Attachment #4053 for bug #22653

View | Details | Raw Unified | Return to bug 22653
Collapse All | Expand All




#!/bin/sh

eval "$(univention-config-registry shell)"

CONFIGBASENAME="connectorpwdread"

univention-config-registry set  "$CONFIGBASENAME"/ad/autostart?"$connector_ad_autostart" \
                                "$CONFIGBASENAME"/ad/ldap/base?"$connector_ad_ldap_base" \
                                "$CONFIGBASENAME"/ad/ldap/binddn?"$connector_ad_ldap_binddn" \
                                "$CONFIGBASENAME"/ad/ldap/bindpw?"$connector_ad_ldap_bindpw" \
                                "$CONFIGBASENAME"/ad/ldap/certificate?"$connector_ad_ldap_certificate" \
                                "$CONFIGBASENAME"/ad/ldap/host?"$connector_ad_ldap_host" \
                                "$CONFIGBASENAME"/ad/mapping/kerberosdomain?"$connector_ad_mapping_kerberosdomain" \
                                "$CONFIGBASENAME"/ad/mapping/language?"$connector_ad_mapping_language" \
                                "$CONFIGBASENAME"/ad/ldap/port?"$connector_ad_ldap_port" \
                                "$CONFIGBASENAME"/ad/ldap/ssl?"$connector_ad_ldap_ssl" \
                                "$CONFIGBASENAME"/ad/listener/dir?"/var/lib/univention-$CONFIGBASENAME/ad" \
                                "$CONFIGBASENAME"/ad/mapping/group/language?"$connector_ad_mapping_group_language" \
                                "$CONFIGBASENAME"/ad/mapping/group/primarymail?"$connector_ad_mapping_group_primarymail" \
                                "$CONFIGBASENAME"/ad/mapping/group/win2000/description?false \
                                "$CONFIGBASENAME"/ad/mapping/syncmode?read \
                                "$CONFIGBASENAME"/ad/mapping/user/primarymail?false \
                                "$CONFIGBASENAME"/ad/mapping/user/win2000/description?false \
                                "$CONFIGBASENAME"/ad/poll/sleep?5 \
                                "$CONFIGBASENAME"/ad/retryrejected?10 \
                                "$CONFIGBASENAME"/debug/function?0 \
                                "$CONFIGBASENAME"/debug/level?1 \
                                "$CONFIGBASENAME"/password/service/encoding?iso8859-15

mkdir -p /etc/univention/"$CONFIGBASENAME"/ad
cp -a /etc/univention/connector/ad/mapping /etc/univention/"$CONFIGBASENAME"/ad/
sed -i "s|@%@connector/ad/|@%@$CONFIGBASENAME/ad/|g;s|'connector/ad/|'$CONFIGBASENAME/ad/|g" /etc/univention/"$CONFIGBASENAME"/ad/mapping

exit 0




univention-ad-connector-password-read (1.0.5-2) unstable; urgency=low

  * Fixed typo (Ticket #2011032410000222)

 -- Stefan Gohmann <gohmann@univention.de>  Fri, 01 Apr 2011 16:19:10 +0200

univention-ad-connector-password-read (1.0.5-1) unstable; urgency=low

  * Re-initialize the ldap connection to UCS because in some customer
    environments (write mode) the AD connector is modified to connect
    against the ldap/server/name instead of ldap/master
    (Ticket #2011032410000222)

 -- Stefan Gohmann <gohmann@univention.de>  Fri, 01 Apr 2011 16:04:32 +0200

univention-ad-connector-password-read (1.0.4-1) unstable; urgency=low

  * Replace all ucr variables in the new mapping file
    (Ticket #2011032410000222)

 -- Stefan Gohmann <gohmann@univention.de>  Thu, 31 Mar 2011 14:45:47 +0200

univention-ad-connector-password-read (1.0.3-1) unstable; urgency=low

  * Fixed typo in postinst for connector_ad_mapping_group_language
    (Ticket #2011032410000222)

