diff -Nur univention-ad-connector-password-read.orig/connectorpwdread.init.sh univention-ad-connector-password-read/connectorpwdread.init.sh
--- univention-ad-connector-password-read.orig/connectorpwdread.init.sh 1970-01-01 01:00:00.000000000 +0100
+++ univention-ad-connector-password-read/connectorpwdread.init.sh 2011-06-08 10:21:53.000000000 +0200
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+eval "$(univention-config-registry shell)"
+
+CONFIGBASENAME="connectorpwdread"
+
+univention-config-registry set "$CONFIGBASENAME"/ad/autostart?"$connector_ad_autostart" \
+ "$CONFIGBASENAME"/ad/ldap/base?"$connector_ad_ldap_base" \
+ "$CONFIGBASENAME"/ad/ldap/binddn?"$connector_ad_ldap_binddn" \
+ "$CONFIGBASENAME"/ad/ldap/bindpw?"$connector_ad_ldap_bindpw" \
+ "$CONFIGBASENAME"/ad/ldap/certificate?"$connector_ad_ldap_certificate" \
+ "$CONFIGBASENAME"/ad/ldap/host?"$connector_ad_ldap_host" \
+ "$CONFIGBASENAME"/ad/mapping/kerberosdomain?"$connector_ad_mapping_kerberosdomain" \
+ "$CONFIGBASENAME"/ad/mapping/language?"$connector_ad_mapping_language" \
+ "$CONFIGBASENAME"/ad/ldap/port?"$connector_ad_ldap_port" \
+ "$CONFIGBASENAME"/ad/ldap/ssl?"$connector_ad_ldap_ssl" \
+ "$CONFIGBASENAME"/ad/listener/dir?"/var/lib/univention-$CONFIGBASENAME/ad" \
+ "$CONFIGBASENAME"/ad/mapping/group/language?"$connector_ad_mapping_group_language" \
+ "$CONFIGBASENAME"/ad/mapping/group/primarymail?"$connector_ad_mapping_group_primarymail" \
+ "$CONFIGBASENAME"/ad/mapping/group/win2000/description?false \
+ "$CONFIGBASENAME"/ad/mapping/syncmode?read \
+ "$CONFIGBASENAME"/ad/mapping/user/primarymail?false \
+ "$CONFIGBASENAME"/ad/mapping/user/win2000/description?false \
+ "$CONFIGBASENAME"/ad/poll/sleep?5 \
+ "$CONFIGBASENAME"/ad/retryrejected?10 \
+ "$CONFIGBASENAME"/debug/function?0 \
+ "$CONFIGBASENAME"/debug/level?1 \
+ "$CONFIGBASENAME"/password/service/encoding?iso8859-15
+
+mkdir -p /etc/univention/"$CONFIGBASENAME"/ad
+cp -a /etc/univention/connector/ad/mapping /etc/univention/"$CONFIGBASENAME"/ad/
+sed -i "s|@%@connector/ad/|@%@$CONFIGBASENAME/ad/|g;s|'connector/ad/|'$CONFIGBASENAME/ad/|g" /etc/univention/"$CONFIGBASENAME"/ad/mapping
+
+exit 0
diff -Nur univention-ad-connector-password-read.orig/debian/changelog univention-ad-connector-password-read/debian/changelog
--- univention-ad-connector-password-read.orig/debian/changelog 1970-01-01
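Review bot: `cp -a /etc/univention/connector/ad/mapping /etc/univention/"$CONFIGBASENAME"/ad/` near the end of the hunk overwrites an already existing mapping file unconditionally, whereas the identical block in debian/univention-ad-connector-password-read.postinst in this commit is guarded by `[ ! -e /etc/univention/"$CONFIGBASENAME" ]`; running this script a second time silently discards any local edits to the copied mapping and re-applies the `sed -i` rewrite. Add the same guard here, e.g. `if [ ! -e /etc/univention/"$CONFIGBASENAME"/ad/mapping ]; then … fi` around the mkdir/cp/sed lines, or move the shared block into one helper that both scripts source so the two copies cannot drift. The `univention-config-registry set key?value` part is already idempotent, since the `?` form only sets keys that are still unset.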
01:00:00.000000000 +0100 +++ univention-ad-connector-password-read/debian/changelog 2011-04-01 16:19:10.000000000 +0200 
@@ -0,0 +1,52 @@ +univention-ad-connector-password-read (1.0.5-2) unstable; urgency=low + + * Fixed typo (Ticket #2011032410000222) + + -- Stefan Gohmann Fri, 01 Apr 2011 16:19:10 +0200 + +univention-ad-connector-password-read (1.0.5-1) unstable; urgency=low + + * Re-initialize the ldap connection to UCS because in some customer + environments (write mode) the AD connector is modified to connect + against the ldap/server/name instead of ldap/master + (Ticket #2011032410000222) + + -- Stefan Gohmann Fri, 01 Apr 2011 16:04:32 +0200 + +univention-ad-connector-password-read (1.0.4-1) unstable; urgency=low + + * Replace all ucr variables in the new mapping file + (Ticket #2011032410000222) + + -- Stefan Gohmann Thu, 31 Mar 2011 14:45:47 +0200 + +univention-ad-connector-password-read (1.0.3-1) unstable; urgency=low + + * Fixed typo in postinst for connector_ad_mapping_group_language + (Ticket #2011032410000222) + + -- Stefan Gohmann Wed, 30 Mar 2011 19:58:17 +0200 + +univention-ad-connector-password-read (1.0.2-1) unstable; urgency=low + + * Fixed excepetion error (Ticket #2011032410000222) + * Sleep for poll_sleep interval if the AD server is not available + (Ticket #2011032410000222) + + -- Stefan Gohmann Wed, 30 Mar 2011 11:08:12 +0200 + +univention-ad-connector-password-read (1.0.1-1) unstable; urgency=low + + * Removed unused debug code + * Added an exception handling if the user does not exist in UCS, this + is possible because the AD connector is normally in write mode + (Ticket #2011032410000222) + + -- Stefan Gohmann Wed, 30 Mar 2011 07:46:43 +0200 + +univention-ad-connector-password-read (1.0.0-1) unstable; urgency=low + + * Initial Release (Ticket #2011032410000222) + + -- Stefan Gohmann Tue, 29 Mar 2011 06:43:39 +0200 + diff -Nur univention-ad-connector-password-read.orig/debian/compat univention-ad-connector-password-read/debian/compat --- univention-ad-connector-password-read.orig/debian/compat 1970-01-01 01:00:00.000000000 +0100 +++ 
univention-ad-connector-password-read/debian/compat 2011-03-29 06:43:15.000000000 +0200 @@ -0,0 +1 @@ +7 diff -Nur univention-ad-connector-password-read.orig/debian/control univention-ad-connector-password-read/debian/control --- univention-ad-connector-password-read.orig/debian/control 1970-01-01 01:00:00.000000000 +0100 +++ univention-ad-connector-password-read/debian/control 2011-03-29 07:09:55.000000000 +0200 @@ -0,0 +1,22 @@ +Source: univention-ad-connector-password-read +Section: univention +Priority: optional +Maintainer: Univention GmbH +Standards-Version: 3.5.5 +Build-Depends: debhelper (>> 7), univention-config-dev + +Package: univention-ad-connector-password-read +Architecture: all +Depends: univention-directory-manager-tools, + univention-ad-connector, + ${misc:Depends} +Description: Synchronize password only from AD to UCS + This package contains a daemon wich synchronize the password from AD to + UCS. This is useful if the ad connector is configured in write mode (UCS + -> AD) and only the password must be synchronized back from AD to UCS. + This package requires a configured AD connector. + This package is part of Univention Corporate Server (UCS), an + integrated, directory driven solution for managing corporate + environments. For more information about UCS, refer to: + http://www.univention.de/ + diff -Nur univention-ad-connector-password-read.orig/debian/copyright univention-ad-connector-password-read/debian/copyright --- univention-ad-connector-password-read.orig/debian/copyright 1970-01-01 01:00:00.000000000 +0100 +++ univention-ad-connector-password-read/debian/copyright 2011-03-29 06:43:15.000000000 +0200 
@@ -0,0 +1,28 @@ +Copyright 2010-2011 Univention GmbH + +http://www.univention.de/ + +All rights reserved. + +The source code of the software contained in this package +as well as the source package itself are made available +under the terms of the GNU Affero General Public License version 3 +(GNU AGPL V3) as published by the Free Software Foundation. + +Binary versions of this package provided by Univention to you as +well as other copyrighted, protected or trademarked materials like +Logos, graphics, fonts, specific documentations and configurations, +cryptographic keys etc. are subject to a license agreement between +you and Univention and not subject to the GNU AGPL V3. + +In the case you use the software under the terms of the GNU AGPL V3, +the program is provided in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public +License with the Debian GNU/Linux or Univention distribution in file +/usr/share/common-licenses/AGPL-3; if not, see +. + diff -Nur univention-ad-connector-password-read.orig/debian/rules univention-ad-connector-password-read/debian/rules --- univention-ad-connector-password-read.orig/debian/rules 1970-01-01 01:00:00.000000000 +0100 +++ univention-ad-connector-password-read/debian/rules 2011-03-30 07:37:10.000000000 +0200 
@@ -0,0 +1,42 @@
+#!/usr/bin/make -f
+#
+# univention-ad-connector-password-read
+# debhelper script for the debian package
+#
+# Copyright 2010-2011 Univention GmbH
+#
+# http://www.univention.de/
+#
+# All rights reserved.
+#
+# The source code of this program is made available
+# under the terms of the GNU Affero General Public License version 3
+# (GNU AGPL V3) as published by the Free Software Foundation.
+#
+# Binary versions of this program provided by Univention to you as
+# well as other copyrighted, protected or trademarked materials like
+# Logos, graphics, fonts, specific documentations and configurations,
+# cryptographic keys etc. are subject to a license agreement between
+# you and Univention and not subject to the GNU AGPL V3.
+#
+# In the case you use this program under the terms of the GNU AGPL V3,
+# the program is provided in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License with the Debian GNU/Linux or Univention distribution in file
+# /usr/share/common-licenses/AGPL-3; if not, see
+# .
+
+override_dh_auto_install:
+ univention-install-config-registry
+ dh_auto_install
+
+override_dh_auto_build:
+ dh_auto_build
+%:
+ dh $@
+
+
diff -Nur univention-ad-connector-password-read.orig/debian/univention-ad-connector-password-read.init univention-ad-connector-password-read/debian/univention-ad-connector-password-read.init
--- univention-ad-connector-password-read.orig/debian/univention-ad-connector-password-read.init 1970-01-01 01:00:00.000000000 +0100
+++ univention-ad-connector-password-read/debian/univention-ad-connector-password-read.init 2011-03-30 07:35:14.000000000 +0200
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# Univention AD Connector
+# init script of ad connector password read
+#
+# Copyright 2004-2011 Univention GmbH
+#
+# http://www.univention.de/
+#
+# All rights reserved.
+#
+# The source code of this program is made available
+# under the terms of the GNU Affero General Public License version 3
+# (GNU AGPL V3) as published by the Free Software Foundation.
+#
+# Binary versions of this program provided by Univention to you as
+# well as other copyrighted, protected or trademarked materials like
+# Logos, graphics, fonts, specific documentations and configurations,
+# cryptographic keys etc. are subject to a license agreement between
+# you and Univention and not subject to the GNU AGPL V3.
+#
+# In the case you use this program under the terms of the GNU AGPL V3,
+# the program is provided in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License with the Debian GNU/Linux or Univention distribution in file
+# /usr/share/common-licenses/AGPL-3; if not, see
+# .
+
+CONFIGBASENAME="connectorpwdread"
+ADCONNECTORPID="/var/run/univention-ad-$CONFIGBASENAME"
+
+. /lib/lsb/init-functions
+
+case "$1" in
+ start)
+ # check ucr autostart setting
+ if [ -f "/usr/share/univention-config-registry/init-autostart.lib" ]; then
+ source "/usr/share/univention-config-registry/init-autostart.lib"
+ check_autostart ad-$CONFIGBASENAME $CONFIGBASENAME/ad/autostart
+ fi
+ log_action_msg "Starting univention-ad-connector daemon"
+ cat /etc/univention/${CONFIGBASENAME}/ad/mapping | univention-config-registry filter --encode-utf8 >/etc/univention/${CONFIGBASENAME}/ad/mapping.py
+ start-stop-daemon --start --quiet --pidfile "$ADCONNECTORPID" -a /usr/sbin/univention-ad-connector-password-read -- --configbase "$CONFIGBASENAME"
+ log_action_end_msg 0
+ ;;
+ stop)
+ log_action_msg "Stopping univention-ad-connector daemon"
+ start-stop-daemon --stop --retry TERM/300/KILL --quiet --pidfile "$ADCONNECTORPID" -a /usr/sbin/univention-ad-connector-password-read
+ log_action_end_msg 0
+ ;;
+ restart|force-reload)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ crestart)
+ ADCONNECTOR=`cat $ADCONNECTORPID 2>/dev/null`
+ if [ -n "$ADCONNECTOR" ]; then
+ pgrep -s "$ADCONNECTOR" -f "connector-password-read" && $0 restart
+ ps xaw | grep connector-password-read | grep -q "$ADCONNECTOR" >/dev/null && $0 restart
+ fi
+ ;;
+ *)
+ echo "Usage: /etc/init.d/univention-ad-connector {start|stop|restart|crestart|force-reload}"
+ exit 1
+ ;;
+esac
+
+
diff -Nur univention-ad-connector-password-read.orig/debian/univention-ad-connector-password-read.install univention-ad-connector-password-read/debian/univention-ad-connector-password-read.install
--- univention-ad-connector-password-read.orig/debian/univention-ad-connector-password-read.install 1970-01-01 01:00:00.000000000 +0100
+++ univention-ad-connector-password-read/debian/univention-ad-connector-password-read.install 2011-03-29 07:21:52.000000000 +0200
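Review bot: `source "/usr/share/univention-config-registry/init-autostart.lib"` in the start branch is a bash builtin while the script runs under `#!/bin/sh`; if /bin/sh is dash the line fails with `source: not found`, `check_autostart` is then undefined, and because nothing aborts on error the daemon is started regardless of the `connectorpwdread/ad/autostart` setting — the POSIX form `. "/usr/share/univention-config-registry/init-autostart.lib"` (as already used for init-functions two lines earlier) fixes this. In the crestart branch `pgrep -s "$ADCONNECTOR"` selects by session id rather than by pid, and the fallback `ps xaw | grep connector-password-read | grep -q "$ADCONNECTOR"` matches the pid anywhere in the ps line, so both lines can fire (or misfire) for the same process; `kill -0 "$ADCONNECTOR" 2>/dev/null && $0 restart` is the conventional liveness test, and the pidfile read should be quoted, `ADCONNECTOR=$(cat "$ADCONNECTORPID" 2>/dev/null)`. The usage message names `/etc/init.d/univention-ad-connector` rather than this script, and `cat … | univention-config-registry filter` can read the mapping file via `<` instead.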
@@ -0,0 +1 @@
+univention-ad-connector-password-read usr/sbin/
diff -Nur univention-ad-connector-password-read.orig/debian/univention-ad-connector-password-read.postinst univention-ad-connector-password-read/debian/univention-ad-connector-password-read.postinst
--- univention-ad-connector-password-read.orig/debian/univention-ad-connector-password-read.postinst 1970-01-01 01:00:00.000000000 +0100
+++ univention-ad-connector-password-read/debian/univention-ad-connector-password-read.postinst 2011-03-31 14:18:38.000000000 +0200
@@ -0,0 +1,83 @@
+#!/bin/sh
+#
+# Univention AD Connector
+# postinst script of the ad connector package
+#
+# Copyright 2004-2010 Univention GmbH
+#
+# http://www.univention.de/
+#
+# All rights reserved.
+#
+# The source code of this program is made available
+# under the terms of the GNU Affero General Public License version 3
+# (GNU AGPL V3) as published by the Free Software Foundation.
+#
+# Binary versions of this program provided by Univention to you as
+# well as other copyrighted, protected or trademarked materials like
+# Logos, graphics, fonts, specific documentations and configurations,
+# cryptographic keys etc. are subject to a license agreement between
+# you and Univention and not subject to the GNU AGPL V3.
+#
+# In the case you use this program under the terms of the GNU AGPL V3,
+# the program is provided in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License with the Debian GNU/Linux or Univention distribution in file
+# /usr/share/common-licenses/AGPL-3; if not, see
+# .
+
+eval "$(ucr shell)"
+
+CONFIGBASENAME="connectorpwdread"
+
+createLogfile () {
+ if [ ! -e $1 ] ; then
+ touch $1
+ chown $2 $1
+ chmod $3 $1
+ fi
+}
+
+createLogfile "/var/log/univention/${CONFIGBASENAME}.log" "root:adm" 640
+createLogfile "/var/log/univention/${CONFIGBASENAME}-status.log" "root:adm" 640
+
+if [ "$1" = "configure" ] && [ -z "$2" ]; then
+ if [ ! -e /etc/univention/"$CONFIGBASENAME" ]; then
+
+ univention-config-registry set "$CONFIGBASENAME"/ad/autostart?"$connector_ad_autostart" \
+ "$CONFIGBASENAME"/ad/ldap/base?"$connector_ad_ldap_base" \
+ "$CONFIGBASENAME"/ad/ldap/binddn?"$connector_ad_ldap_binddn" \
+ "$CONFIGBASENAME"/ad/ldap/bindpw?"$connector_ad_ldap_bindpw" \
+ "$CONFIGBASENAME"/ad/ldap/certificate?"$connector_ad_ldap_certificate" \
+ "$CONFIGBASENAME"/ad/ldap/host?"$connector_ad_ldap_host" \
+ "$CONFIGBASENAME"/ad/mapping/kerberosdomain?"$connector_ad_mapping_kerberosdomain" \
+ "$CONFIGBASENAME"/ad/mapping/language?"$connector_ad_mapping_language" \
+ "$CONFIGBASENAME"/ad/ldap/port?"$connector_ad_ldap_port" \
+ "$CONFIGBASENAME"/ad/ldap/ssl?"$connector_ad_ldap_ssl" \
+ "$CONFIGBASENAME"/ad/listener/dir?"/var/lib/univention-$CONFIGBASENAME/ad" \
+ "$CONFIGBASENAME"/ad/mapping/group/language?"$connector_ad_mapping_group_language" \
+ "$CONFIGBASENAME"/ad/mapping/group/primarymail?"$connector_ad_mapping_group_primarymail" \
+ "$CONFIGBASENAME"/ad/mapping/group/win2000/description?false \
+ "$CONFIGBASENAME"/ad/mapping/syncmode?read \
+ "$CONFIGBASENAME"/ad/mapping/user/primarymail?false \
+ "$CONFIGBASENAME"/ad/mapping/user/win2000/description?false \
+ "$CONFIGBASENAME"/ad/poll/sleep?5 \
+ "$CONFIGBASENAME"/ad/retryrejected?10 \
+ "$CONFIGBASENAME"/debug/function?0 \
+ "$CONFIGBASENAME"/debug/level?1 \
+ "$CONFIGBASENAME"/password/service/encoding?iso8859-15
+
+ mkdir -p /etc/univention/"$CONFIGBASENAME"/ad
+ cp -a /etc/univention/connector/ad/mapping /etc/univention/"$CONFIGBASENAME"/ad/
+ sed -i "s|@%@connector/ad/|@%@$CONFIGBASENAME/ad/|g;s|'connector/ad/|'$CONFIGBASENAME/ad/|g" /etc/univention/"$CONFIGBASENAME"/ad/mapping
+ fi
+
+fi
+
+#DEBHELPER#
+
+exit 0
diff -Nur univention-ad-connector-password-read.orig/univention-ad-connector-password-read univention-ad-connector-password-read/univention-ad-connector-password-read
---
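Review bot: `createLogfile` creates the log with `touch $1` and only afterwards runs `chown $2 $1` and `chmod $3 $1`, so for a moment the file exists with the process umask's default mode and owner before it is narrowed to root:adm 640; creating it under a restrictive umask, `(umask 027 && touch "$1")`, closes that interval, and the three expansions should be quoted in any case (`[ ! -e "$1" ]`, `chown "$2" "$1"`, `chmod "$3" "$1"`). The `univention-config-registry set … / mkdir / cp -a / sed -i` block is byte-for-byte the same as connectorpwdread.init.sh in this commit; a single sourced helper would keep the two from drifting. Note also that the guard `[ ! -e /etc/univention/"$CONFIGBASENAME" ]` skips the whole block once that directory exists in any form, so a mapping file an admin removed is not recreated on reinstall — probably intended, but worth a one-line comment such as `# seed UCR keys and mapping on first install only; an existing /etc/univention/$CONFIGBASENAME is left untouched`.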
univention-ad-connector-password-read.orig/univention-ad-connector-password-read 1970-01-01 01:00:00.000000000 +0100 +++ univention-ad-connector-password-read/univention-ad-connector-password-read 2011-04-01 16:17:15.000000000 +0200 
@@ -0,0 +1,445 @@ +#!/usr/bin/python2.4 +# -*- coding: utf-8 -*- +# +# Univention AD Connector Password Sync +# +# Copyright 2004-2011 Univention GmbH +# +# http://www.univention.de/ +# +# All rights reserved. +# +# The source code of this program is made available +# under the terms of the GNU Affero General Public License version 3 +# (GNU AGPL V3) as published by the Free Software Foundation. +# +# Binary versions of this program provided by Univention to you as +# well as other copyrighted, protected or trademarked materials like +# Logos, graphics, fonts, specific documentations and configurations, +# cryptographic keys etc. are subject to a license agreement between +# you and Univention and not subject to the GNU AGPL V3. +# +# In the case you use this program under the terms of the GNU AGPL V3, +# the program is provided in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public +# License with the Debian GNU/Linux or Univention distribution in file +# /usr/share/common-licenses/AGPL-3; if not, see +# . 
+ +import sys, string, os, time, signal, shutil +import base64, pdb, copy, types +from optparse import OptionParser + +import ldap, traceback +import univention +import univention.connector +import univention.connector.ad +import univention.uldap +import univention.admin.uldap +import univention.admin.modules +import univention.admin.objects +import univention.debug2 as ud +import univention.admin.uexceptions + +from univention.connector.ad import ad + +import univention_baseconfig + +from ldap.controls import LDAPControl + +# parse commandline options + +parser = OptionParser() +parser.add_option("--configbasename", dest="configbasename", + help="", metavar="CONFIGBASENAME", default="connector") +(options, args) = parser.parse_args() + +CONFIGBASENAME = "connector" +if options.configbasename: + CONFIGBASENAME = options.configbasename +STATUSLOGFILE = "/var/log/univention/%s-status.log" % CONFIGBASENAME + +sys.path=['/etc/univention/%s/ad/' % CONFIGBASENAME]+sys.path + +import mapping + +def daemon(): + try: + pid = os.fork() + except OSError, e: + print 'Daemon Mode Error: %s' % e.strerror + + if (pid == 0): + os.setsid() + signal.signal(signal.SIGHUP, signal.SIG_IGN) + try: + pid = os.fork() + except OSError, e: + print 'Daemon Mode Error: %s' % e.strerror + if (pid == 0): + os.chdir("/") + os.umask(0) + else: + pf=open('/var/run/univention-ad-%s' % CONFIGBASENAME, 'w+') + pf.write(str(pid)) + pf.close() + os._exit(0) + else: + os._exit(0) + + try: + maxfd = os.sysconf("SC_OPEN_MAX") + except (AttributeError, ValueError): + maxfd = 256 # default maximum + + for fd in range(0, maxfd): + try: + os.close(fd) + except OSError: # ERROR (ignore) + pass + + os.open("/dev/null", os.O_RDONLY) + os.open("/dev/null", os.O_RDWR) + os.open("/dev/null", os.O_RDWR) + + +def connect(): + + daemon() + + f=open(STATUSLOGFILE, 'w+') + sys.stdout=f + print time.ctime() + + baseConfig=univention_baseconfig.baseConfig() + baseConfig.load() + + if not 
baseConfig.has_key('%s/ad/ldap/host' % CONFIGBASENAME): + print '%s/ad/ldap/host not set' % CONFIGBASENAME + f.close() + sys.exit(1) + if not baseConfig.has_key('%s/ad/ldap/port' % CONFIGBASENAME): + print '%s/ad/ldap/port not set' % CONFIGBASENAME + f.close() + sys.exit(1) + if not baseConfig.has_key('%s/ad/ldap/base' % CONFIGBASENAME): + print '%s/ad/ldap/base not set' % CONFIGBASENAME + f.close() + sys.exit(1) + if not baseConfig.has_key('%s/ad/ldap/binddn' % CONFIGBASENAME): + print '%s/ad/ldap/binddn not set' % CONFIGBASENAME + f.close() + sys.exit(1) + if not baseConfig.has_key('%s/ad/ldap/bindpw' % CONFIGBASENAME): + print '%s/ad/ldap/bindpw not set' % CONFIGBASENAME + f.close() + sys.exit(1) + + if not baseConfig.has_key('%s/ad/ldap/certificate' % CONFIGBASENAME) and not (baseConfig.has_key('%s/ad/ldap/ssl' % CONFIGBASENAME) and baseConfig['%s/ad/ldap/ssl' % CONFIGBASENAME] == 'no') : + print '%s/ad/ldap/certificate not set' % CONFIGBASENAME + f.close() + sys.exit(1) + + if baseConfig.is_true('%s/ad/ldap/ssl' % CONFIGBASENAME, True) or baseConfig.is_true('%s/ad/ldap/ldaps' % CONFIGBASENAME, False): + # create a new CAcert file, which contains the UCS CA and the AD CA, + # see Bug #17768 for details + # https://forge.univention.org/bugzilla/show_bug.cgi?id=17768 + new_ca_filename = '/var/cache/univention-ad-connector/CAcert-%s.pem' % CONFIGBASENAME + new_ca = open(new_ca_filename, 'w') + + ca = open('/etc/univention/ssl/ucsCA/CAcert.pem', 'r') + new_ca.write(string.join(ca.readlines(),'')) + ca.close() + + ca = open(baseConfig['%s/ad/ldap/certificate' % CONFIGBASENAME]) + new_ca.write(string.join(ca.readlines(),'')) + ca.close() + + new_ca.close() + + ldap.set_option( ldap.OPT_X_TLS_CACERTFILE, new_ca_filename ) + + + if not baseConfig.has_key('%s/ad/listener/dir' % CONFIGBASENAME): + print '%s/ad/listener/dir not set' % CONFIGBASENAME + f.close() + sys.exit(1) + + if not baseConfig.has_key('%s/ad/retryrejected' % CONFIGBASENAME): + 
baseconfig_retry_rejected=10 + else: + baseconfig_retry_rejected=baseConfig['%s/ad/retryrejected' % CONFIGBASENAME] + + ad_ldap_bindpw=open(baseConfig['%s/ad/ldap/bindpw' % CONFIGBASENAME]).read() + if ad_ldap_bindpw[-1] == '\n': + ad_ldap_bindpw=ad_ldap_bindpw[0:-1] + + poll_sleep=int(baseConfig['%s/ad/poll/sleep' % CONFIGBASENAME]) + ad_init=None + while not ad_init: + try: + ad_pwd=adpwd( CONFIGBASENAME, + mapping.ad_mapping, + baseConfig, + baseConfig['%s/ad/ldap/host' % CONFIGBASENAME], + baseConfig['%s/ad/ldap/port' % CONFIGBASENAME], + baseConfig['%s/ad/ldap/base' % CONFIGBASENAME], + baseConfig['%s/ad/ldap/binddn' % CONFIGBASENAME], + ad_ldap_bindpw, + baseConfig['%s/ad/ldap/certificate' % CONFIGBASENAME], + baseConfig['%s/ad/listener/dir' % CONFIGBASENAME]) + ad_init=True + except ldap.SERVER_DOWN: + print "Warning: Can't initialize LDAP-Connections, wait..." + sys.stdout.flush() + time.sleep(poll_sleep) + pass + + + ad_init=None + + while not ad_init: + try: + ad_pwd.initialize() + ad_init=True + except ldap.SERVER_DOWN: + time.sleep(poll_sleep) + pass + + f.close() + retry_rejected=0 + connected = True + while connected: + f=open(STATUSLOGFILE, 'w+') + sys.stdout=f + print time.ctime() + # Poll for changes + change_counter=1 + while change_counter != 0: + sys.stdout.flush() + try: + change_counter=ad_pwd.poll() + except ldap.SERVER_DOWN: + print "Can't contact LDAP server during ad-poll, sync not possible." 
+ connected = False + sys.stdout.flush() + time.sleep(poll_sleep) + + if change_counter > 0: + retry_rejected=0 + + if str(retry_rejected) == baseconfig_retry_rejected: + ad_pwd.ad.resync_rejected() + retry_rejected=0 + else: + retry_rejected+=1 + + print '- sleep %s seconds (%s/%s until resync) -'%(poll_sleep, retry_rejected, baseconfig_retry_rejected) + sys.stdout.flush() + time.sleep(poll_sleep) + f.close() + ad_pwd.ad.close_debug() + +class adpwd: + def __init__(self, CONFIGBASENAME, property, baseConfig, ad_ldap_host, ad_ldap_port, ad_ldap_base, ad_ldap_binddn, ad_ldap_bindpw, ad_ldap_certificate, listener_dir): + self.ad = ad(CONFIGBASENAME, property, baseConfig, ad_ldap_host, ad_ldap_port, ad_ldap_base, ad_ldap_binddn, ad_ldap_bindpw, ad_ldap_certificate, listener_dir) + + bindpw=open('/etc/ldap.secret').read() + if bindpw[-1] == '\n': + bindpw=bindpw[0:-1] + + self.ad.lo=univention.admin.uldap.access(host=baseConfig['ldap/master'], base=baseConfig['ldap/base'], binddn='cn=admin,'+baseConfig['ldap/base'], bindpw=bindpw, start_tls=2) + + # load UCS Modules + self.ad.modules={} + for key in self.ad.property.keys(): + if self.ad.property[key].ucs_module: + self.ad.modules[key]=univention.admin.modules.get(self.ad.property[key].ucs_module) + else: + self.ad.modules[key]=None + + def initialize(self): + _d=ud.function('ldap.initialize') + + + print "--------------------------------------" + print "Initialize sync from AD" + self.ad.resync_rejected() + if self.ad._get_lastUSN() == 0: # we startup new + ud.debug(ud.LDAP, ud.INFO, "initialize AD: last USN is 0, sync all") + # query highest USN in LDAP + highestCommittedUSN = self.ad._ad__get_highestCommittedUSN() + + # poll for all objects without deleted objects + polled=self.poll(show_deleted=False) + + # compare highest USN from poll with highest before poll, if the last changes deletes + # the highest USN from poll is to low + self.ad._set_lastUSN(max(highestCommittedUSN,self._get_lastUSN())) + ud.debug(ud.LDAP, 
ud.INFO, "initialize AD: sync of all objects finished, lastUSN is %d", self.ad._ad__get_highestCommittedUSN()) + else: + polled=self.poll() + print "--------------------------------------" + + def poll(self, show_deleted=True): + ''' + poll for changes in AD + ''' + _d=ud.function('ldap.poll') + # search from last_usn for changes + change_count = 0 + changes = [] + try: + # call private methode + changes = self.ad._ad__search_ad_changes(show_deleted=show_deleted) + except (ldap.SERVER_DOWN, SystemExit): + raise + except: # FIXME: which exception is to be caught? + self._debug_traceback(ud.WARN,"Exception during search_ad_changes") + + print "--------------------------------------" + print "try to sync %s changes from AD" % len(changes) + print "done:", + sys.stdout.flush() + done_counter = 0 + object = None + + for element in changes: + try: + if element[0] == 'None': # referrals + continue + old_element = copy.deepcopy(element) + object = self.ad._ad__object_from_element(element) + except: # FIXME: which exception is to be caught? 
+ #ud.debug(ud.LDAP, ud.ERROR, "Exception during poll/object-mapping, tried to map element: %s" % old_element[0]) + #ud.debug(ud.LDAP, ud.ERROR, "This object will not be synced again!") + # debug-trace may lead to a segfault here :( + self._debug_traceback(ud.ERROR,"Exception during poll/object-mapping, object will not be synced again!") + + if object: + property_key = self.ad._ad__identify(object) + if property_key: + + if self.ad._ignore_object(property_key,object): + # call private methode + self.ad._ad__update_lastUSN(object) + done_counter += 1 + print "%s"%done_counter, + continue + + sync_successfull = False + try: + ud.debug(ud.LDAP, ud.INFO, "Sync object (%s) property_key: %s" % (object['dn'], property_key)) + if property_key == 'user' and object['modtype'] == 'modify': + if not self.ad._ignore_object(property_key,object): + property_ucs = self.ad._ad__identify(object) + object_ucs = self.ad._object_mapping(property_key,object) + + try: + univention.connector.ad.password.password_sync(self.ad, property_key, object_ucs) + except univention.admin.uexceptions.noObject: + # This is possible if the user does not exist in UCS (the main AD connector is in write mode) + ud.debug(ud.LDAP, ud.INFO, "Object (%s) was not found in UCS (ignore)" % (object['dn'])) + pass + sync_successfull = True + else: + sync_successfull = True + else: + sync_successfull = True + except (ldap.SERVER_DOWN, SystemExit): + raise + except univention.admin.uexceptions.ldapError, msg: + ud.debug(ud.LDAP, ud.INFO, "Exception during poll with message (1) %s"%msg) + if msg == "Can't contact LDAP server": + raise ldap.SERVER_DOWN + else: + self._debug_traceback(ud.WARN,"Exception during poll/sync_to_ucs") + except univention.admin.uexceptions.ldapError, msg: + ud.debug(ud.LDAP, ud.INFO, "Exception during poll with message (2) %s"%msg) + if msg == "Can't contact LDAP server": + raise ldap.SERVER_DOWN + else: + self._debug_traceback(ud.WARN,"Exception during poll") + except: # FIXME: which 
exception is to be caught? + self.ad._debug_traceback(ud.WARN, "Exception during poll/sync_to_ucs") + + + + if not sync_successfull: + ud.debug(ud.LDAP, ud.WARN, + "sync to ucs was not successfull, save rejected") + ud.debug(ud.LDAP, ud.WARN, + "object was: %s"%object['dn']) + + if sync_successfull: + change_count+=1 + # call private methode + self.ad._ad__update_lastUSN(object) + try: + GUID = old_element[1]['objectGUID'][0] + self.ad._set_DN_for_GUID(GUID,old_element[0]) + except (ldap.SERVER_DOWN, SystemExit): + raise + except: # FIXME: which exception is to be caught? + self._debug_traceback(ud.WARN, + "Exception during set_DN_for_GUID") + + else: + self.ad.save_rejected(object) + else: + # call private methode + self.ad._ad__update_lastUSN(object) + + done_counter += 1 + print "%s"%done_counter, + else: + done_counter += 1 + print "(%s)"%done_counter, + sys.stdout.flush() + + print "" + + # return number of synced objects + rejected = self.ad._list_rejected() + if rejected: + print "Changes from AD: %s (%s saved rejected)" % (change_count, len(rejected)) + else: + print "Changes from AD: %s (%s saved rejected)" % (change_count, '0') + print "--------------------------------------" + sys.stdout.flush() + return change_count + + +def main(): + while True: + try: + connect() + except SystemExit: + raise + except: + f=open(STATUSLOGFILE, 'w+') + sys.stdout=f + print time.ctime() + + text = '' + exc_info = sys.exc_info() + lines = apply(traceback.format_exception, exc_info) + text = text + '\n' + for line in lines: + text += line + print " --- connect failed, failure was: ---" + print text + print " --- retry in 30 seconds ---" + sys.stdout.flush() + time.sleep(30) + + f.close() + + +if __name__ == "__main__": + main() +
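Review bot: `os.umask(0)` in `daemon()` stays in effect for the rest of the process, so the CA bundle that `connect()` writes with `open(new_ca_filename, 'w')` and then passes to `ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ...)` is created world-writable whenever it does not already exist, which lets any local account replace the trust anchors used for the AD LDAPS connection (the status log opened with `'w+'` is exposed the same way when it is missing); keep a sane mask such as `os.umask(022)`, or create the bundle via `os.open(new_ca_filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0644)`. Separately, class `adpwd` defines no `_debug_traceback` or `_get_lastUSN`, yet `initialize()` calls `self._get_lastUSN()` and `poll()` calls `self._debug_traceback(...)` in three except branches, so those error paths raise AttributeError instead of logging; the final except branch of `poll()` uses `self.ad._debug_traceback`, which looks like the intended form for all of them. In `daemon()`, a failed `os.fork()` only prints the error and then evaluates `pid == 0` with `pid` unbound, giving a NameError rather than a clean exit. Finally, when `ad/retryrejected` is unset `baseconfig_retry_rejected` is the int `10` while the check is `str(retry_rejected) == baseconfig_retry_rejected`, so `resync_rejected()` never fires in that configuration; compare `retry_rejected == int(baseconfig_retry_rejected)` instead.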