|
|
|---|
| 34 |
|
34 |
|
| 35 |
import ldap |
35 |
import ldap |
| 36 |
import univention.debug2 as ud |
36 |
import univention.debug2 as ud |
| 37 |
import univention.s4connector.s4 |
37 |
from ldap.controls import LDAPControl |
|
|
38 |
from samba.dcerpc import security |
| 39 |
from samba.ndr import ndr_pack, ndr_unpack |
| 38 |
|
40 |
|
| 39 |
def sid_to_s4(s4connector, key, object): |
41 |
def sid_to_s4(s4connector, key, object): |
| 40 |
ud.debug(ud.LDAP, ud.INFO, "sid_to_s4 object: %s" % object) |
42 |
ud.debug(ud.LDAP, ud.INFO, "sid_to_s4 object: %s" % object) |
|
|
|---|
| 59 |
(s4_dn, s4_attributes) = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE, '(objectSid=*)', ['objectSid'] )[0] |
61 |
(s4_dn, s4_attributes) = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE, '(objectSid=*)', ['objectSid'] )[0] |
| 60 |
objectSid = s4_attributes.get('objectSid') |
62 |
objectSid = s4_attributes.get('objectSid') |
| 61 |
if objectSid: |
63 |
if objectSid: |
| 62 |
decoded_s4_sid = univention.s4connector.s4.decode_sid(objectSid[0]) |
64 |
# decoded_s4_sid = univention.s4connector.s4.decode_sid(objectSid[0]) |
| 63 |
if decoded_s4_sid == sambaSID[0]: |
65 |
s4_objectSid = ndr_unpack(security.dom_sid, objectSid[0]) |
| 64 |
ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: objectSID and %s are equal' % sidAttribute) |
66 |
decoded_s4_sid = str(s4_objectSid) |
|
|
67 |
if objectSid_str == sambaSID[0]: |
| 68 |
ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: objectSid and %s are equal' % sidAttribute) |
| 65 |
return |
69 |
return |
| 66 |
|
70 |
|
| 67 |
# change objectSID |
71 |
### change objectSID |
| 68 |
# objectSid modification for an AD object seems to be not possible: |
72 |
# objectSid modification for an AD object seems to be not possible: |
| 69 |
# http://serverfault.com/questions/53717/how-can-i-change-the-sid-of-a-user-account-in-the-active-directory |
73 |
# http://serverfault.com/questions/53717/how-can-i-change-the-sid-of-a-user-account-in-the-active-directory |
| 70 |
# http://technet.microsoft.com/en-us/library/cc961998.aspx |
74 |
# http://technet.microsoft.com/en-us/library/cc961998.aspx |
| 71 |
|
75 |
|
| 72 |
ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: The objectSid modification in S4 / AD is not allowed.') |
76 |
ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: changing objectSid from %s to %s' % (decoded_s4_sid, sambaSID[0]) ) |
| 73 |
#encoded_sambaSID = univention.s4connector.s4.encode_sid(sambaSID[0]) |
77 |
new_objectSid_ndr = ndr_pack(security.dom_sid(sambaSID[0])) |
| 74 |
#modlist.append((ldap.MOD_REPLACE, 'objectSid', encoded_sambaSID)) |
78 |
modlist.append((ldap.MOD_REPLACE, 'objectSid', new_objectSid_ndr)) |
| 75 |
#s4connector.lo_s4.lo.modify_ext_s(s4_dn, modlist) |
|
|
| 76 |
|
79 |
|
|
|
80 |
# objectSid modification for an Samba4 object is only possible with the "provision" control: |
| 81 |
LDB_CONTROL_PROVISION_OID = '1.3.6.1.4.1.7165.4.3.16' |
| 82 |
controls = [ LDAPControl(LDB_CONTROL_PROVISION_OID,criticality=0) ] |
| 83 |
s4connector.lo_s4.lo.modify_ext_s(s4_dn, modlist, serverctrls=controls) |
| 84 |
|
| 77 |
pass |
85 |
pass |
| 78 |
|
86 |
|
| 79 |
def sid_to_ucs(s4connector, key, s4_object): |
87 |
def sid_to_ucs(s4connector, key, s4_object): |