 -- Stefan Gohmann <gohmann@univention.de>  Wed, 30 Mar 2011 19:58:17 +0200

univention-ad-connector-password-read (1.0.2-1) unstable; urgency=low

  * Fixed excepetion error (Ticket #2011032410000222)
  * Sleep for poll_sleep interval if the AD server is not available
    (Ticket #2011032410000222)

 -- Stefan Gohmann <gohmann@univention.de>  Wed, 30 Mar 2011 11:08:12 +0200

univention-ad-connector-password-read (1.0.1-1) unstable; urgency=low

  * Removed unused debug code
  * Added an exception handling if the user does not exist in UCS, this
    is possible because the AD connector is normally in write mode
  (Ticket #2011032410000222)

 -- Stefan Gohmann <gohmann@univention.de>  Wed, 30 Mar 2011 07:46:43 +0200

univention-ad-connector-password-read (1.0.0-1) unstable; urgency=low

  * Initial Release (Ticket #2011032410000222)

 -- Stefan Gohmann <gohmann@univention.de>  Tue, 29 Mar 2011 06:43:39 +0200


(-)univention-ad-connector-password-read.orig/debian/compat (+1 lines)

Line 0	Link Here




Source: univention-ad-connector-password-read
Section: univention
Priority: optional
Maintainer: Univention GmbH <packages@univention.de>
Standards-Version: 3.5.5
Build-Depends: debhelper (>> 7), univention-config-dev

Package: univention-ad-connector-password-read
Architecture: all
Depends: univention-directory-manager-tools,
 univention-ad-connector,
 ${misc:Depends}
Description: Synchronize password only from AD to UCS
 This package contains a daemon wich synchronize the password from AD to
 UCS. This is useful if the ad connector is configured in write mode (UCS
 -> AD) and only the password must be synchronized back from AD to UCS.
 This package requires a configured AD connector.
 This package is part of Univention Corporate Server (UCS), an
 integrated, directory driven solution for managing corporate
 environments. For more information about UCS, refer to:
 http://www.univention.de/





Copyright 2010-2011 Univention GmbH

http://www.univention.de/

All rights reserved.

The source code of the software contained in this package
as well as the source package itself are made available
under the terms of the GNU Affero General Public License version 3
(GNU AGPL V3) as published by the Free Software Foundation.

Binary versions of this package provided by Univention to you as
well as other copyrighted, protected or trademarked materials like
Logos, graphics, fonts, specific documentations and configurations,
cryptographic keys etc. are subject to a license agreement between
you and Univention and not subject to the GNU AGPL V3.

In the case you use the software under the terms of the GNU AGPL V3,
the program is provided in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public
License with the Debian GNU/Linux or Univention distribution in file
/usr/share/common-licenses/AGPL-3; if not, see
<http://www.gnu.org/licenses/>.





#!/usr/bin/make -f
#
# univention-ad-connector-password-read
#  debhelper script for the debian package
#
# Copyright 2010-2011 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

override_dh_auto_install:
	univention-install-config-registry
	dh_auto_install

override_dh_auto_build:
	dh_auto_build
%:
	dh $@






#!/bin/sh
#
# Univention AD Connector
#  init script of ad connector password read
#
# Copyright 2004-2011 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

CONFIGBASENAME="connectorpwdread"
ADCONNECTORPID="/var/run/univention-ad-$CONFIGBASENAME"

