|
34 |
|
34 |
|
35 |
import ldap |
35 |
import ldap |
36 |
import univention.debug2 as ud |
36 |
import univention.debug2 as ud |
37 |
import univention.s4connector.s4 |
37 |
from ldap.controls import LDAPControl |
|
|
38 |
from samba.dcerpc import security |
39 |
from samba.ndr import ndr_pack, ndr_unpack |
38 |
|
40 |
|
39 |
def sid_to_s4(s4connector, key, object): |
41 |
def sid_to_s4(s4connector, key, object): |
40 |
ud.debug(ud.LDAP, ud.INFO, "sid_to_s4 object: %s" % object) |
42 |
ud.debug(ud.LDAP, ud.INFO, "sid_to_s4 object: %s" % object) |
|
59 |
(s4_dn, s4_attributes) = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE, '(objectSid=*)', ['objectSid'] )[0] |
61 |
(s4_dn, s4_attributes) = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE, '(objectSid=*)', ['objectSid'] )[0] |
60 |
objectSid = s4_attributes.get('objectSid') |
62 |
objectSid = s4_attributes.get('objectSid') |
61 |
if objectSid: |
63 |
if objectSid: |
62 |
decoded_s4_sid = univention.s4connector.s4.decode_sid(objectSid[0]) |
64 |
# decoded_s4_sid = univention.s4connector.s4.decode_sid(objectSid[0]) |
63 |
if decoded_s4_sid == sambaSID[0]: |
65 |
s4_objectSid = ndr_unpack(security.dom_sid, objectSid[0]) |
64 |
ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: objectSID and %s are equal' % sidAttribute) |
66 |
decoded_s4_sid = str(s4_objectSid) |
|
|
67 |
if objectSid_str == sambaSID[0]: |
68 |
ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: objectSid and %s are equal' % sidAttribute) |
65 |
return |
69 |
return |
66 |
|
70 |
|
67 |
# change objectSID |
71 |
### change objectSID |
68 |
# objectSid modification for an AD object seems to be not possible: |
72 |
# objectSid modification for an AD object seems to be not possible: |
69 |
# http://serverfault.com/questions/53717/how-can-i-change-the-sid-of-a-user-account-in-the-active-directory |
73 |
# http://serverfault.com/questions/53717/how-can-i-change-the-sid-of-a-user-account-in-the-active-directory |
70 |
# http://technet.microsoft.com/en-us/library/cc961998.aspx |
74 |
# http://technet.microsoft.com/en-us/library/cc961998.aspx |
71 |
|
75 |
|
72 |
ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: The objectSid modification in S4 / AD is not allowed.') |
76 |
ud.debug(ud.LDAP, ud.INFO, 'sid_to_s4: changing objectSid from %s to %s' % (decoded_s4_sid, sambaSID[0]) ) |
73 |
#encoded_sambaSID = univention.s4connector.s4.encode_sid(sambaSID[0]) |
77 |
new_objectSid_ndr = ndr_pack(security.dom_sid(sambaSID[0])) |
74 |
#modlist.append((ldap.MOD_REPLACE, 'objectSid', encoded_sambaSID)) |
78 |
modlist.append((ldap.MOD_REPLACE, 'objectSid', new_objectSid_ndr)) |
75 |
#s4connector.lo_s4.lo.modify_ext_s(s4_dn, modlist) |
|
|
76 |
|
79 |
|
|
|
80 |
# objectSid modification for an Samba4 object is only possible with the "provision" control: |
81 |
LDB_CONTROL_PROVISION_OID = '1.3.6.1.4.1.7165.4.3.16' |
82 |
controls = [ LDAPControl(LDB_CONTROL_PROVISION_OID,criticality=0) ] |
83 |
s4connector.lo_s4.lo.modify_ext_s(s4_dn, modlist, serverctrls=controls) |
84 |
|
77 |
pass |
85 |
pass |
78 |
|
86 |
|
79 |
def sid_to_ucs(s4connector, key, s4_object): |
87 |
def sid_to_ucs(s4connector, key, s4_object): |