def handler(dn, new, old, cmd):
ud.debug(ud.LISTENER, ud.INFO, '2 master2 handler')
if cmd == 'n':
return
name = new.get('cn', [None])[0]
port = new.get('univentionOpenvpnPort', [None])[0]
addr = new.get('univentionOpenvpnAddress', [None])[0]
if not name or not port or not addr:
return
listener.setuid(0)
lo = ul.getMachineConnection()
vpnusers = lo.search('(univentionOpenvpnAccount=1)')
if not univention_openvpn_common.check_user_count(2):
return # do nothing
for user in vpnusers:
uid = user[1].get('uid', [None])[0]
home = user[1].get('homeDirectory', ['/dev/null'])[0]
ud.debug(ud.LISTENER, ud.INFO, '2 Create new certificate for %s in %s' % (uid, home))
proto = 'udp6' if addr and addr.count(':') else 'udp'
if uid and home:
# update bundle for this openvpn server with new config
try:
listener.run('/usr/lib/openvpn-int/create-bundle', ['create-bundle', 'no', uid, home, name, addr, port, proto], uid=0)
finally:
listener.unsetuid()
listener.unsetuid()
def handler(dn, new, old, command):
ud.debug(ud.LISTENER, ud.INFO, '3 server handler')
global action
if command == 'n':
action = None
return
if 'univentionOpenvpnActive' in new:
action = 'restart'
else:
action = 'stop'
cn = new.get('cn', [None])[0]
myname = listener.baseConfig['hostname']
if cn != myname:
action = None
return
if not univention_openvpn_common.check_user_count(3):
listener.unsetuid()
if action == 'stop':
ud.debug(ud.LISTENER, ud.INFO, '3 Allowing stop action')
else:
action = None
return # do nothing
#### UCS 3 ('Borgfeld') uses openvpn 2.1 - no explicit ip6 support, later version are ok
relnam = listener.baseConfig.get('version/releasename')
ip6ok = relnam and relnam != 'Borgfeld'
if not ip6ok:
ud.debug(ud.LISTENER, ud.INFO, '3 IPv6 support DISABLED due to version')
cnaddr = new.get('univentionOpenvpnAddress', [None])[0]
ip6conn = True if cnaddr and cnaddr.count(':') else False
# activate config
if not 'univentionOpenvpnActive' in old and os.path.exists(fn_serverconf + '-disabled'):
listener.setuid(0)
try:
os.rename (fn_serverconf + '-disabled', fn_serverconf)
except Exception, e:
listener.unsetuid()
ud.debug(ud.LISTENER, ud.ERROR, '3 Failed to activate server config: %s' % str(e))
return
listener.unsetuid()
def handler(dn, new, old, cmd):
ud.debug(ud.LISTENER, ud.INFO, '1 master handler')
if cmd == 'n':
return
uid = new.get('uid', [None])[0]
uid_old = old.get('uid', [None])[0]
home = new.get('homeDirectory', ['/dev/null'])[0]
home_old = old.get('homeDirectory', ['/dev/null'])[0]
trigger = new.get('univentionOpenvpnAccount', '0')[0] == '1'
trigger_old = old.get('univentionOpenvpnAccount', '0')[0] == '1'
flags = new.get('sambaAcctFlags', [None])[0]
flags_old = old.get('sambaAcctFlags', [None])[0]
if flags and ('L' in flags or not 'U' in flags):
locked = True
else:
locked = False
if flags_old and ('L' in flags_old or not 'U' in flags_old):
locked_old = True
else:
locked_old = False
listener.setuid(0)
lo = ul.getMachineConnection()
servers = lo.search('(univentionOpenvpnActive=1)')
if not univention_openvpn_common.check_user_count(1):
listener.unsetuid()
return # do nothing
if (trigger and not trigger_old and uid and home and not locked) or (locked_old and not locked and uid and home and trigger):
ud.debug(ud.LISTENER, ud.INFO, '1 Create new certificate for %s in %s' % (uid, home))
# create a bundle for each openvpn server
for server in servers:
name = server[1].get('cn', [None])[0]
port = server[1].get('univentionOpenvpnPort', [None])[0]
addr = server[1].get('univentionOpenvpnAddress', [None])[0]
proto = 'udp6' if addr and addr.count(':') else 'udp'
if not name or not port or not addr:
continue
try:
listener.run('/usr/lib/openvpn-int/create-bundle', ['create-bundle', 'yes', uid, home, name, addr, port, proto], uid=0)
finally:
listener.unsetuid()
if (trigger_old and not trigger and uid_old and home_old) or (cmd == 'd' and uid_old and home_old) or (not locked_old and locked and uid_old and home_old):
ud.debug(ud.LISTENER, ud.INFO, '1 Revoke certificate for %s' % (uid_old))
listener.setuid(0)
try:
listener.run('/usr/sbin/univention-certificate', ['univention-certificate', 'revoke', '-name', uid_old + '.openvpn'], uid=0)
finally:
listener.unsetuid()
# remove bundle for each openvpn server
for server in servers:
name = server[1].get('cn', [None])[0]
if not name:
continue
try:
listener.run('/usr/lib/openvpn-int/remove-bundle', ['remove-bundle', uid_old, home_old, name], uid=0)
finally:
listener.unsetuid()
listener.unsetuid()