. /lib/lsb/init-functions

case "$1" in
	start)
		# check ucr autostart setting
		if [ -f "/usr/share/univention-config-registry/init-autostart.lib" ]; then
			source "/usr/share/univention-config-registry/init-autostart.lib"
			check_autostart ad-$CONFIGBASENAME $CONFIGBASENAME/ad/autostart
		fi	
		log_action_msg "Starting univention-ad-connector daemon"
		cat /etc/univention/${CONFIGBASENAME}/ad/mapping | univention-config-registry filter --encode-utf8 >/etc/univention/${CONFIGBASENAME}/ad/mapping.py
		start-stop-daemon --start --quiet --pidfile "$ADCONNECTORPID" -a /usr/sbin/univention-ad-connector-password-read -- --configbase "$CONFIGBASENAME"
		log_action_end_msg 0
		;;
	stop)
		log_action_msg "Stopping univention-ad-connector daemon"
		start-stop-daemon --stop --retry TERM/300/KILL --quiet --pidfile "$ADCONNECTORPID" -a /usr/sbin/univention-ad-connector-password-read
		log_action_end_msg 0
		;;
	restart|force-reload)
		$0 stop
		sleep 1
		$0 start
		;;
	crestart)
		ADCONNECTOR=`cat $ADCONNECTORPID 2>/dev/null`
		if [ -n "$ADCONNECTOR" ]; then
			pgrep -s "$ADCONNECTOR" -f "connector-password-read" && $0 restart
		    ps xaw | grep connector-password-read | grep -q "$ADCONNECTOR" >/dev/null && $0 restart
		fi
		;;
	*)
		echo "Usage: /etc/init.d/univention-ad-connector {start|stop|restart|crestart|force-reload}"
		exit 1
		;;
esac



(-)univention-ad-connector-password-read.orig/debian/univention-ad-connector-password-read.install (+1 lines)

Line 0	Link Here

univention-ad-connector-password-read usr/sbin/




#!/bin/sh
#
# Univention AD Connector
#  postinst script of the ad connector package
#
# Copyright 2004-2010 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

eval "$(ucr shell)"

CONFIGBASENAME="connectorpwdread"

createLogfile () {
	if [ ! -e $1 ] ; then
		touch $1
		chown $2 $1
		chmod $3 $1
	fi
}

createLogfile "/var/log/univention/${CONFIGBASENAME}.log" "root:adm" 640
createLogfile "/var/log/univention/${CONFIGBASENAME}-status.log" "root:adm" 640

if [ "$1" = "configure" ] && [ -z "$2" ]; then
	if [ ! -e /etc/univention/"$CONFIGBASENAME" ]; then

		univention-config-registry set	"$CONFIGBASENAME"/ad/autostart?"$connector_ad_autostart" \
										"$CONFIGBASENAME"/ad/ldap/base?"$connector_ad_ldap_base" \
										"$CONFIGBASENAME"/ad/ldap/binddn?"$connector_ad_ldap_binddn" \
										"$CONFIGBASENAME"/ad/ldap/bindpw?"$connector_ad_ldap_bindpw" \
										"$CONFIGBASENAME"/ad/ldap/certificate?"$connector_ad_ldap_certificate" \
										"$CONFIGBASENAME"/ad/ldap/host?"$connector_ad_ldap_host" \
										"$CONFIGBASENAME"/ad/mapping/kerberosdomain?"$connector_ad_mapping_kerberosdomain" \
										"$CONFIGBASENAME"/ad/mapping/language?"$connector_ad_mapping_language" \
										"$CONFIGBASENAME"/ad/ldap/port?"$connector_ad_ldap_port" \
										"$CONFIGBASENAME"/ad/ldap/ssl?"$connector_ad_ldap_ssl" \
										"$CONFIGBASENAME"/ad/listener/dir?"/var/lib/univention-$CONFIGBASENAME/ad" \
										"$CONFIGBASENAME"/ad/mapping/group/language?"$connector_ad_mapping_group_language" \
										"$CONFIGBASENAME"/ad/mapping/group/primarymail?"$connector_ad_mapping_group_primarymail" \
										"$CONFIGBASENAME"/ad/mapping/group/win2000/description?false \
										"$CONFIGBASENAME"/ad/mapping/syncmode?read \
										"$CONFIGBASENAME"/ad/mapping/user/primarymail?false \
										"$CONFIGBASENAME"/ad/mapping/user/win2000/description?false \
										"$CONFIGBASENAME"/ad/poll/sleep?5 \
										"$CONFIGBASENAME"/ad/retryrejected?10 \
										"$CONFIGBASENAME"/debug/function?0 \
										"$CONFIGBASENAME"/debug/level?1 \
										"$CONFIGBASENAME"/password/service/encoding?iso8859-15
		
