Attachment #5403 for bug #29486

View | Details | Raw Unified | Return to bug 29486
Collapse All | Expand All

Lines 34-39 Link Here

(-)conffiles/etc/univention/s4connector/s4/mapping.py (-3 / +17 lines)
34	import univention.s4connector.s4.mapping	34	import univention.s4connector.s4.mapping
35	import univention.s4connector.s4.password	35	import univention.s4connector.s4.password
36	import univention.s4connector.s4.sid_mapping	36	import univention.s4connector.s4.sid_mapping
		37	import univention.s4connector.s4.group_type
37	import univention.s4connector.s4.dns	38	import univention.s4connector.s4.dns
38	import univention.s4connector.s4.dc	39	import univention.s4connector.s4.dc
39	import univention.s4connector.s4.computer	40	import univention.s4connector.s4.computer
Lines 65-71 Link Here
65	'CN=BCKUPKEY_c490e871-a375-4b76-bd24-711e9e49fe5e Secret,CN=System,@%@connector/s4/ldap/base@%@',	66	'CN=BCKUPKEY_c490e871-a375-4b76-bd24-711e9e49fe5e Secret,CN=System,@%@connector/s4/ldap/base@%@',
66	'CN=BCKUPKEY_PREFERRED Secret,CN=System,@%@connector/s4/ldap/base@%@',	67	'CN=BCKUPKEY_PREFERRED Secret,CN=System,@%@connector/s4/ldap/base@%@',
67	'ou=Grp Policy Users,@%@connector/s4/ldap/base@%@',	68	'ou=Grp Policy Users,@%@connector/s4/ldap/base@%@',
68	'cn=Builtin,@%@connector/s4/ldap/base@%@',
69	'cn=ForeignSecurityPrincipals,@%@connector/s4/ldap/base@%@',	69	'cn=ForeignSecurityPrincipals,@%@connector/s4/ldap/base@%@',
70	'cn=Program Data,@%@connector/s4/ldap/base@%@',	70	'cn=Program Data,@%@connector/s4/ldap/base@%@',
71	'cn=Configuration,@%@connector/s4/ldap/base@%@',	71	'cn=Configuration,@%@connector/s4/ldap/base@%@',
Lines 279-288 Link Here
279		279
280	@!@	280	@!@
281	ignore_filter = ''	281	ignore_filter = ''
		282	if configRegistry.is_false('connector/s4/mapping/group/sync/localgroups', True):
		283	ignore_filter += '(sambaGroupType=5)(groupType=5)'
		284
282	for group in configRegistry.get('connector/s4/mapping/group/ignorelist', '').split(','):	285	for group in configRegistry.get('connector/s4/mapping/group/ignorelist', '').split(','):
283	if group:	286	if group:
284	ignore_filter += '(cn=%s)' % (group)	287	ignore_filter += '(cn=%s)' % (group)
285	print " ignore_filter='(\|(sambaGroupType=5)(groupType=5)%s)'," % ignore_filter	288	if ignore_filter:
		289	print " ignore_filter='(\|%s)'," % ignore_filter
286	@!@	290	@!@
287		291
288	ignore_subtree = global_ignore_subtree,	292	ignore_subtree = global_ignore_subtree,
Lines 329-336 Link Here
329	ldap_attribute='mailPrimaryAddress',	333	ldap_attribute='mailPrimaryAddress',
330	con_attribute='mail',	334	con_attribute='mail',
331	reverse_attribute_check = True,	335	reverse_attribute_check = True,
		336	),
		337	@!@
		338	if configRegistry.is_true('connector/s4/mapping/group/sync/localgroups', False):
		339	print '''
		340	'groupType': univention.s4connector.attribute (
		341	ucs_attribute='sambaGroupType',
		342	ldap_attribute='sambaGroupType',
		343	con_attribute='groupType',
		344	mapping=(univention.s4connector.s4.group_type.ucs_to_s4_mapping, univention.s4connector.s4.group_type.s4_to_ucs_mapping),
		345	compare_function=univention.s4connector.s4.group_type.compare,
332	),	346	),
333	@!@	347	'''
334	import univention.s4connector.s4.sid_mapping	348	import univention.s4connector.s4.sid_mapping
335	univention.s4connector.s4.sid_mapping.print_sid_mapping(configRegistry)	349	univention.s4connector.s4.sid_mapping.print_sid_mapping(configRegistry)
336	@!@	350	@!@




#!/usr/bin/python2.6
# -*- coding: utf-8 -*-
#
# Univention S4 Connector
#  groupType 
#
# Copyright 2013 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

import univention.debug2 as ud

S4_GROUP_GLOBAL="-2147483646"
S4_GROUP_LOCAL="-2147483644"
S4_GROUP_BUILTIN="-2147483643"
S4_GROUP_UNIVERSAL="-2147483640"

