|
1 |
@!@ |
1 |
@!@ |
2 |
from univention.lib.misc import custom_username, custom_groupname |
2 |
from univention.lib.misc import custom_username, custom_groupname |
|
|
3 |
import ldap |
4 |
|
5 |
def print_checked_base(confpart): |
6 |
if not ldap.dn.is_dn(configRegistry['ldap/base']): |
7 |
import sys |
8 |
errmsg = '#Error: ucr key ‘ldap/base’ is not a valid dn!' |
9 |
print >>sys.stderr, errmsg |
10 |
print errmsg |
11 |
print '#', # quote the following template line |
12 |
print confpart |
3 |
|
13 |
|
4 |
ldap_base = configRegistry['ldap/base'] |
14 |
ldap_base = configRegistry['ldap/base'] |
5 |
ldap_port = configRegistry['slapd/port'] |
15 |
ldap_port = configRegistry['slapd/port'] |
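Review bot: The error branch of `print_checked_base` (new lines 6-12) turns an invalid `ldap/base` into a fail-open configuration rather than a fail-closed one: it comments out only the checked line, but as I read slapd.conf(5) a line that starts with whitespace continues the previous line even when that line is a comment, so the unchecked `by self` / `by * +0 break` lines that follow a commented `access to dn="uid=…,cn=users,…"` in the later hunks are absorbed into the comment and the whole directive silently disappears, leaving access to those entries to whatever ACLs follow. A broken base DN is a misconfiguration the ACL template should refuse to render — after the stderr message I would `raise ValueError(errmsg)` (or `sys.exit(1)`) instead of emitting a quoted line, or at minimum print an unconditional `access to * by * none` so the generated file can never be more permissive than the intended one. The `ldap.dn.is_dn()` call and the stderr message are also repeated at every one of the many call sites; compute `ldap_base_valid = ldap.dn.is_dn(ldap_base)` once next to `ldap_base` and test that instead. Note that `users_default_administrator` and `groups_default_domainadmins` are interpolated unescaped into the same `dn.base=` / `group/…` specifiers and get no validation here, so the helper does not cover every configurable piece of those lines; the `@!@` Python block this function lives in starts at line 1 and continues beyond this hunk.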
Lines 10-16
users_default_administrator = custom_username('Administrator')
10 |
|
20 |
|
11 |
print 'authz-regexp' |
21 |
print 'authz-regexp' |
12 |
print ' uid=([^,]*),cn=(gssapi|saml),cn=auth' |
22 |
print ' uid=([^,]*),cn=(gssapi|saml),cn=auth' |
13 |
print ' ldap:///%s??sub?uid=$1' % (ldap_base,) |
23 |
print_checked_base(' ldap:///%s??sub?uid=$1' % (ldap_base,)) |
14 |
print |
24 |
print |
15 |
|
25 |
|
16 |
print 'access to attrs=uid value=root by * none stop' |
26 |
print 'access to attrs=uid value=root by * none stop' |
Lines 20-26
print ' by anonymous auth'
20 |
print ' by * none break' |
30 |
print ' by * none break' |
21 |
print '' |
31 |
print '' |
22 |
|
32 |
|
23 |
print 'access to dn="cn=admin,%s"' % (ldap_base) |
33 |
print_checked_base('access to dn="cn=admin,%s"' % (ldap_base)) |
24 |
print ' by self %s' % (usr) |
34 |
print ' by self %s' % (usr) |
25 |
print ' by * none' |
35 |
print ' by * none' |
26 |
print '' |
36 |
print '' |
|
28 |
print 'access to *' |
38 |
print 'access to *' |
29 |
print ' by sockname="PATH=/var/run/slapd/ldapi" %s' % (usr) |
39 |
print ' by sockname="PATH=/var/run/slapd/ldapi" %s' % (usr) |
30 |
if configRegistry['ldap/server/type'] == "slave": |
40 |
if configRegistry['ldap/server/type'] == "slave": |
31 |
print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr) |
41 |
print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)) |
32 |
print ' by dn.base="uid=%s,cn=users,%s" %s' % (users_default_administrator, ldap_base, usr) |
42 |
print_checked_base(' by dn.base="uid=%s,cn=users,%s" %s' % (users_default_administrator, ldap_base, usr)) |
33 |
print ' by * none break' |
43 |
print ' by * none break' |
34 |
print '' |
44 |
print '' |
35 |
|
45 |
|
36 |
print 'access to dn="uid=%s,cn=users,%s"' % (users_default_administrator, ldap_base) |
46 |
print_checked_base('access to dn="uid=%s,cn=users,%s"' % (users_default_administrator, ldap_base)) |
37 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr) |
47 |
print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)) |
38 |
if configRegistry['ldap/server/type'] == "slave": |
48 |
if configRegistry['ldap/server/type'] == "slave": |
39 |
print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr) |
49 |
print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)) |
40 |
print ' by self %s' % (usr) |
50 |
print ' by self %s' % (usr) |
41 |
print ' by * +0 break' |
51 |
print ' by * +0 break' |
42 |
print '' |
52 |
print '' |
43 |
|
53 |
|
44 |
print 'access to dn="uid=join-backup,cn=users,%s"' % (ldap_base) |
54 |
print_checked_base('access to dn="uid=join-backup,cn=users,%s"' % (ldap_base)) |
45 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr) |
55 |
print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)) |
46 |
if configRegistry['ldap/server/type'] == "slave": |
56 |
if configRegistry['ldap/server/type'] == "slave": |
47 |
print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr) |
57 |
print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)) |
48 |
print ' by self %s' % (usr) |
58 |
print ' by self %s' % (usr) |
49 |
print ' by * +0 break' |
59 |
print ' by * +0 break' |
50 |
print '' |
60 |
print '' |
51 |
|
61 |
|
52 |
print 'access to dn="uid=join-slave,cn=users,%s"' % (ldap_base) |
62 |
print_checked_base('access to dn="uid=join-slave,cn=users,%s"' % (ldap_base)) |
53 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr) |
63 |
print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)) |
54 |
if configRegistry['ldap/server/type'] == "slave": |
64 |
if configRegistry['ldap/server/type'] == "slave": |
55 |
print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr) |
65 |
print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)) |
56 |
print ' by self %s' % (usr) |
66 |
print ' by self %s' % (usr) |
57 |
print ' by * +0 break' |
67 |
print ' by * +0 break' |
58 |
print '' |
68 |
print '' |
59 |
|
69 |
|
60 |
print 'access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid' |
70 |
print 'access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid' |
61 |
print ' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr) |
71 |
print_checked_base(' by group/univentionGroup/uniqueMember="cn=%s,cn=groups,%s" %s' % (groups_default_domainadmins, ldap_base, usr)) |
62 |
if configRegistry['ldap/server/type'] == "slave": |
72 |
if configRegistry['ldap/server/type'] == "slave": |
63 |
print ' by dn.base="cn=admin,%s" %s' % (ldap_base, usr) |
73 |
print_checked_base(' by dn.base="cn=admin,%s" %s' % (ldap_base, usr)) |
64 |
print ' by * +0 break' |
74 |
print ' by * +0 break' |
65 |
print '' |
75 |
print '' |
66 |
|
76 |
|