		mkdir -p /etc/univention/"$CONFIGBASENAME"/ad
		cp -a /etc/univention/connector/ad/mapping /etc/univention/"$CONFIGBASENAME"/ad/
		sed -i "s|@%@connector/ad/|@%@$CONFIGBASENAME/ad/|g;s|'connector/ad/|'$CONFIGBASENAME/ad/|g" /etc/univention/"$CONFIGBASENAME"/ad/mapping
	fi
    
fi

#DEBHELPER#

exit 0




#!/usr/bin/python2.4
# -*- coding: utf-8 -*-
#
# Univention AD Connector Password Sync
#
# Copyright 2004-2011 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

import sys, string, os, time, signal, shutil
import base64, pdb, copy, types
from optparse import OptionParser

import ldap, traceback
import univention
import univention.connector
import univention.connector.ad
import univention.uldap
import univention.admin.uldap
import univention.admin.modules
import univention.admin.objects
import univention.debug2 as ud
import univention.admin.uexceptions

from univention.connector.ad import ad

import univention_baseconfig

from ldap.controls import LDAPControl

# parse commandline options

parser = OptionParser()
parser.add_option("--configbasename", dest="configbasename",
                  help="", metavar="CONFIGBASENAME", default="connector")
(options, args) = parser.parse_args()

CONFIGBASENAME = "connector"
if options.configbasename:
	CONFIGBASENAME = options.configbasename
STATUSLOGFILE = "/var/log/univention/%s-status.log" % CONFIGBASENAME

sys.path=['/etc/univention/%s/ad/' % CONFIGBASENAME]+sys.path

import mapping

def daemon():
	try:
		pid = os.fork()
	except OSError, e:
		print 'Daemon Mode Error: %s' % e.strerror

	if (pid == 0):
		os.setsid()
		signal.signal(signal.SIGHUP, signal.SIG_IGN)
		try:
			pid = os.fork()
		except OSError, e:
			print 'Daemon Mode Error: %s' % e.strerror
		if (pid == 0):
			os.chdir("/")
			os.umask(0)
		else:
			pf=open('/var/run/univention-ad-%s' % CONFIGBASENAME, 'w+')
			pf.write(str(pid))
			pf.close()
			os._exit(0)
	else:
		os._exit(0)

	try:
		maxfd = os.sysconf("SC_OPEN_MAX")
	except (AttributeError, ValueError):
		maxfd = 256       # default maximum

	for fd in range(0, maxfd):
		try:
			os.close(fd)
		except OSError:   # ERROR (ignore)
			pass

	os.open("/dev/null", os.O_RDONLY)
	os.open("/dev/null", os.O_RDWR)
	os.open("/dev/null", os.O_RDWR)


def connect():

	daemon()

	f=open(STATUSLOGFILE, 'w+')
	sys.stdout=f
	print time.ctime()

	baseConfig=univention_baseconfig.baseConfig()
	baseConfig.load()

	if not baseConfig.has_key('%s/ad/ldap/host' % CONFIGBASENAME):
		print '%s/ad/ldap/host not set' % CONFIGBASENAME
		f.close()
		sys.exit(1)
	if not baseConfig.has_key('%s/ad/ldap/port' % CONFIGBASENAME):
		print '%s/ad/ldap/port not set' % CONFIGBASENAME
		f.close()
		sys.exit(1)
	if not baseConfig.has_key('%s/ad/ldap/base' % CONFIGBASENAME):
		print '%s/ad/ldap/base not set' % CONFIGBASENAME
		f.close()
		sys.exit(1)
	if not baseConfig.has_key('%s/ad/ldap/binddn' % CONFIGBASENAME):
		print '%s/ad/ldap/binddn not set' % CONFIGBASENAME
		f.close()
		sys.exit(1)
	if not baseConfig.has_key('%s/ad/ldap/bindpw' % CONFIGBASENAME):
		print '%s/ad/ldap/bindpw not set' % CONFIGBASENAME
		f.close()
		sys.exit(1)