UCS_GROUP_DOMAIN='2'
UCS_GROUP_LOCAL='3'
UCS_GROUP_WELLL_KNOWN='5'

UCS_GROUPS = [ UCS_GROUP_DOMAIN, UCS_GROUP_LOCAL, UCS_GROUP_WELLL_KNOWN ]

GROUP_LIST_GLOBAL = [ S4_GROUP_GLOBAL, S4_GROUP_UNIVERSAL, UCS_GROUP_DOMAIN ]
GROUP_LIST_LOCAL = [ S4_GROUP_LOCAL, UCS_GROUP_LOCAL ]
GROUP_LIST_BUILTIN = [ S4_GROUP_BUILTIN, UCS_GROUP_WELLL_KNOWN ]

def _is_list(val):
	return isinstance(val, list)

def compare(group_type1, group_type2):
	if _is_list(group_type1):
		group_type1 = group_type1[0]
	if _is_list(group_type2):
		group_type2 = group_type2[0]

	if group_type1 in GROUP_LIST_GLOBAL and group_type2 in GROUP_LIST_GLOBAL:
		return True
	if group_type1 in  GROUP_LIST_LOCAL and group_type2 in GROUP_LIST_LOCAL:
		return True
	if group_type1 in GROUP_LIST_BUILTIN and group_type2 in GROUP_LIST_BUILTIN:
		return True

	return False

def s4_to_ucs_mapping(s4connector, key, s4_object):
	ud.debug(ud.LDAP, ud.INFO, 'group_type: s4_to_ucs_mapping')

	# check if the UCS object already exists and don't change the
	# group type in this case
	ucs_object = s4connector.get_ucs_ldap_object(s4_object['dn'])
	if ucs_object:
		ud.debug(ud.LDAP, ud.INFO, 'group_type: object exists already, use the old sambaGroupType')
		return ucs_object.get('sambaGroupType')

	group_type = s4_object['attributes']['groupType'][0]
	ud.debug(ud.LDAP, ud.INFO, 'group_type: sid type: %s' % group_type)

	if group_type in [S4_GROUP_GLOBAL, S4_GROUP_UNIVERSAL]:
		return [UCS_GROUP_DOMAIN]
	if group_type == S4_GROUP_LOCAL:
		return [UCS_GROUP_LOCAL]
	if group_type == S4_GROUP_BUILTIN:
		return [UCS_GROUP_WELLL_KNOWN]

	# Use the default
	return [UCS_GROUP_DOMAIN]

def ucs_to_s4_mapping(s4connector, key, ucs_object):
	ud.debug(ud.LDAP, ud.INFO, 'group_type: ucs_to_s4_mapping')

	group_type = ucs_object['attributes'].get('sambaGroupType', [])[0]
	ud.debug(ud.LDAP, ud.INFO, 'group_type: ucs type: %s' % group_type)

	# It is not possible to create a local or builtin group
	return [S4_GROUP_GLOBAL]

	#if group_type == UCS_GROUP_DOMAIN:
	#	return [S4_GROUP_GLOBAL]
	#if group_type == UCS_GROUP_LOCAL:
	#	return [S4_GROUP_LOCAL]
	#if group_type == UCS_GROUP_WELLL_KNOWN:
	#	return [S4_GROUP_BUILTIN]
	#
	#return [S4_GROUP_GLOBAL]

Lines 195-197 Link Here

(-)debian/univention-s4-connector.univention-config-registry-variables (+6 lines)
195	Description[en]=A static list mapping of group names in UCS LDAP to group names in the Samba 4 user directory. Group names in UCS LDAP are always in English. The mapping "connector/s4/mapping/group/table/'Domain Users'=Domänen-Benutzer" e.g. advises the S4 Connector to synchronise a group object called "Domain Users" in UCS-LDAP with a group object called "Domänen-Benutzer" in the Samba 4 user directory. This variable is used internally by UCS tools and should not be adapted manually.	195	Description[en]=A static list mapping of group names in UCS LDAP to group names in the Samba 4 user directory. Group names in UCS LDAP are always in English. The mapping "connector/s4/mapping/group/table/'Domain Users'=Domänen-Benutzer" e.g. advises the S4 Connector to synchronise a group object called "Domain Users" in UCS-LDAP with a group object called "Domänen-Benutzer" in the Samba 4 user directory. This variable is used internally by UCS tools and should not be adapted manually.
196	Type=str	196	Type=str
197	Categories=service-s4con	197	Categories=service-s4con
		198
		199	[connector/s4/mapping/group/sync/localgroups]
		200	Description[de]=Ist diese Variable aktiviert, werden auch lokale Gruppen synchronisiert. Vor der Aktivierung sollten die Gruppenmitglieder der lokalen Gruppen manuell abgeglichen werden, weitere Details sind in den UCS 3.2 Release Notes zu finden. Ab UCS 3.2 ist die Synchronisiation dieser Gruppen per Default aktiviert.
		201	Description[en]=If this variable is activated local groups will be synchronized as well. The group members should be harmonized manually before activating this setting, for more details see UCS 3.2 release notes. Since UCS 3.2 the local group synchronization is activated by default.
		202	Type=bool
		203	Categories=service-s4con

