
    self._base = base or self._bc['ldap/base']
    self._position = ua_ldap.position(self._base)
    # only bind ourselves when the caller did not hand in a live connection
    self._access = access or ua_ldap.access(
        host=host, base=self._base, binddn=userdn, bindpw=password, start_tls=start_tls)
    ua_modules.update()
    self._config = ua_config.config(host=host)
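def postrun():
    """Flush nscd's group cache once the listener has finished a batch of changes.

    Runs ``nscd -i group`` only when UCR ``nscd/group/invalidate_cache_on_changes``
    is true and ``nss/group/cachefile`` is false.  Root is acquired with
    ``listener.setuid(0)`` for the call only and is always dropped again, even when
    the error path itself fails.
    """
    baseConfig = univention_baseconfig.baseConfig()
    baseConfig.load()
    if not (baseConfig.is_true('nscd/group/invalidate_cache_on_changes', False)
            and baseConfig.is_false('nss/group/cachefile', True)):
        return
    listener.setuid(0)
    try:
        univention.debug.debug(univention.debug.LISTENER, univention.debug.INFO, "calling 'nscd -i group'")
        listener.run('/usr/sbin/nscd', ['nscd', '-i', 'group'], uid=0)
    except Exception:
        # a failed cache flush must not take the listener down; Exception instead of
        # a bare except so SystemExit/KeyboardInterrupt still propagate
        univention.debug.debug(univention.debug.LISTENER, univention.debug.ERROR, "nscd -i group was not successfull")
    finally:
        # privilege drop is unconditional: previously it was skipped if logging the error raised
        listener.unsetuid()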
def __init__( self, userdn = None, password = None, host = 'localhost', base = None, start_tls = 2, access = None, format = True ):
    """Initialise the module wrapper: read UCR, resolve the LDAP base and obtain an LDAP connection.

    Args:
        userdn: DN used as ``binddn`` when a fresh connection has to be opened.
        password: matching bind password.
        host: LDAP host, also handed to ``ua_config.config``.
        base: search base; UCR ``ldap/base`` is used when this is empty.
        start_tls: forwarded unchanged to ``ua_ldap.access`` (2 is presumably "required";
            check univention.uldap).
        access: existing connection to adopt; when set, no new bind is performed.
        format: kept in ``self._format``; not interpreted in this method.
    """
    self._cached = {}
    self._modules = {}
    self._policies = {}
    self.__reverse = {}
    self._format = format
    self._bc = ub.baseConfig()
    self._bc.load()
    if base:
        self._base = base
    else:
        # no explicit base: take the domain base from UCR
        self._base = self._bc[ 'ldap/base' ]
    self._position = ua_ldap.position( self._base )
    if not access:
        # bind with the supplied credentials
        access = ua_ldap.access( host = host, base = self._base, binddn = userdn, bindpw = password, start_tls = start_tls )
    self._access = access
    ua_modules.update()
    self._config = ua_config.config( host = host )
# but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public # License with the Debian GNU/Linux or Univention distribution in file # /usr/share/common-licenses/AGPL-3; if not, see # <http://www.gnu.org/licenses/>. __package__ = '' # workaround for PEP 366 import listener import os, time, ldap, univention.uldap, sys, string, grp import univention_baseconfig import univention.debug baseConfig = univention_baseconfig.baseConfig() baseConfig.load() group_name = baseConfig['local-user-sync/group'] if not group_name: group_name = 'admin' if baseConfig.has_key( 'local-user-sync/program') and baseConfig['local-user-sync/program']: external_program = baseConfig['local-user-sync/program'] use_passwd_file = 1 if baseConfig.has_key( 'local-user-sync/passwd') and baseConfig['local-user-sync/passwd']: if baseConfig['local-user-sync/passwd'] in [ "TRUE", "True", "true", "1", "YES", "Yes", "yes" ]:
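def connect():
    """Run the S4 connector daemon: check UCR, connect both directories and poll until LDAP goes away.

    Required UCR keys are ``<CONFIGBASENAME>/s4/ldap/{host,port,base}`` and
    ``<CONFIGBASENAME>/s4/listener/dir``; ``ldap/certificate`` may only be missing
    when ``ldap/ssl`` is ``no``.  A missing key is written to STATUSLOGFILE and the
    process exits with status 1.  The bind password is read from the file named by
    ``ldap/bindpw`` (if that file exists), never from UCR directly.  ``sys.stdout``
    is redirected to STATUSLOGFILE, which is rewritten on every poll cycle; the
    function returns once an LDAP server becomes unreachable during polling.
    """
    daemon()
    f = open(STATUSLOGFILE, 'w+')
    sys.stdout = f
    print(time.ctime())

    baseConfig = univention_baseconfig.baseConfig()
    baseConfig.load()

    def ucr(name):
        # full UCR variable name below this connector's prefix
        return '%s/s4/%s' % (CONFIGBASENAME, name)

    def require(name):
        # abort with status 1 when a mandatory UCR variable is unset
        if not baseConfig.has_key(ucr(name)):
            print('%s not set' % ucr(name))
            f.close()
            sys.exit(1)

    require('ldap/host')
    require('ldap/port')
    require('ldap/base')
    # the CA certificate is mandatory unless TLS has been switched off explicitly
    if not baseConfig.has_key(ucr('ldap/certificate')) and baseConfig.get(ucr('ldap/ssl')) != 'no':
        print('%s not set' % ucr('ldap/certificate'))
        f.close()
        sys.exit(1)
    require('listener/dir')

    # Idle poll cycles between attempts to re-sync rejected objects.  Parsed to int so
    # the comparison in the main loop also works with the built-in default: the UCR
    # value is a string, and str(counter) == 10 could never be true.
    try:
        baseconfig_retry_rejected = int(baseConfig.get(ucr('retryrejected'), 10))
    except ValueError:
        baseconfig_retry_rejected = 10

    # bind password comes from a file; strip exactly one trailing newline and
    # tolerate an empty file (indexing [-1] raised IndexError on it)
    s4_ldap_bindpw = None
    bindpw_path = baseConfig.get(ucr('ldap/bindpw'))
    if bindpw_path and os.path.exists(bindpw_path):
        with open(bindpw_path) as bindpw_file:
            s4_ldap_bindpw = bindpw_file.read()
        if s4_ldap_bindpw.endswith('\n'):
            s4_ldap_bindpw = s4_ldap_bindpw[:-1]

    poll_sleep = int(baseConfig[ucr('poll/sleep')])

    # constructing the connector opens LDAP connections; retry while the server is down
    s4 = None
    while s4 is None:
        try:
            s4 = univention.s4connector.s4.s4(
                CONFIGBASENAME, mapping.s4_mapping, baseConfig,
                baseConfig[ucr('ldap/host')],
                baseConfig[ucr('ldap/port')],
                baseConfig[ucr('ldap/base')],
                baseConfig.get(ucr('ldap/binddn'), None),
                s4_ldap_bindpw,
                # None only when ldap/ssl is 'no' (see check above); plain indexing raised KeyError here
                baseConfig.get(ucr('ldap/certificate')),
                baseConfig[ucr('listener/dir')])
        except ldap.SERVER_DOWN:
            print("Warning: Can't initialize LDAP-Connections, wait...")
            sys.stdout.flush()
            time.sleep(poll_sleep)

    # initialise the UCS side first, then the S4 side; each step is retried while LDAP is down
    for init_step in (s4.initialize_ucs, s4.initialize):
        while True:
            try:
                init_step()
                break
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during ucs-poll, sync not possible.")
                sys.stdout.flush()
                time.sleep(poll_sleep)
                s4.open_s4()
                s4.open_ucs()
    f.close()

    retry_rejected = 0
    connected = True
    while connected:
        f = open(STATUSLOGFILE, 'w+')
        sys.stdout = f
        print(time.ctime())

        # poll both directions until one full round reports no change
        # NOTE(review): the listing was collapsed onto one line; the rejected-object
        # retry block is placed inside the inner loop, where the change_counter
        # check is meaningful -- confirm against the original indentation.
        change_counter = 1
        while change_counter != 0:
            sys.stdout.flush()
            try:
                change_counter = s4.poll_ucs()
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during ucs-poll, sync not possible.")
                connected = False
                sys.stdout.flush()
                change_counter = 0
            try:
                change_counter += s4.poll()
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during s4-poll, sync not possible.")
                connected = False
                sys.stdout.flush()
                change_counter = 0
            if change_counter > 0:
                # activity resets the idle counter that drives the re-sync
                retry_rejected = 0
            try:
                if retry_rejected == baseconfig_retry_rejected:
                    s4.resync_rejected_ucs()
                    s4.resync_rejected()
                    retry_rejected = 0
                else:
                    retry_rejected += 1
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during resync rejected, sync not possible.")
                connected = False
                sys.stdout.flush()
                change_counter = 0
                retry_rejected += 1

        print('- sleep %s seconds (%s/%s until resync) -' % (poll_sleep, retry_rejected, baseconfig_retry_rejected))
        sys.stdout.flush()
        time.sleep(poll_sleep)
        f.close()

    s4.close_debug()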
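def connect():
    """S4 connector main loop: validate UCR, build the connector, poll UCS and S4 until LDAP drops.

    Exits with status 1 (message in STATUSLOGFILE) when one of
    ``<CONFIGBASENAME>/s4/ldap/{host,port,base}`` or ``<CONFIGBASENAME>/s4/listener/dir``
    is unset, or when ``ldap/certificate`` is unset while ``ldap/ssl`` is not ``no``.
    The bind password is read from the file named by ``ldap/bindpw`` when it exists.
    ``sys.stdout`` stays redirected to STATUSLOGFILE for the lifetime of the daemon.
    Returns after an LDAP server became unreachable during a poll.
    """
    daemon()
    f = open(STATUSLOGFILE, 'w+')
    sys.stdout = f
    print(time.ctime())

    baseConfig = univention_baseconfig.baseConfig()
    baseConfig.load()

    def key_of(name):
        # UCR variable name under the connector prefix
        return '%s/s4/%s' % (CONFIGBASENAME, name)

    def abort_missing(name):
        # report the unset variable and leave with status 1
        print('%s not set' % key_of(name))
        f.close()
        sys.exit(1)

    for required in ('ldap/host', 'ldap/port', 'ldap/base'):
        if not baseConfig.has_key(key_of(required)):
            abort_missing(required)
    # certificate is optional only with an explicit ldap/ssl=no
    tls_disabled = baseConfig.get(key_of('ldap/ssl')) == 'no'
    if not baseConfig.has_key(key_of('ldap/certificate')) and not tls_disabled:
        abort_missing('ldap/certificate')
    if not baseConfig.has_key(key_of('listener/dir')):
        abort_missing('listener/dir')

    # Idle cycles between re-sync attempts for rejected objects, as an int.  The old
    # code compared str(counter) with this value, which never matched the int
    # default of 10, so with the default the re-sync never ran.
    try:
        baseconfig_retry_rejected = int(baseConfig.get(key_of('retryrejected'), 10))
    except ValueError:
        baseconfig_retry_rejected = 10

    # password file: close it again, strip one trailing newline, survive an empty file
    s4_ldap_bindpw = None
    bindpw_path = baseConfig.get(key_of('ldap/bindpw'))
    if bindpw_path and os.path.exists(bindpw_path):
        with open(bindpw_path) as bindpw_file:
            s4_ldap_bindpw = bindpw_file.read()
        if s4_ldap_bindpw.endswith('\n'):
            s4_ldap_bindpw = s4_ldap_bindpw[:-1]

    poll_sleep = int(baseConfig[key_of('poll/sleep')])

    # the constructor opens LDAP connections; keep retrying until the server answers
    s4 = None
    while s4 is None:
        try:
            s4 = univention.s4connector.s4.s4(
                CONFIGBASENAME, mapping.s4_mapping, baseConfig,
                baseConfig[key_of('ldap/host')],
                baseConfig[key_of('ldap/port')],
                baseConfig[key_of('ldap/base')],
                baseConfig.get(key_of('ldap/binddn'), None),
                s4_ldap_bindpw,
                # may be None only when tls_disabled; indexing raised KeyError in that case
                baseConfig.get(key_of('ldap/certificate')),
                baseConfig[key_of('listener/dir')])
        except ldap.SERVER_DOWN:
            print("Warning: Can't initialize LDAP-Connections, wait...")
            sys.stdout.flush()
            time.sleep(poll_sleep)

    def retry_until_up(step):
        # run one initialisation step, reopening both sides after each SERVER_DOWN
        while True:
            try:
                step()
                return
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during ucs-poll, sync not possible.")
                sys.stdout.flush()
                time.sleep(poll_sleep)
                s4.open_s4()
                s4.open_ucs()

    # UCS side first, then the S4 side
    retry_until_up(s4.initialize_ucs)
    retry_until_up(s4.initialize)
    f.close()

    retry_rejected = 0
    connected = True
    while connected:
        f = open(STATUSLOGFILE, 'w+')
        sys.stdout = f
        print(time.ctime())

        # NOTE(review): indentation was lost in the listing; the re-sync block is
        # placed inside the inner poll loop, where the change_counter check makes
        # sense -- confirm against the original source.
        change_counter = 1
        while change_counter != 0:
            sys.stdout.flush()
            try:
                change_counter = s4.poll_ucs()
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during ucs-poll, sync not possible.")
                connected = False
                sys.stdout.flush()
                change_counter = 0
            try:
                change_counter += s4.poll()
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during s4-poll, sync not possible.")
                connected = False
                sys.stdout.flush()
                change_counter = 0
            if change_counter > 0:
                # any change restarts the idle count towards the next re-sync
                retry_rejected = 0
            try:
                if retry_rejected == baseconfig_retry_rejected:
                    s4.resync_rejected_ucs()
                    s4.resync_rejected()
                    retry_rejected = 0
                else:
                    retry_rejected += 1
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during resync rejected, sync not possible.")
                connected = False
                sys.stdout.flush()
                change_counter = 0
                retry_rejected += 1

        print('- sleep %s seconds (%s/%s until resync) -' % (
            poll_sleep, retry_rejected, baseconfig_retry_rejected))
        sys.stdout.flush()
        time.sleep(poll_sleep)
        f.close()

    s4.close_debug()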
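def connect():
    """AD connector main loop: validate UCR, prepare the CA bundle, build the connector and poll.

    Required UCR keys: ``<CONFIGBASENAME>/ad/ldap/{host,port,base,binddn,bindpw}`` and
    ``<CONFIGBASENAME>/ad/listener/dir``; ``ldap/certificate`` may only be missing when
    ``ldap/ssl`` is ``no``.  A missing key is reported to STATUSLOGFILE and the process
    exits with status 1.  When ``ldap/ssl`` (default true) or ``ldap/ldaps`` is enabled
    the UCS CA and the AD CA are merged into one bundle and handed to python-ldap as
    ``OPT_X_TLS_CACERTFILE``.  The bind password is read from the file named by
    ``ldap/bindpw``.  ``sys.stdout`` is redirected to STATUSLOGFILE; the function returns
    after an LDAP server became unreachable during a poll.
    """
    daemon()
    f = open(STATUSLOGFILE, "w+")
    sys.stdout = f
    print(time.ctime())

    baseConfig = univention_baseconfig.baseConfig()
    baseConfig.load()

    def ucr(name):
        # full UCR variable name below this connector's prefix
        return "%s/ad/%s" % (CONFIGBASENAME, name)

    def require(name):
        # abort with status 1 when a mandatory UCR variable is unset
        if not baseConfig.has_key(ucr(name)):
            print("%s not set" % ucr(name))
            f.close()
            sys.exit(1)

    require("ldap/host")
    require("ldap/port")
    require("ldap/base")
    require("ldap/binddn")
    require("ldap/bindpw")
    # the AD CA certificate is mandatory unless TLS has been switched off explicitly
    if not baseConfig.has_key(ucr("ldap/certificate")) and baseConfig.get(ucr("ldap/ssl")) != "no":
        print("%s not set" % ucr("ldap/certificate"))
        f.close()
        sys.exit(1)

    if baseConfig.is_true(ucr("ldap/ssl"), True) or baseConfig.is_true(ucr("ldap/ldaps"), False):
        # python-ldap accepts a single CA file, so the UCS CA and the AD CA are
        # concatenated into one bundle (Bug #17768,
        # https://forge.univention.org/bugzilla/show_bug.cgi?id=17768).  This bundle
        # is what the AD connection will trust, so its directory must not be
        # writable by unprivileged users.  Files are closed on every path now.
        new_ca_filename = "/var/cache/univention-ad-connector/CAcert-%s.pem" % CONFIGBASENAME
        with open(new_ca_filename, "w") as new_ca:
            for ca_path in ("/etc/univention/ssl/ucsCA/CAcert.pem", baseConfig[ucr("ldap/certificate")]):
                with open(ca_path, "r") as ca:
                    new_ca.write(ca.read())
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, new_ca_filename)

    require("listener/dir")

    # Idle poll cycles between re-sync attempts for rejected objects.  Parsed to int so
    # the comparison in the main loop also works with the built-in default: the UCR
    # value is a string and str(counter) == 10 could never be true.
    try:
        baseconfig_retry_rejected = int(baseConfig.get(ucr("retryrejected"), 10))
    except ValueError:
        baseconfig_retry_rejected = 10

    # bind password from file: close the handle, strip one trailing newline,
    # and do not crash on an empty file (indexing [-1] raised IndexError)
    with open(baseConfig[ucr("ldap/bindpw")]) as bindpw_file:
        ad_ldap_bindpw = bindpw_file.read()
    if ad_ldap_bindpw.endswith("\n"):
        ad_ldap_bindpw = ad_ldap_bindpw[:-1]

    poll_sleep = int(baseConfig[ucr("ldap/poll/sleep")] if False else baseConfig[ucr("poll/sleep")])

    # constructing the connector opens LDAP connections; retry while the server is down
    ad = None
    while ad is None:
        try:
            ad = univention.connector.ad.ad(
                CONFIGBASENAME,
                mapping.ad_mapping,
                baseConfig,
                baseConfig[ucr("ldap/host")],
                baseConfig[ucr("ldap/port")],
                baseConfig[ucr("ldap/base")],
                baseConfig[ucr("ldap/binddn")],
                ad_ldap_bindpw,
                # None only when ldap/ssl is "no" (see check above); indexing raised KeyError here
                baseConfig.get(ucr("ldap/certificate")),
                baseConfig[ucr("listener/dir")],
            )
        except ldap.SERVER_DOWN:
            print("Warning: Can't initialize LDAP-Connections, wait...")
            sys.stdout.flush()
            time.sleep(poll_sleep)

    # initialise the UCS side first, then the AD side; each step is retried while LDAP is down
    for init_step in (ad.initialize_ucs, ad.initialize):
        while True:
            try:
                init_step()
                break
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during ucs-poll, sync not possible.")
                sys.stdout.flush()
                time.sleep(poll_sleep)
                ad.open_ad()
                ad.open_ucs()
    f.close()

    retry_rejected = 0
    connected = True
    while connected:
        f = open(STATUSLOGFILE, "w+")
        sys.stdout = f
        print(time.ctime())

        # poll both directions until one full round reports no change
        # NOTE(review): the listing was collapsed onto one line; the rejected-object
        # retry block is placed inside the inner loop, where the change_counter
        # check is meaningful -- confirm against the original indentation.
        change_counter = 1
        while change_counter != 0:
            sys.stdout.flush()
            try:
                change_counter = ad.poll_ucs()
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during ucs-poll, sync not possible.")
                connected = False
                sys.stdout.flush()
                change_counter = 0
            try:
                change_counter += ad.poll()
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during ad-poll, sync not possible.")
                connected = False
                sys.stdout.flush()
                change_counter = 0
            if change_counter > 0:
                # activity resets the idle counter that drives the re-sync
                retry_rejected = 0
            try:
                if retry_rejected == baseconfig_retry_rejected:
                    ad.resync_rejected_ucs()
                    ad.resync_rejected()
                    retry_rejected = 0
                else:
                    retry_rejected += 1
            except ldap.SERVER_DOWN:
                print("Can't contact LDAP server during resync rejected, sync not possible.")
                connected = False
                sys.stdout.flush()
                change_counter = 0
                retry_rejected += 1

        print("- sleep %s seconds (%s/%s until resync) -" % (poll_sleep, retry_rejected, baseconfig_retry_rejected))
        sys.stdout.flush()
        time.sleep(poll_sleep)
        f.close()

    ad.close_debug()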
# but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public # License with the Debian GNU/Linux or Univention distribution in file # /usr/share/common-licenses/AGPL-3; if not, see # <http://www.gnu.org/licenses/>. __package__='' # workaround for PEP 366 import listener import os, time, ldap, univention.uldap, sys, string, grp import univention_baseconfig import univention.debug baseConfig=univention_baseconfig.baseConfig() baseConfig.load() group_name=baseConfig['local-user-sync/group'] if not group_name: group_name='admin' if baseConfig.has_key('local-user-sync/program') and baseConfig['local-user-sync/program']: external_program=baseConfig['local-user-sync/program'] use_passwd_file=1 if baseConfig.has_key('local-user-sync/passwd') and baseConfig['local-user-sync/passwd']: if baseConfig['local-user-sync/passwd'] in ["TRUE", "True", "true", "1", "YES", "Yes", "yes"]: use_passwd_file=1 else: use_passwd_file=0 FIRST_LDAP_UID=1000