	if not baseConfig.has_key('%s/ad/ldap/certificate' % CONFIGBASENAME) and not (baseConfig.has_key('%s/ad/ldap/ssl' % CONFIGBASENAME) and baseConfig['%s/ad/ldap/ssl' % CONFIGBASENAME] == 'no') :
		print '%s/ad/ldap/certificate not set' % CONFIGBASENAME
		f.close()
		sys.exit(1)

	if baseConfig.is_true('%s/ad/ldap/ssl' % CONFIGBASENAME, True) or baseConfig.is_true('%s/ad/ldap/ldaps' % CONFIGBASENAME, False):
		# create a new CAcert file, which contains the UCS CA and the AD CA,
		# see Bug #17768 for details
		#  https://forge.univention.org/bugzilla/show_bug.cgi?id=17768
		new_ca_filename = '/var/cache/univention-ad-connector/CAcert-%s.pem' % CONFIGBASENAME
		new_ca = open(new_ca_filename, 'w')

		ca = open('/etc/univention/ssl/ucsCA/CAcert.pem', 'r')
		new_ca.write(string.join(ca.readlines(),''))
		ca.close()

		ca = open(baseConfig['%s/ad/ldap/certificate' % CONFIGBASENAME])
		new_ca.write(string.join(ca.readlines(),''))
		ca.close()

		new_ca.close()
		
		ldap.set_option( ldap.OPT_X_TLS_CACERTFILE, new_ca_filename )
	

	if not baseConfig.has_key('%s/ad/listener/dir' % CONFIGBASENAME):
		print '%s/ad/listener/dir not set' % CONFIGBASENAME
		f.close()
		sys.exit(1)

	if not baseConfig.has_key('%s/ad/retryrejected' % CONFIGBASENAME):
		baseconfig_retry_rejected=10
	else:
		baseconfig_retry_rejected=baseConfig['%s/ad/retryrejected' % CONFIGBASENAME]

	ad_ldap_bindpw=open(baseConfig['%s/ad/ldap/bindpw' % CONFIGBASENAME]).read()
	if ad_ldap_bindpw[-1] == '\n':
		ad_ldap_bindpw=ad_ldap_bindpw[0:-1]
	
	poll_sleep=int(baseConfig['%s/ad/poll/sleep' % CONFIGBASENAME])
	ad_init=None
	while not ad_init:
		try:
			ad_pwd=adpwd(	CONFIGBASENAME,
						mapping.ad_mapping,
						baseConfig,
						baseConfig['%s/ad/ldap/host' % CONFIGBASENAME],
						baseConfig['%s/ad/ldap/port' % CONFIGBASENAME],
						baseConfig['%s/ad/ldap/base' % CONFIGBASENAME],
						baseConfig['%s/ad/ldap/binddn' % CONFIGBASENAME],
						ad_ldap_bindpw,
						baseConfig['%s/ad/ldap/certificate' % CONFIGBASENAME],
						baseConfig['%s/ad/listener/dir' % CONFIGBASENAME])
			ad_init=True
		except ldap.SERVER_DOWN:
			print "Warning: Can't initialize LDAP-Connections, wait..."
			sys.stdout.flush()
			time.sleep(poll_sleep)
			pass


	ad_init=None

	while not ad_init:
		try:
			ad_pwd.initialize()
			ad_init=True
		except ldap.SERVER_DOWN:
			time.sleep(poll_sleep)
			pass

	f.close()
	retry_rejected=0
	connected = True
	while connected:
		f=open(STATUSLOGFILE, 'w+')
		sys.stdout=f
		print time.ctime()
		# Poll for changes
		change_counter=1
		while change_counter != 0:
			sys.stdout.flush()
			try:
				change_counter=ad_pwd.poll()
			except ldap.SERVER_DOWN:
				print "Can't contact LDAP server during ad-poll, sync not possible."
				connected = False
 				sys.stdout.flush()
				time.sleep(poll_sleep)