Lines 58-64 Link Here

(-)debian/changelog (-2 / +2 lines)
58		58
59	univention-s4-connector (8.0.3-1) unstable; urgency=low	59	univention-s4-connector (8.0.3-1) unstable; urgency=low
60		60
61	* Use again two searches for the change list but a faster comparsion.	61	* Use again two searches for the change list but a faster comparison.
62	The order is important first the created objects are needed	62	The order is important first the created objects are needed
63	otherwise the child object is added before the parent object. An	63	otherwise the child object is added before the parent object. An
64	alternative would be to sort the one search result by the dn length	64	alternative would be to sort the one search result by the dn length
Lines 75-81 Link Here
75	univention-s4-connector (8.0.2-1) unstable; urgency=low	75	univention-s4-connector (8.0.2-1) unstable; urgency=low
76		76
77	* Search for uSNCreated and uSNChanged in one search to prevent a slow	77	* Search for uSNCreated and uSNChanged in one search to prevent a slow
78	list comparsion (Bug #32213)	78	list comparison (Bug #32213)
79		79
80	-- Stefan Gohmann <gohmann@univention.de> Mon, 12 Aug 2013 07:41:23 +0200	80	-- Stefan Gohmann <gohmann@univention.de> Mon, 12 Aug 2013 07:41:23 +0200
81		81

Lines 38-43 Link Here

(-)debian/univention-s4-connector.postinst (-1 / +9 lines)
38		38
39	#DEBHELPER#	39	#DEBHELPER#
40		40
		41	if [ "$1" = "configure" -a -n "$2" ] && dpkg --compare-versions "$2" lt 8.0.0-1; then
		42	ucr set connector/s4/mapping/group/sync/localgroups?false
		43	fi
		44
41	univention-config-registry set connector/s4/listener/dir?/var/lib/univention-connector/s4 \	45	univention-config-registry set connector/s4/listener/dir?/var/lib/univention-connector/s4 \
42	connector/s4/poll/sleep?5 \	46	connector/s4/poll/sleep?5 \
43	connector/s4/retryrejected?10 \	47	connector/s4/retryrejected?10 \
Lines 49-58 Link Here
49	connector/s4/mapping/syncmode?sync \	53	connector/s4/mapping/syncmode?sync \
50	connector/s4/mapping/sid?true \	54	connector/s4/mapping/sid?true \
51	connector/s4/mapping/gpo?true \	55	connector/s4/mapping/gpo?true \
		56	connector/s4/mapping/group/sync/localgroups?true \
52	connector/s4/mapping/user/ignorelist?"root,pcpatch,ucs-s4sync" \	57	connector/s4/mapping/user/ignorelist?"root,pcpatch,ucs-s4sync" \
53	connector/s4/mapping/group/ignorelist?"Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers" \	58	connector/s4/mapping/group/ignorelist?"Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers" \
54	connector/s4/mapping/container/ignorelist?"mail,kerberos,MicrosoftDNS" \	59	connector/s4/mapping/container/ignorelist?"mail,kerberos,MicrosoftDNS" \
55	connector/s4/mapping/dns/ignorelist?"DC=_ldap._tcp.Default-First-Site-Name._site"	60	connector/s4/mapping/dns/ignorelist?"DC=_ldap._tcp.Default-First-Site-Name._site" \
		61	connector/s4/mapping/group/table/Printer-Admins?"Print Operators" \
		62	connector/s4/mapping/group/table/Replicators?"Replicator" \
		63	"connector/s4/mapping/group/table/System Operators?Server Operators"
56		64
57	if [ ! -d /var/lib/univention-connector/s4 ]; then	65	if [ ! -d /var/lib/univention-connector/s4 ]; then
58	mkdir -p /var/lib/univention-connector/s4	66	mkdir -p /var/lib/univention-connector/s4

