
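--- a/management/univention-admingrp-user-passwordreset/conffiles/etc/ldap/slapd.conf.d/65admingrp-user-passwordreset
+++ b/management/univention-admingrp-user-passwordreset/conffiles/etc/ldap/slapd.conf.d/65admingrp-user-passwordreset
@@ -22,6 +22,17 @@ for key in configRegistry.keys():
 		grouplist.append(configRegistry.get(key))
 
 userfilter = '(&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=univentionMail)(objectClass=sambaSamAccount)(objectClass=simpleSecurityObject)(&(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)))(!(uidNumber=0))(!(|%s)))' % uidexcludestr
+userfilter_lines = []
+i = 0
+n = 1024
+while i < len(userfilter):
+    try:
+        j = userfilter[i:i+n].rindex(')')
+    except:
+        j = n
+    userfilter_lines.append(userfilter[i:i+j+1])
+    i = i + j + 1
+userfilter = "\n    ".join(userfilter_lines)
 
 attr_fallback = 'krb5Key,userPassword,sambaPwdCanChange,sambaPwdMustChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,pwhistory,sambaPasswordHistory,krb5KDCFlags,krb5KeyVersionNumber,krb5PasswordEnd,shadowMax,shadowLastChange'
 attrlist = configRegistry.get('ldap/acl/user/passwordreset/attributes', attr_fallback)
@@ -30,7 +41,8 @@ nestedgroups = configRegistry.is_true('ldap/acl/nestedgroups', False)
 
 if grouplist:
 	print('# helpdesk access: grant access to specified groups for password reset')
-	print('access to dn.sub="%(ldap/base)s" filter="%(userfilter)s" attrs="%(attributelist)s"' % {'ldap/base': configRegistry.get('ldap/base'), 'userfilter': userfilter, 'attributelist': attrlist})
+	print('access to dn.sub="%(ldap/base)s" filter="%(userfilter)s"' % {'ldap/base': configRegistry.get('ldap/base'), 'userfilter': userfilter})
+	print('    attrs="%(attributelist)s"' % {'attributelist': attrlist})
 	for dn in grouplist:
 		if nestedgroups:
 			print('    by set="user & [%s]/uniqueMember*" %s' % (dn, access))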
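Review bot: The fallback `except:` / `j = n` in the new splitting loop cuts the filter at an arbitrary character whenever a 1024-character window contains no `)`. The `"\n    "` join then puts the continuation break inside an attribute name or value, and that chunk, `userfilter[i:i+j+1]`, is n+1 characters long rather than n. This filter carries the `(!(uidNumber=0))` and `uidexcludestr` exclusions of the password-reset ACL, so a mid-token split should fail loudly rather than risk emitting a filter that slapd rejects or, presumably worse, evaluates differently for the excluded accounts. I would narrow the handler to `except ValueError:` (the only thing `rindex` raises here) and replace `j = n` with `raise ValueError('cannot wrap userfilter at a ")" boundary')`, so the bare `except:` no longer masks unrelated errors. As a style point, the added loop is indented with spaces while the surrounding template lines use tabs; keeping to tabs avoids mixed indentation in one template.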