			if change_counter > 0:
				retry_rejected=0

		if str(retry_rejected) == baseconfig_retry_rejected:
			ad_pwd.ad.resync_rejected()
			retry_rejected=0
		else:
			retry_rejected+=1

		print '- sleep %s seconds (%s/%s until resync) -'%(poll_sleep, retry_rejected, baseconfig_retry_rejected)
		sys.stdout.flush()
		time.sleep(poll_sleep)
		f.close()
	ad_pwd.ad.close_debug()

class adpwd:
	def __init__(self, CONFIGBASENAME, property, baseConfig, ad_ldap_host, ad_ldap_port, ad_ldap_base, ad_ldap_binddn, ad_ldap_bindpw, ad_ldap_certificate, listener_dir):
		self.ad = ad(CONFIGBASENAME, property, baseConfig, ad_ldap_host, ad_ldap_port, ad_ldap_base, ad_ldap_binddn, ad_ldap_bindpw, ad_ldap_certificate, listener_dir)

		bindpw=open('/etc/ldap.secret').read()
		if bindpw[-1] == '\n':
			bindpw=bindpw[0:-1]

		self.ad.lo=univention.admin.uldap.access(host=baseConfig['ldap/master'], base=baseConfig['ldap/base'], binddn='cn=admin,'+baseConfig['ldap/base'], bindpw=bindpw, start_tls=2)

		# load UCS Modules
		self.ad.modules={}
		for key in self.ad.property.keys():
			if self.ad.property[key].ucs_module:
				self.ad.modules[key]=univention.admin.modules.get(self.ad.property[key].ucs_module)
			else:
				self.ad.modules[key]=None

	def initialize(self):
		_d=ud.function('ldap.initialize')


		print "--------------------------------------"
		print "Initialize sync from AD"
		self.ad.resync_rejected()
		if self.ad._get_lastUSN() == 0: # we startup new
			ud.debug(ud.LDAP, ud.INFO, "initialize AD: last USN is 0, sync all")
			# query highest USN in LDAP
			highestCommittedUSN = self.ad._ad__get_highestCommittedUSN()

			# poll for all objects without deleted objects
			polled=self.poll(show_deleted=False)

			# compare highest USN from poll with highest before poll, if the last changes deletes
			# the highest USN from poll is to low
			self.ad._set_lastUSN(max(highestCommittedUSN,self._get_lastUSN()))
			ud.debug(ud.LDAP, ud.INFO, "initialize AD: sync of all objects finished, lastUSN is %d", self.ad._ad__get_highestCommittedUSN())
		else:
			polled=self.poll()		
		print "--------------------------------------"

	def poll(self, show_deleted=True):
		'''
		poll for changes in AD
		'''
		_d=ud.function('ldap.poll')
		# search from last_usn for changes
		change_count = 0
		changes = []
		try:
			# call private methode
			changes = self.ad._ad__search_ad_changes(show_deleted=show_deleted)
		except (ldap.SERVER_DOWN, SystemExit):
			raise		
		except: # FIXME: which exception is to be caught?
			self._debug_traceback(ud.WARN,"Exception during search_ad_changes")

		print "--------------------------------------"
		print "try to sync %s changes from AD" % len(changes)
		print "done:",
		sys.stdout.flush()
		done_counter = 0
		object = None

		for element in changes:
			try:
				if element[0] == 'None': # referrals
					continue
				old_element = copy.deepcopy(element)
				object = self.ad._ad__object_from_element(element)
			except: # FIXME: which exception is to be caught?
				#ud.debug(ud.LDAP, ud.ERROR, "Exception during poll/object-mapping, tried to map element: %s" % old_element[0])
				#ud.debug(ud.LDAP, ud.ERROR, "This object will not be synced again!")
				# debug-trace may lead to a segfault here :(
				self._debug_traceback(ud.ERROR,"Exception during poll/object-mapping, object will not be synced again!")
				