Return to bug 29486

Line 0 Link Here

(-)modules/univention/s4connector/s4/group_type.py (+108 lines)
		1	#!/usr/bin/python2.6
		2	# -- coding: utf-8 --
		3	#
		4	# Univention S4 Connector
		5	# groupType
		6	#
		7	# Copyright 2013 Univention GmbH
		8	#
		9	# http://www.univention.de/
		10	#
		11	# All rights reserved.
		12	#
		13	# The source code of this program is made available
		14	# under the terms of the GNU Affero General Public License version 3
		15	# (GNU AGPL V3) as published by the Free Software Foundation.
		16	#
		17	# Binary versions of this program provided by Univention to you as
		18	# well as other copyrighted, protected or trademarked materials like
		19	# Logos, graphics, fonts, specific documentations and configurations,
		20	# cryptographic keys etc. are subject to a license agreement between
		21	# you and Univention and not subject to the GNU AGPL V3.
		22	#
		23	# In the case you use this program under the terms of the GNU AGPL V3,
		24	# the program is provided in the hope that it will be useful,
		25	# but WITHOUT ANY WARRANTY; without even the implied warranty of
		26	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		27	# GNU Affero General Public License for more details.
		28	#
		29	# You should have received a copy of the GNU Affero General Public
		30	# License with the Debian GNU/Linux or Univention distribution in file
		31	# /usr/share/common-licenses/AGPL-3; if not, see
		32	# <http://www.gnu.org/licenses/>.
		33
		34	import univention.debug2 as ud
		35
		36	S4_GROUP_GLOBAL="-2147483646"
		37	S4_GROUP_LOCAL="-2147483644"
		38	S4_GROUP_BUILTIN="-2147483643"
		39	S4_GROUP_UNIVERSAL="-2147483640"
		40
		41	UCS_GROUP_DOMAIN='2'
		42	UCS_GROUP_LOCAL='3'
		43	UCS_GROUP_WELLL_KNOWN='5'
		44
		45	UCS_GROUPS = [ UCS_GROUP_DOMAIN, UCS_GROUP_LOCAL, UCS_GROUP_WELLL_KNOWN ]
		46
		47	GROUP_LIST_GLOBAL = [ S4_GROUP_GLOBAL, S4_GROUP_UNIVERSAL, UCS_GROUP_DOMAIN ]
		48	GROUP_LIST_LOCAL = [ S4_GROUP_LOCAL, UCS_GROUP_LOCAL ]
		49	GROUP_LIST_BUILTIN = [ S4_GROUP_BUILTIN, UCS_GROUP_WELLL_KNOWN ]
		50
		51	def _is_list(val):
		52	return isinstance(val, list)
		53
		54	def compare(group_type1, group_type2):
		55	if _is_list(group_type1):
		56	group_type1 = group_type1[0]
		57	if _is_list(group_type2):
		58	group_type2 = group_type2[0]
		59
		60	if group_type1 in GROUP_LIST_GLOBAL and group_type2 in GROUP_LIST_GLOBAL:
		61	return True
		62	if group_type1 in GROUP_LIST_LOCAL and group_type2 in GROUP_LIST_LOCAL:
		63	return True
		64	if group_type1 in GROUP_LIST_BUILTIN and group_type2 in GROUP_LIST_BUILTIN:
65	return True
66
67	return False
68
69	def s4_to_ucs_mapping(s4connector, key, s4_object):
70	ud.debug(ud.LDAP, ud.INFO, 'group_type: s4_to_ucs_mapping')
71
72	# check if the UCS object already exists and don't change the
73	# group type in this case
74	ucs_object = s4connector.get_ucs_ldap_object(s4_object['dn'])
75	if ucs_object:
76	ud.debug(ud.LDAP, ud.INFO, 'group_type: object exists already, use the old sambaGroupType')
77	return ucs_object.get('sambaGroupType')
78
79	group_type = s4_object['attributes']['groupType'][0]
80	ud.debug(ud.LDAP, ud.INFO, 'group_type: sid type: %s' % group_type)
81
82	if group_type in [S4_GROUP_GLOBAL, S4_GROUP_UNIVERSAL]:
83	return [UCS_GROUP_DOMAIN]
84	if group_type == S4_GROUP_LOCAL:
85	return [UCS_GROUP_LOCAL]
86	if group_type == S4_GROUP_BUILTIN:
87	return [UCS_GROUP_WELLL_KNOWN]
88
89	# Use the default
90	return [UCS_GROUP_DOMAIN]
91
92	def ucs_to_s4_mapping(s4connector, key, ucs_object):
93	ud.debug(ud.LDAP, ud.INFO, 'group_type: ucs_to_s4_mapping')
94
95	group_type = ucs_object['attributes'].get('sambaGroupType', [])[0]
96	ud.debug(ud.LDAP, ud.INFO, 'group_type: ucs type: %s' % group_type)
97
98	# It is not possible to create a local or builtin group
99	return [S4_GROUP_GLOBAL]
100
101	#if group_type == UCS_GROUP_DOMAIN:
102	# return [S4_GROUP_GLOBAL]
103	#if group_type == UCS_GROUP_LOCAL:
104	# return [S4_GROUP_LOCAL]
105	#if group_type == UCS_GROUP_WELLL_KNOWN:
106	# return [S4_GROUP_BUILTIN]
107	#
108	#return [S4_GROUP_GLOBAL]