			if object:
				property_key = self.ad._ad__identify(object)
				if property_key:
					
					if self.ad._ignore_object(property_key,object):
						# call private methode
						self.ad._ad__update_lastUSN(object)
						done_counter += 1
						print "%s"%done_counter,
						continue

					sync_successfull = False
					try:
						ud.debug(ud.LDAP, ud.INFO, "Sync object (%s) property_key: %s" % (object['dn'], property_key))
						if property_key == 'user' and object['modtype'] == 'modify':
							if not self.ad._ignore_object(property_key,object):
								property_ucs = self.ad._ad__identify(object)
								object_ucs = self.ad._object_mapping(property_key,object)

								try:
									univention.connector.ad.password.password_sync(self.ad, property_key, object_ucs)
								except univention.admin.uexceptions.noObject:
									# This is possible if the user does not exist in UCS (the main AD connector is in write mode)
									ud.debug(ud.LDAP, ud.INFO, "Object (%s) was not found in UCS (ignore)" % (object['dn']))
									pass
								sync_successfull = True
							else:
								sync_successfull = True
						else:
							sync_successfull = True
					except (ldap.SERVER_DOWN, SystemExit):
						raise
					except univention.admin.uexceptions.ldapError, msg:
						ud.debug(ud.LDAP, ud.INFO, "Exception during poll with message (1) %s"%msg)
						if msg == "Can't contact LDAP server":
							raise ldap.SERVER_DOWN
						else:
							self._debug_traceback(ud.WARN,"Exception during poll/sync_to_ucs")
					except univention.admin.uexceptions.ldapError, msg:
						ud.debug(ud.LDAP, ud.INFO, "Exception during poll with message (2) %s"%msg)
						if msg == "Can't contact LDAP server":
							raise ldap.SERVER_DOWN
						else:
							self._debug_traceback(ud.WARN,"Exception during poll")
					except: # FIXME: which exception is to be caught?
						self.ad._debug_traceback(ud.WARN, "Exception during poll/sync_to_ucs")



					if not sync_successfull:
						ud.debug(ud.LDAP, ud.WARN,
											   "sync to ucs was not successfull, save rejected")
						ud.debug(ud.LDAP, ud.WARN,
											   "object was: %s"%object['dn'])

					if sync_successfull:
						change_count+=1
						# call private methode
						self.ad._ad__update_lastUSN(object)
						try:
							GUID = old_element[1]['objectGUID'][0]
							self.ad._set_DN_for_GUID(GUID,old_element[0])
						except (ldap.SERVER_DOWN, SystemExit):
							raise
						except: # FIXME: which exception is to be caught?
							self._debug_traceback(ud.WARN,
									      "Exception during set_DN_for_GUID")

					else:
						self.ad.save_rejected(object)
				else:
					# call private methode
					self.ad._ad__update_lastUSN(object)

				done_counter += 1
				print "%s"%done_counter,
			else:
				done_counter += 1
				print "(%s)"%done_counter,
			sys.stdout.flush()
				
		print ""

		# return number of synced objects
		rejected = self.ad._list_rejected()
		if rejected:
			print "Changes from AD:  %s (%s saved rejected)" % (change_count, len(rejected))
		else:
			print "Changes from AD:  %s (%s saved rejected)" % (change_count, '0')
		print "--------------------------------------"
		sys.stdout.flush()
		return change_count


def main():
	while True:
		try:
			connect()
		except SystemExit:
			raise
		except:
			f=open(STATUSLOGFILE, 'w+')
			sys.stdout=f
			print time.ctime()
			
			text = ''
			exc_info = sys.exc_info()
			lines = apply(traceback.format_exception, exc_info)
			text = text + '\n'
			for line in lines:
				text += line
			print " --- connect failed, failure was: ---"
			print text
			print " ---     retry in 30 seconds      ---"
			sys.stdout.flush()
			time.sleep(30)

			f.close()


if __name__ == "__main__":
	main()


Return to bug 22653