Univention Bugzilla – Attachment 8182 Details for
Bug 41231
Add config option for currently hardcoded german LDAP objects/directories/...
[patch]
completely *untested* patch of all modifications
41231_hardcoded_german_names.patch (text/plain), 251.42 KB, created by
Daniel Tröder
on 2016-11-02 17:08:33 CET
>Index: doc/manual/import-hooks-de.xml >=================================================================== >--- doc/manual/import-hooks-de.xml (Revision 74005) >+++ doc/manual/import-hooks-de.xml (Arbeitskopie) >@@ -116,12 +116,20 @@ > zugeordnet wird. > </para> > <para> >- Ãber drei weitere &ucsUCR;-Variablen kann das Verhalten des Hooks gesteuert >+ Ãber vier weitere &ucsUCR;-Variablen kann das Verhalten des Hooks gesteuert > werden: > </para> > <itemizedlist> > <listitem> > <para> >+ <command>ucsschool/import/generate/share/marktplatz/name</command> >+ </para> >+ <para> >+ Diese Variable definiert den Namen der Freigabe. Der Standard ist <literal>Marktplatz</literal>. >+ </para> >+ </listitem> >+ <listitem> >+ <para> > <command>ucsschool/import/generate/share/marktplatz/sharepath</command> > </para> > <para> >Index: doc/manual/performance-de.xml >=================================================================== >--- doc/manual/performance-de.xml (Revision 74005) >+++ doc/manual/performance-de.xml (Arbeitskopie) >@@ -93,6 +93,10 @@ > </simpara> > </listitem> > </itemizedlist> >+ <note> >+ Der Teil des Gruppennamens der hier <Edukativnetz> ist, kann seit &ucsUAS;-Version 4.1 R2 v7 >+ verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>. >+ </note> > </para> > </section> > >Index: doc/manual/setup-school-generic-de.xml >=================================================================== >--- doc/manual/setup-school-generic-de.xml (Revision 74005) >+++ doc/manual/setup-school-generic-de.xml (Arbeitskopie) 
>@@ -39,14 +39,13 @@ > Zugriffsrechte gesetzt werden. Dabei kann der Zugriff für einzelne Benutzer oder ganze Gruppen > erlaubt bzw. gesperrt werden. Um den Schülern den Zugriff auf die physikalischen Drucker zu > verbieten, muss an den Druckerfreigaben für diese Drucker der Zugriff durch Benutzer der >- OU-spezifischen Gruppe >- <systemitem class="groupname">schueler- >- <replaceable>OU</replaceable> >- </systemitem> >- > (z.B. <systemitem class="groupname">schueler-gsmitte</systemitem>) >- verboten werden. Für den PDF-Drucker <systemitem class="resource">PDFDrucker</systemitem> sollten keine >- Einschränkungen >- gemacht werden. >+ OU-spezifischen Gruppe <systemitem class="groupname">schueler-<replaceable>OU</replaceable></systemitem> >+ (z.B. <systemitem class="groupname">schueler-gsmitte</systemitem>) verboten werden. Für den PDF-Drucker >+ <systemitem class="resource">PDFDrucker</systemitem> sollten keine Einschränkungen gemacht werden. >+ <note> >+ Der Teil des Gruppennamens der hier <schueler-> ist, kann seit &ucsUAS;-Version 4.1 R2 v7 verändert >+ werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>. >+ </note> > </para> > <para> > Schüler haben damit nur noch die Möglichkeit Druckaufträge an den >@@ -228,6 +227,9 @@ > Anlegen einer OU kann durch das Setzen der &ucsUCRV; > <envar>ucsschool/import/generate/marktplatz</envar> auf den > Wert <literal>no</literal> verhindert werden. >+ <note> >+ Weiterführnde Informationen zur <emphasis>Marktplatz</emphasis>-Freigabe finden sich unter <xref linkend="import:marketplace"/>. >+ </note> > </para> > <para> > Diese Freigaben müssen zwingend auf dem Schulserver bereitgestellt 
>@@ -280,6 +282,10 @@ > Die Freigabe erlaubt der Gruppe <systemitem class="resource">lehrer-<OU></systemitem> den > administrativen > Zugriff auf das Basisverzeichnis <filename class="directory">/home/<OU>/schueler</filename>. >+ <note> >+ Der Teil des Gruppennamens der hier <schueler-> bzw.<lehrer-> ist, kann seit >+ &ucsUAS;-Version 4.1 R2 v7 verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>. >+ </note> > </para> > <para> > Per Voreinstellung wird der Lehrergruppe Lesezugriff gewährt. 
>@@ -310,23 +316,23 @@ > Option zu Schuladministratoren umgewandelt werden. > <itemizedlist> > <listitem> >- <simpara> >+ <para> > Die zusätzliche Gruppenmitgliedschaft muss manuell über das &ucsUMC;-Modul >- <guimenu>Benutzer</guimenu> >- auf dem &ucsMaster; hinzugefügt werden. Auf dem Reiter >- <guimenu>Gruppen</guimenu> >- muss das Benutzerkonto in die Gruppe >+ <guimenu>Benutzer</guimenu> auf dem &ucsMaster; hinzugefügt werden. Auf dem Reiter >+ <guimenu>Gruppen</guimenu> muss das Benutzerkonto in die Gruppe > <systemitem class="groupname"><replaceable>admins-OU</replaceable></systemitem> > (für die OU <wordasword>gym17</wordasword> ist dies die Gruppe > <systemitem class="groupname">admins-gym17</systemitem>) aufgenommen werden. >- </simpara> >+ <note> >+ Der Teil des Gruppennamens der hier <admins-> ist, kann seit &ucsUAS;-Version 4.1 R2 v7 >+ verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>. >+ </note> >+ </para> > </listitem> > <listitem> > <simpara> > Im &ucsUMC;-Modul <guimenu>Benutzer</guimenu> muss auÃerdem im Reiter >- <guimenu>Optionen</guimenu> >- die Option >- <option>UCS@school-Administrator</option> >+ <guimenu>Optionen</guimenu> die Option <option>UCS@school-Administrator</option> > eingeschaltet werden. > </simpara> > </listitem> >Index: doc/manual/structure-de.xml >=================================================================== >--- doc/manual/structure-de.xml (Revision 74005) >+++ doc/manual/structure-de.xml (Arbeitskopie) 
>@@ -329,6 +329,84 @@ > </note> > </section> > >+ <section id="structure:ldap:container_names"> >+ <title>Gruppen-, Verzeichnis- und Containernamen</title> >+ <para> >+ Seit &ucsUAS;-Version 4.1 R2 v7 können mit Hilfe von UCR-Variablen Teile der Gruppen-, Verzeichnis- und Containernamen >+ <emphasis>vor der Installation der &ucsUAS;-App</emphasis> bestimmt werden. >+ </para> >+ <para> >+ Beispielsweise wird die Gruppe <systemitem class="groupname">Member-Edukativnetz</systemitem> durch Setzen >+ der UCR-Variablen <envar>ucsschool/ldap/default/groupname/all-educational-member=Membre-Enseignement</envar> >+ mit dem Namen <systemitem class="groupname">Membre-Enseignement</systemitem> angelegt. >+ </para> >+ <para> >+ Sollen zum Beispiel die Benutzerkonten von Schülern nicht im Container >+ <uri>cn=schueler,cn=groups,ou=gymmitte,dc=example,dc=com</uri> gespeichert werden, sondern unter >+ <uri>cn=ecolier,cn=groups,ou=gymmitte,dc=example,dc=com</uri>, muss >+ <envar>ucsschool/ldap/default/container/pupils=ecolier</envar> gesetzt werden. >+ </para> >+ <para> >+ Die Bedeutung der aller UCR-Variablen können Sie durch das Lesen der Hilfetexte zu den UCR-Variablen erfahren >+ (siehe <biblioref linkend="ucs-handbuch"/>). >+ </para> >+ <para> >+ <simpara> >+ Die folgenden Teile von Containernamen (z.B. 
in <uri>cn=admins,cn=groups,ou=gymmitte,dc=example,dc=com</uri>) können gesetzt werden: >+ </simpara> >+ <itemizedlist> >+ <listitem><simpara>admins: <envar>ucsschool/ldap/default/container/admins</envar></simpara></listitem> >+ <listitem><simpara>schueler: <envar>ucsschool/ldap/default/container/pupils</envar></simpara></listitem> >+ <listitem><simpara>mitarbeiter: <envar>ucsschool/ldap/default/container/staff</envar></simpara></listitem> >+ <listitem><simpara>lehrer und mitarbeiter: <envar>ucsschool/ldap/default/container/teachers-and-staff</envar></simpara></listitem> >+ <listitem><simpara>lehrer: <envar>ucsschool/ldap/default/container/teachers</envar></simpara></listitem> >+ <listitem><simpara>klassen: <envar>ucsschool/ldap/default/container/class</envar></simpara></listitem> >+ <listitem><simpara>raeume: <envar>ucsschool/ldap/default/container/rooms</envar></simpara></listitem> >+ <listitem><simpara>examusers: <envar>ucsschool/ldap/default/container/exam</envar></simpara></listitem> >+ </itemizedlist> >+ </para> >+ <para> >+ <simpara> >+ Die folgenden Präfixe von Gruppennamen (z.B. in <systemitem class="groupname">schueler-gymmitte</systemitem>) können gesetzt werden: >+ </simpara> >+ <itemizedlist> >+ <listitem><simpara>schueler-: <envar>ucsschool/ldap/default/groupprefix/pupils</envar></simpara></listitem> >+ <listitem><simpara>lehrer-: <envar>ucsschool/ldap/default/groupprefix/teachers</envar></simpara></listitem> >+ <listitem><simpara>admins-: <envar>ucsschool/ldap/default/groupprefix/admins</envar></simpara></listitem> >+ <listitem><simpara>mitarbeiter-: <envar>ucsschool/ldap/default/groupprefix/staff</envar></simpara></listitem> >+ </itemizedlist> >+ <simpara> >+ Die folgenden Gruppennamen können per UCR gesetzt werden. Bei Namen die <replaceable>%(ou)s</replaceable> enthalten >+ wird dieses vom System durch das jeweilige Schulkürzel ersetzt (z.B. <uri>gymmitte</uri> in >+ <systemitem class="groupname">OUgymmitte-DC-Edukativnetz</systemitem>). 
>+ </simpara> >+ <itemizedlist> >+ <listitem><simpara>DC-Edukativnetz: <envar>ucsschool/ldap/default/groupname/all-educational-dc</envar></simpara></listitem> >+ <listitem><simpara>Member-Edukativnetz: <envar>ucsschool/ldap/default/groupname/all-educational-member</envar></simpara></listitem> >+ <listitem><simpara>DC-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/all-administrativ-dc</envar></simpara></listitem> >+ <listitem><simpara>Member-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/all-administrativ-member</envar></simpara></listitem> >+ <listitem><simpara>OU%(ou)s-DC-Edukativnetz: <envar>ucsschool/ldap/default/groupname/ou-educational-dc</envar></simpara></listitem> >+ <listitem><simpara>OU%(ou)s-Member-Edukativnetz: <envar>ucsschool/ldap/default/groupname/ou-educational-member</envar></simpara></listitem> >+ <listitem><simpara>OU%(ou)s-DC-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/ou-administrativ-dc</envar></simpara></listitem> >+ <listitem><simpara>OU%(ou)s-Member-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/ou-administrativ-member</envar></simpara></listitem> >+ <listitem><simpara>OU%(ou)s-Klassenarbeit: <envar>ucsschool/ldap/default/groupname/exam</envar></simpara></listitem> >+ </itemizedlist> >+ <simpara> >+ Die folgenden Verzeichnisnamen können per UCR gesetzt werden (z.B. 
<envar>klassen</envar> in <filename class="directory">/home/groups/klassen/3b</filename>): >+ </simpara> >+ <itemizedlist> >+ <listitem><simpara>klassen: <envar>ucsschool/ldap/default/share/class</envar></simpara></listitem> >+ <listitem><simpara>schueler: <envar>ucsschool/ldap/default/share/pupils</envar></simpara></listitem> >+ <listitem><simpara>lehrer: <envar>ucsschool/ldap/default/share/teachers</envar></simpara></listitem> >+ <listitem><simpara>Unterrichtsmaterial: <envar>ucsschool/datadistribution/datadir/sender</envar></simpara></listitem> >+ <listitem><simpara>Unterrichtsmaterial: <envar>ucsschool/datadistribution/datadir/recipient</envar></simpara></listitem> >+ <listitem><simpara>Klassenarbeiten: <envar>ucsschool/ldap/default/share/exams</envar></simpara></listitem> >+ <listitem><simpara>schueler, lehrer, mitarbeiter: <envar>ucsschool/import/roleshare/.*/path</envar></simpara></listitem> >+ <listitem><simpara>Marktplatz: <envar>ucsschool/import/generate/share/marktplatz/name</envar></simpara></listitem> >+ </itemizedlist> >+ </para> >+ </section> >+ > <section id="structure:ldap:global"> > <title>Weitere &ucsUAS;-Objekte</title> > <para> >Index: ucs-school-import/debian/ucs-school-import.univention-config-registry-variables >=================================================================== >--- ucs-school-import/debian/ucs-school-import.univention-config-registry-variables (Revision 74005) >+++ ucs-school-import/debian/ucs-school-import.univention-config-registry-variables (Arbeitskopie) 
>@@ -4,54 +4,150 @@ > Type=str > Categories=ucsschool-base > >+[ucsschool/ldap/default/container/admins] >+Description[de]=Standard-Container-Name für Administratoren. Standard ist "admins". >+Description[en]=Default container name for administrators. Default is "admins". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/container/class] >+Description[de]=Standard-Container-Name für Schulklassen. Standard ist "klassen". >+Description[en]=Default container name for school classes. Default is "klassen". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/container/exam] >+Description[de]=Standard-Container-Name für Schüler in einer Prüfung. Standard ist "examusers". >+Description[en]=Default container name name for pupils writing exams. Default is "examusers". >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/ldap/default/container/pupils] >-Description[de]=Standard-Container für Schüler >-Description[en]=Default container for pupils >+Description[de]=Standard-Container-Name für Schüler. Standard ist "schueler". >+Description[en]=Default container name for pupils. Default is "schueler". > Type=str > Categories=ucsschool-base > >+[ucsschool/ldap/default/container/rooms] >+Description[de]=Standard-Container-Name für Klassenräume. Standard ist "raeume". >+Description[en]=Default container name for class rooms. Default is "raeume". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/container/staff] >+Description[de]=Standard-Container-Name für Mitarbeiter. Standard ist "mitarbeiter". >+Description[en]=Default container name for staff members. Default is "mitarbeiter". >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/ldap/default/container/teachers] >-Description[de]=Standard-Container für Lehrer >-Description[en]=Default container for teachers >+Description[de]=Standard-Container-Name für Lehrer. Standard ist "lehrer". >+Description[en]=Default container name for teachers. Default is "lehrer". 
> Type=str > Categories=ucsschool-base > >-[ucsschool/ldap/default/container/admins] >-Description[de]=Standard-Container für Administratoren >-Description[en]=Default container for administrators >+[ucsschool/ldap/default/container/teachers-and-staff] >+Description[de]=Standard-Container-Name für Benutzer die gleichzeitig Lehrer und Mitarbeiter sind. Standard ist "lehrer und mitarbeiter". >+Description[en]=Default container name for users that are both teachers and staff members. Default is "lehrer und mitarbeiter". > Type=str > Categories=ucsschool-base > >-[ucsschool/ldap/default/container/staff] >-Description[de]=Standard-Container für Mitarbeiter >-Description[en]=Default container for staff members >+[ucsschool/ldap/default/groupname/exam] >+Description[de]=Standard Gruppenname für Schüler in einer Prüfung. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Klassenarbeit". >+Description[en]=Default group name for pupils writing exams. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Klassenarbeit". > Type=str > Categories=ucsschool-base > >-[ucsschool/ldap/default/groupprefix/pupils] >-Description[de]=Standard-Prefix für die Schüler-Gruppen >-Description[en]=Default prefix for pupils groups >+[ucsschool/ldap/default/groupname/all-administrativ-dc] >+Description[de]=Standard Gruppenname für Domain Controller in Verwaltungsnetzen. Standard ist "DC-Verwaltungsnetz". >+Description[en]=Default group name for domain controllers in administrativ networks. Default is "DC-Verwaltungsnetz". > Type=str > Categories=ucsschool-base > >-[ucsschool/ldap/default/groupprefix/teachers] >-Description[de]=Standard-Prefix für die Lehrer-Gruppen >-Description[en]=Default prefix for teacher groups >+[ucsschool/ldap/default/groupname/all-administrativ-member] >+Description[de]=Standard Gruppenname für Member Server in Verwaltungsnetzen. Standard ist "Member-Verwaltungsnetz". 
>+Description[en]=Default group name for member servers in administrativ networks. Default is "Member-Verwaltungsnetz". > Type=str > Categories=ucsschool-base > >+[ucsschool/ldap/default/groupname/all-educational-dc] >+Description[de]=Standard Gruppenname für Domain Controller in Edukativnetzen. Standard ist "DC-Edukativnetz". >+Description[en]=Default group name for domain controllers in educational networks. Default is "DC-Edukativnetz". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/groupname/all-educational-member] >+Description[de]=Standard Gruppenname für Member Server in Edukativnetzen. Standard ist "Member-Edukativnetz". >+Description[en]=Default group name for member servers in educational networks. Default is "Member-Edukativnetz". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/groupname/ou-administrativ-dc] >+Description[de]=Standard Gruppenname für Domain Controller im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Verwaltungsnetz". >+Description[en]=Default group name for domain controllers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Verwaltungsnetz". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/groupname/ou-administrativ-member] >+Description[de]=Standard Gruppenname für Member Server im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Verwaltungsnetz". >+Description[en]=Default group name for member servers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Verwaltungsnetz". 
>+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/groupname/ou-educational-dc] >+Description[de]=Standard Gruppenname für Domain Controller im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Edukativnetz". >+Description[en]=Default group name for domain controllers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Edukativnetz". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/groupname/ou-educational-member] >+Description[de]=Standard Gruppenname für Member Server im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Edukativnetz". >+Description[en]=Default group name for member servers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Edukativnetz". >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/ldap/default/groupprefix/admins] >-Description[de]=Standard-Prefix für die Administrator-Gruppen >-Description[en]=Default prefix for admin groups >+Description[de]=Standard-Prefix für die Administrator-Gruppen. Standard ist "admins-". >+Description[en]=Default prefix for admin groups. Default is "admins-". > Type=str > Categories=ucsschool-base > >+[ucsschool/ldap/default/groupprefix/pupils] >+Description[de]=Standard-Prefix für die Schüler-Gruppen. Standard ist "schueler-". >+Description[en]=Default prefix for pupils groups. Default is "schueler-". >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/ldap/default/groupprefix/staff] >-Description[de]=Standard-Prefix für die Mitarbeiter-Gruppen >-Description[en]=Default prefix for staff groups >+Description[de]=Standard-Prefix für die Mitarbeiter-Gruppen. Standard ist "mitarbeiter-". >+Description[en]=Default prefix for staff groups. 
Default is "mitarbeiter-". > Type=str > Categories=ucsschool-base > >+[ucsschool/ldap/default/groupprefix/teachers] >+Description[de]=Standard-Prefix für die Lehrer-Gruppen. Standard ist "lehrer-". >+Description[en]=Default prefix for teacher groups. Default is "lehrer-". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/share/class] >+Description[de]=Standard Verzeichnisname für die Klassen-Freigabe. Standard ist "klassen". >+Description[en]=Default directory name for the class share. Default is "klassen". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/share/pupils] >+Description[de]=Standard Verzeichnisname für die Schüler-Verzeichnisse. Standard ist "schueler". >+Description[en]=Default directory name for the pupils directories. Default is "schueler". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/share/teachers] >+Description[de]=Standard Verzeichnisname für die Lehrer-Verzeichnisse. Standard ist "lehrer". >+Description[en]=Default directory name for the teachers directories. Default is "lehrer". >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/ldap/default/dcs] > Description[de]=Spezifiziert welche Schul-DCs beim Erzeugen einer Schule angelegt werden sollen (Werte: edukativ und/oder verwaltung) > Description[en]=Specifies which school DCs are created during the school set up (values: edukativ and/or verwaltung) >@@ -64,6 +160,12 @@ > Type=str > Categories=ucsschool-base > >+[ucsschool/import/generate/share/marktplatz/name] >+Description[de]=Name der Freigabe (Default: "Marktplatz"). >+Description[en]=Name of share (default: "Marktplatz"). >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/import/generate/share/marktplatz/sharepath] > Description[de]=Vorgabepfad der Freigabe "Marktplatz" (Default: /home/$ou/groups/Marktplatz) > Description[en]=Default path of share "Marktplatz" (default: /home/$ou/groups/Marktplatz) 
>@@ -125,7 +227,7 @@ > Categories=ucsschool-base > > [ucsschool/import/roleshare] >-Description[de]=Falls diese Variable nicht auf "false" oder "no" gesetzt, dann werden Homeverzeichnisse für Benutzer und Klassengruppen in einer rollen- und schulspezifischen Struktur von Unterverzeichnissen angelegt, z.B. unter /home/$ou/schueler/. >+Description[de]=Falls diese Variable nicht auf "false" oder "no" gesetzt wird, werden Homeverzeichnisse für Benutzer und Klassengruppen in einer rollen- und schulspezifischen Struktur von Unterverzeichnissen angelegt, z.B. unter /home/$ou/schueler/. > Description[en]=If this variable is not set to "false" or "no", then home directories for users and class groups will be created in a role and school specific structure of subdirectories, e.g. in /home/$ou/schueler/. > Type=str > Categories=ucsschool-base >Index: ucs-school-import/modules/ucsschool/importer/models/import_user.py >=================================================================== >--- ucs-school-import/modules/ucsschool/importer/models/import_user.py (Revision 74005) >+++ ucs-school-import/modules/ucsschool/importer/models/import_user.py (Arbeitskopie) >@@ -94,7 +94,7 @@ > self.config = Configuration() > self.reader = self.factory.make_reader() > self.logger = get_logger() >- self.username_max_length = 20 - len(self.ucr.get("ucsschool/ldap/default/userprefix/exam", "exam-")) >+ self.username_max_length = 20 - len(Student.get_search_base(school).user_prefix_exam) > self._lo = None > self._userexpiry = None > super(ImportUser, self).__init__(name, school, **kwargs) >Index: ucs-school-import/tests/test_move_domaincontroller_to_ou >=================================================================== >--- ucs-school-import/tests/test_move_domaincontroller_to_ou (Revision 74005) >+++ ucs-school-import/tests/test_move_domaincontroller_to_ou (Arbeitskopie) 
>@@ -37,6 +37,8 @@ > exit 1 > fi > >+. /usr/share/ucs-school-lib/base.sh >+ > eval "$(ucr shell)" > > ./create_ou test1 dctest1 >@@ -51,8 +53,10 @@ > > udm computers/domaincontroller_slave create --position "cn=computers,$ldap_base" --set name=dctest7-01 > ./create_ou test7 >-udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=OUtest7-DC-Edukativnetz,cn=ucsschool,cn=groups,$ldap_base" > >+test7_dc="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc test7)" >+udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=$test7_dc,cn=ucsschool,cn=groups,$ldap_base" >+ > echo "TEST: DC is unknown" > ./move_domaincontroller_to_ou --dcname UnKnOwN --ou test1 > echo "EXITCODE: $?" >Index: ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create >=================================================================== >--- ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create (Revision 74005) >+++ ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create (Arbeitskopie) >@@ -1,7 +1,7 @@ > #!/bin/bash > # > # 52marktplatz_create >-# Creates a Markplatz share for the specified OUs >+# Creates a Marktplatz share for the specified OUs > # > # Depends: ucs-school-import > # >@@ -35,11 +35,14 @@ > [ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1 > > . /usr/share/univention-lib/ucr.sh >+. /usr/share/ucs-school-lib/base.sh > > eval "$(ucr shell)" > >+name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)" >+ > if ! is_ucr_true "ucsschool/import/generate/share/marktplatz" ; then >- echo "$(basename $0): creation of share 'Marktplatz' has been disabled by ucsschool/import/generate/share/marktplatz" >+ echo "$(basename $0): creation of share '$name' has been disabled by ucsschool/import/generate/share/marktplatz" > exit 0 > fi 
> >@@ -58,9 +61,9 @@ > sharepath="$ucsschool_import_generate_share_marktplatz_sharepath" > if [ -z "$sharepath" ] ; then > if [ -z "$ucsschool_import_roleshare" ] || is_ucr_true "ucsschool/import/roleshare"; then >- sharepath="/home/$ou/groups/Marktplatz" >+ sharepath="/home/$ou/groups/$name" > else >- sharepath="/home/groups/Marktplatz" >+ sharepath="/home/groups/$name" > fi > fi > >@@ -77,12 +80,12 @@ > > udm shares/share create --ignore_exists \ > --position "cn=shares,ou=${ou}${district},${ldap_base}" \ >- --set name=Marktplatz \ >+ --set name="${name}" \ > --set "host=${dcname}" \ > --set "path=${sharepath}" \ > --set "directorymode=${sharemode}" \ > --set "group=${grpuidnumber}" > >-echo "$(basename $0): added new share Markplatz for server ${dcname}" >+echo "$(basename $0): added new share '$name' for server ${dcname}" > > exit 0 >Index: ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-import >=================================================================== >--- ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-import (Revision 74005) >+++ ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-import (Arbeitskopie) >@@ -77,8 +77,8 @@ > import univention.lib.policy_result > from ucsschool.lib.roles import role_pupil, role_teacher, role_staff > from ucsschool.lib.roleshares import roleshare_home_subdir >-from ucsschool.lib.models.utils import stopped_notifier, add_stream_logger_to_schoollib >-from ucsschool.lib.models.utils import create_passwd >+from ucsschool.lib.models.utils import stopped_notifier, add_stream_logger_to_schoollib, create_passwd >+from ucsschool.lib.models import School, SchoolClass, ClassShare > > > ldap_errors = (ldap.LDAPError, univention.admin.uexceptions.base,) 
>@@ -106,17 +106,6 @@ > > pwLengthOu = {} > >-cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') >-cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer') >-cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >-cn_admins = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins') >-cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') >- >-grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') >-grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') >-grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >-grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >- > grp_policy_pupils = configRegistry.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % baseDN) > grp_policy_teachers = configRegistry.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % baseDN) > grp_policy_admins = configRegistry.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % baseDN) >@@ -134,10 +123,10 @@ > TYPE_DC_EDUCATIONAL = 'educational' > > >-# IP address prefix len conecerning the netmask >+# IP address prefix len concerning the netmask > default_prefixlen = 24 > >-if not (cn_pupils and cn_teachers and cn_teachers_staff and cn_admins and cn_staff): >+if not (cn_pupils and cn_classes): > print '''ERROR: Unable to proceed: one of the following UCR variables is not set correctly: > ucsschool/ldap/default/container/pupils > ucsschool/ldap/default/container/teachers 
>@@ -265,6 +254,7 @@ > else: > self.allsNrs=[self.sNr] > self.other_sNr=[] >+ self.search_base = School.get_search_base(self.allsNrs[0]) > > # split into multiple class number if comma is present > if ',' in self.cNr: >@@ -319,14 +309,13 @@ > > def getPosition_dn(self): > # resolution order for the position is pupil, teacher, staff >- cn = cn_pupils > if role_teacher in self.getRole() and role_staff in self.getRole(): >- cn = cn_teachers_staff >+ return self.search_base.teachersAndStaff > elif role_teacher in self.getRole (): >- cn = cn_teachers >- elif role_staff in self.getRole (): >- cn = cn_staff >- return "cn=%s,cn=users,%s" % (cn, getDN (self.sNr)) >+ return self.search_base.teachers >+ elif role_staff in self.getRole(): >+ return self.search_base.staff >+ return self.search_base.students > > def getDN(self): > return "uid="+self.login+","+self.getPosition_dn() >@@ -335,19 +324,20 @@ > default_groups=[] > > # default group >- default_groups.append("cn=Domain Users "+self.sNr+",cn=groups,%s" % (getDN (self.sNr), )) >+ default_groups.append("cn=Domain Users %s,%s" % (self.sNr, self.search_base.groups)) > >- for role in self.getRole (): >- user_grp_prefix = { role_teacher:grp_prefix_teachers, >- role_pupil:grp_prefix_pupils, >- role_staff:grp_prefix_staff }[role] >+ grp_dns = { >+ role_teacher: self.search_base.teachers_ou_group, >+ role_pupil: self.search_base.students_ou_group, >+ role_staff: self.search_base.staff_ou_group} >+ for role in self.getRole(): > if role == role_staff and not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True): > continue > # class if available > for cnr in self.cNr: >- default_groups.append("cn=" + cnr + ",cn=klassen,cn=%s,cn=groups,%s" % (cn_pupils, getDN (self.sNr))) >+ default_groups.append("cn=%s,%s" % (cnr, self.search_base.classes)) > >- default_groups.append("cn=%s%s,cn=groups,%s"%(user_grp_prefix, self.sNr, getDN (self.sNr))) >+ default_groups.append(grp_dns[role]) > > return default_groups 
> >@@ -498,21 +488,23 @@ > if district_enabled: > verify_container(getDN (schoolNr, base='district'), ou_module, co, lo, superordinate, baseDN) > >- print "verify ou for school nr %s"%schoolNr >+ print "verify ou for school nr %s" % schoolNr >+ search_base = School.get_search_base(schoolNr) > # list of needed sub-containers, the dictionary-key adds the container as default during create in verify_container >- container={'0printerPath':['cn=printers'], >- '1userPath':['cn=users','cn=%s,cn=users' % cn_pupils,'cn=%s,cn=users' % cn_teachers,'cn=%s,cn=users' % cn_admins], >- '2computerPath':['cn=computers','cn=server,cn=computers','cn=dc,cn=server,cn=computers'], >- '3networkPath':['cn=networks'], >- '4groupPath':['cn=groups','cn=%s,cn=groups' % cn_pupils,'cn=%s,cn=groups' % cn_teachers,'cn=klassen,cn=%s,cn=groups' % cn_pupils,'cn=raeume,cn=groups'], >- '5dhcpPath':['cn=dhcp'], >- '6policyPath':['cn=policies'], >- '7sharePath':['cn=shares','cn=klassen,cn=shares'], >- '8none':['cn=dc,cn=server,cn=computers'] >- } >+ container = { >+ '0printerPath': [search_base.printers], >+ '1userPath': [search_base.users, search_base.students, search_base.teachers, search_base.admins], >+ '2computerPath': [search_base.computers, 'cn=server,{}'.format(search_base.computers), 'cn=dc,cn=server,{}'.format(search_base.computers)], >+ '3networkPath': [search_base.networks], >+ '4groupPath': [search_base.groups, search_base.workgroups, search_base.teachers_group, search_base.classes, search_base.rooms], >+ '5dhcpPath': [search_base.dhcp], >+ '6policyPath': [search_base.policies], >+ '7sharePath': [search_base.shares, search_base.classShares], >+ '8none': ['cn=dc,cn=server,{}'.format(search_base.computers)] >+ } > if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True): >- container['1userPath'].extend(['cn=%s,cn=users' % cn_staff, 'cn=%s,cn=users' % cn_teachers_staff]) >- container['4groupPath'].append('cn=%s,cn=groups' % cn_staff) >+ 
container['1userPath'].extend([search_base.staff, search_base.teachersAndStaff]) >+ container['4groupPath'].append(search_base.staff_group) > # FIXME: die Policies sollten besser mit der Gruppe verknüpft werden, um > # z.B. Mitarbeiter und Lehrer im selben Container pflegen zu können > #container_policies = { 'cn=%s,cn=users' % cn_teachers: ['cn=default-lehrer,cn=UMC,cn=policies,' + baseDN] } >@@ -527,20 +519,13 @@ > dccn = '' > myline = '%s\t%s' % ( schoolNr, dccn ) > hooks.pre( 'ou', 'A', line = myline ) >+ search_base = School.get_search_base(schoolNr) > > # verify global dc groups >- groups_administrative = [ >- "cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN, >- "cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN] >- groups_education=[ >- "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN, >- "cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN] >- groups_administrativeOU=[ >- "cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN), >- "cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)] >- groups_educationOU=[ >- "cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN), >- "cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)] >+ groups_administrative = [search_base.administrative_dc_group, search_base.administrative_member_group] >+ groups_education = [search_base.educational_dc_group, search_base.educational_member_group] >+ groups_administrativeOU = [search_base.administrative_ou_dc_group, search_base.administrative_ou_member_group] >+ groups_educationOU = [search_base.educational_ou_dc_group, search_base.educational_ou_member_group] > > if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True): > groups = groups_administrative + groups_education + groups_administrativeOU + groups_educationOU 
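Review bot: the removed lines in the hunk at -527,20 lowercased the school number (`schoolNr.lower()`) when building the four OU-specific group DNs, and nothing in the replacement shows that `search_base.administrative_ou_dc_group` and its siblings still do. The membership test in the following code (`if not grp in dcobject['groups']`) is an exact string comparison, so a change in case would make an existing membership look missing. Pass `schoolNr.lower()` to `School.get_search_base()` here, or note in a comment that the properties lowercase the OU name themselves.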
>@@ -555,7 +540,7 @@ > dcobject = object_exists( > server_module, co, lo, 'sub', superordinate, baseDN, > univention.admin.filter.expression('cn', dccn), None) >- >+ > if dcobject: > zone = "edukativ" > dcobject.open() >@@ -562,15 +547,15 @@ > # TODO FIXME The following snippet does not make any sense: > # if the DC is member of DC-Verwaltungsnetz then is added again to that group?!? Looks like this code is unused. > for grp in dcobject['groups']: >- if grp.startswith("cn=DC-Verwaltungsnetz,"): >+ if grp.startswith(univention.admin.uldap.explodeDn(search_base.administrative_dc_group)[0]): > zone = "verwaltung" > groups = [] > if zone == "edukativ": >- groups.append("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN) >- groups.append("cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)) >+ groups.append(search_base.educational_dc_group) >+ groups.append(search_base.educational_ou_dc_group) > if zone == "verwaltung": >- groups.append("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN) >- groups.append("cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)) >+ groups.append(search_base.administrative_dc_group) >+ groups.append(search_base.administrative_ou_dc_group) > modified = False > for grp in groups: > if not grp in dcobject['groups']: >@@ -578,8 +563,8 @@ > dcobject['groups'].append(grp) > if modified: > dcobject.modify() >- > >+ > created, dn = verify_container(ou_base, ou_module, co, lo, superordinate, baseDN, path='') > if created: > # get name of new dc 
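Review bot: in the hunk at -562,15 the prefix test in the `for grp in dcobject['groups']` loop has lost the RDN separator. The old literal was "cn=DC-Verwaltungsnetz," with a trailing comma; `univention.admin.uldap.explodeDn(search_base.administrative_dc_group)[0]` is only the first RDN, so any group whose RDN merely begins with the configured name now matches and switches zone to "verwaltung". Append ',' to the prefix, or compare the whole DN against `search_base.administrative_dc_group`. The whitespace-only changes in the hunks at -555,7 and -578,8 are unrelated and should be dropped from this patch.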
>@@ -619,24 +604,22 @@ > if displayName is not None: > r = lo.modify(ou_base, [('displayName', lo.get(ou_base, ['displayName']).get('displayName',[]), [displayName])]) > >- keys=container.keys() >- keys.sort() >- for path in keys: >+ for path in sorted(container.keys()): > for dn in container[path]: >- if path[1:]=='none': path=' ' >- verify_container('%s,%s'%(dn,ou_base),cn_module, co, lo, superordinate, baseDN, path=path[1:]) >+ if path[1:] == 'none': >+ path=' ' >+ verify_container(dn, cn_module, co, lo, superordinate, baseDN, path=path[1:]) > > # create groups if not existant >- grp_ouadmins = "cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, schoolNr.lower(), baseDN) >- groups=[ ( grp_ouadmins, grp_policy_admins ), >- ( "cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, schoolNr.lower(), getDN(schoolNr)), grp_policy_pupils ), >- ( "cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, schoolNr.lower(), getDN(schoolNr)), grp_policy_teachers ), >- ] >+ grp_ouadmins = search_base.admin_group >+ groups = [ >+ (grp_ouadmins, grp_policy_admins), >+ (search_base.students_ou_group, grp_policy_pupils), >+ (search_base.teachers_ou_group, grp_policy_teachers), >+ ] > > if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True): >- groups.append( >- ( "cn=%s%s,cn=groups,%s" % (grp_prefix_staff, schoolNr.lower(), getDN(schoolNr)), grp_policy_staff ), >- ) >+ groups.append((search_base.staff_ou_group, grp_policy_staff)) > if configRegistry.is_true('ucsschool/import/attach/policy/default-umc-users', True): > domain_users_school = "cn=Domain Users %s,cn=groups,%s" % (schoolNr.lower(), getDN(schoolNr)) > groups.append((domain_users_school, "cn=default-umc-users,cn=UMC,cn=policies,%s" % (baseDN,))) 
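Review bot: the unchanged context at the end of the hunk at -619,24 still builds `domain_users_school` as "cn=Domain Users %s,cn=groups,%s" with a literal cn=groups and getDN(schoolNr), while the hunk at -335,19 builds the same group from `self.search_base.groups`. After this patch the two code paths can disagree on where the Domain Users group lives, and the default-umc-users policy would be attached to a DN the import never creates. Use `search_base.groups` here as well.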
>@@ -673,8 +656,7 @@ > else: > dccn = 'dc%s-01' % schoolNr.lower () > >- dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower (), baseDN), >- "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (baseDN, )] >+ dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group] > > if dc == 'verwaltung': > if not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True): >@@ -686,8 +668,7 @@ > dccn = configRegistry.get('hostname') > else: > dccn = 'dc%sv-01' % schoolNr.lower () # this is the naming convention, a trailing v for Verwaltungsnetz DCs >- dcgroups = ["cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower (), baseDN), >- "cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (baseDN, )] >+ dcgroups = [search_base.administrative_ou_dc_group, search_base.administrative_dc_group] > > # create server if not exsistant > objects = univention.admin.modules.lookup(computer_module, co, lo, scope='sub', superordinate=superordinate, base=baseDN, >@@ -708,9 +689,9 @@ > if not server_exists and not dcName: > try: > if dc == 'verwaltung': >- grpdn = 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (schoolNr.lower (), baseDN) >+ grpdn = search_base.administrative_ou_dc_group > else: >- grpdn = 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (schoolNr.lower (), baseDN) >+ grpdn = search_base.educational_ou_dc_group > hostlist = lo.get(grpdn, ['uniqueMember']).get('uniqueMember',[]) > except ldap.NO_SUCH_OBJECT: > hostlist = [] >@@ -1071,7 +1052,7 @@ > if (schoolNr, classNr.lower()) in verified_group_shares: > return True > >- position_dn="cn=%s,cn=klassen,cn=shares,%s"%(classNr, getDN (schoolNr, basedn=base)) >+ position_dn = ClassShare(school=schoolNr, name=classNr).dn > module = univention.admin.modules.get("shares/share") > position_basedn = univention.admin.uldap.position(baseDN) > univention.admin.modules.init (lo, position_basedn, module) 
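Review bot: in the hunk at -1071,7 the removed line passed the caller's base explicitly (`getDN (schoolNr, basedn=base)`), but `ClassShare(school=schoolNr, name=classNr).dn` has no way to receive it. Any caller that supplies a base other than the default now gets a share position under a different tree than before. Either show that `base` is always the configured LDAP base in this function and remove the parameter, or keep the old construction for the non-default case.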
>@@ -1104,7 +1085,9 @@ > print "need to create groupshare %s"%position_dn > > # get gid form corresponding group >- group_dn="cn=%s,cn=klassen,cn=%s,cn=groups,%s"%(classNr, cn_pupils, getDN (schoolNr, basedn=base)) >+ school_class = SchoolClass(school=schoolNr, name=classNr) >+ class_share = ClassShare.from_school_class(school_class) >+ group_dn = school_class.dn > gids=lo.get(group_dn,['gidNumber']) > gid = 0 > if len(gids) > 1: # TODO FIXME This doesn't look correct to me - gids is a dict and not a list! >@@ -1155,10 +1138,7 @@ > object.open() > object["name"] = "%s"%classNr > object["host"] = serverfqdn >- if configRegistry.is_true('ucsschool/import/roleshare', True): >- object["path"] = "/home/" + os.path.join(schoolNr, "groups/klassen/%s" % (classNr,)) >- else: >- object["path"] = "/home/groups/klassen/%s" % (classNr,) >+ object["path"] = class_share.get_share_path() > object["writeable"] = "1" > object["sambaWriteable"] = "1" > object["sambaBrowseable"] = "1" 
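Review bot: the hunk at -1155,10 removes the branch on `ucsschool/import/roleshare` and relies on `class_share.get_share_path()` for the result, but nothing here shows that the method reads that variable. Installations with roleshare disabled previously got "/home/groups/klassen/<class>" and would silently get a different path for newly created shares. Confirm that get_share_path() honours the variable and say so in a comment, or keep the conditional. Also note that `class_share` is assigned in the hunk at -1104,7 next to the "need to create groupshare" message, so check that it is always bound when this line runs.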
>@@ -1315,11 +1295,17 @@ > # FIXME / TODO > # Test should be following: > # if ( ( ( parts[0].startswith( 'cn=%s' % grp_prefix_pupils) or parts[0].startswith( 'cn=%s' % grp_prefix_pupils) ) and parts[1] == 'cn=groups' and parts[2].startswith('ou=') ) or >- # ( parts[1] == 'cn=klassen' and parts[2] == 'cn=%s' % cn_pupils and parts[3] == 'cn=groups' and parts[4].startswith('ou=') ) ): >+ # ( parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils and parts[3] == 'cn=groups' and parts[4].startswith('ou=') ) ): > >+ search_base = School.get_search_base(None) >+ cn_pupils = ldap.explode_dn(search_base.students, True)[0] >+ cn_classes = ldap.explode_dn(search_base.classes, True)[0] >+ grp_prefix_pupils = search_base.group_prefix_students >+ grp_prefix_teachers = search_base.group_prefix_teachers >+ > if ( parts[0].startswith( 'cn=%s' % grp_prefix_pupils ) or > parts[0].startswith( 'cn=%s' % grp_prefix_teachers ) or >- ( parts[1] == 'cn=klassen' and parts[2] == 'cn=%s' % cn_pupils ) ): >+ (parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils)): > # group looks like a default group, so we don't need it anymore > print "remove from group: %s"%group > remove_groups.append(group) >@@ -1600,12 +1586,13 @@ > main_person.isTeacher = '0' > main_person.isStaff = '0' > >- if object.dn.endswith(',cn=%s,cn=users,%s' % (cn_teachers_staff, getDN(ou))): >+ search_base = School.get_search_base(ou) >+ if object.dn.endswith(',%s' % search_base.teachersAndStaff): > main_person.isTeacher = '1' > main_person.isStaff = '1' >- elif object.dn.endswith(',cn=%s,cn=users,%s' % (cn_teachers, getDN(ou))): >+ elif object.dn.endswith(',%s' % search_base.teachers): > main_person.isTeacher = '1' >- elif object.dn.endswith(',cn=%s,cn=users,%s' % (cn_staff, getDN(ou))): >+ elif object.dn.endswith(',%s' % search_base.staff): > main_person.isStaff = '1' > > if ou in main_person.allsNrs: 
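Review bot: in the hunk at -1315,11 the container and prefix names are derived from `School.get_search_base(None)`, and it is not documented what a school of None means or whether the returned DNs are well formed enough for `ldap.explode_dn(...)[0]` to yield the intended component. Add a comment on the None case, or expose the plain container names on the search base so they do not have to be parsed back out of a DN. The block also uses `ldap.explode_dn(..., True)` while the hunk at -562,15 uses `univention.admin.uldap.explodeDn`; pick one helper for the whole file.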
>@@ -2208,6 +2195,7 @@ > zone = parsed[6] > > verify_school_ou(schoolNr, co, lo, baseDN) >+ search_base = School.get_search_base(schoolNr) > > try: > ip = ipaddr.IPv4Network(IP) >@@ -2224,11 +2212,11 @@ > groups = {} > if ctype == "memberserver": > if zone == "edukativ": >- groups["cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)] = 1 >- groups["cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN] = 1 >+ groups[search_base.educational_ou_member_group] = 1 >+ groups[search_base.educational_member_group] = 1 > if zone == "verwaltung": >- groups["cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)] = 1 >- groups["cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN] = 1 >+ groups[search_base.administrative_ou_member_group] = 1 >+ groups[search_base.administrative_member_group] = 1 > > # invoke pre hooks > hooks.pre( 'computer', 'A', line = line ) >@@ -2331,8 +2319,8 @@ > ClassID = parsed[2] > Descrpt = parsed[3] > >- group_dn="cn=%s,cn=klassen,cn=%s,cn=groups,%s"%(ClassID, cn_pupils, getDN (schoolNr)) >- share_dn="cn=%s,cn=klassen,cn=shares,%s"%(ClassID, getDN (schoolNr)) >+ group_dn = SchoolClass(school=schoolNr, name=ClassID).dn >+ share_dn = ClassShare(school=schoolNr, name=ClassID).dn > > verify_school_ou(schoolNr, co, lo, baseDN) 
> >@@ -2874,14 +2862,15 @@ > > slave = slaves[0] > ouDn = oulist[0].dn >+ search_base = School.get_search_base(options.ou) > > group_filter = univention.admin.filter.conjunction('&', [ >- univention.admin.filter.conjunction('|', [ >- univention.admin.filter.expression('cn', 'OU%s-DC-Edukativnetz' % options.ou), >- univention.admin.filter.expression('cn', 'OU%s-DC-Verwaltungsnetz' % options.ou), >- ]), >- univention.admin.filter.expression('uniqueMember', slave.dn), >- ]) >+ univention.admin.filter.conjunction('|', [ >+ univention.admin.uldap.explodeDn(search_base.educational_ou_dc_group)[0], >+ univention.admin.uldap.explodeDn(search_base.administrative_ou_dc_group)[0], >+ ]), >+ univention.admin.filter.expression('uniqueMember', slave.dn), >+ ]) > groups = univention.admin.modules.lookup(group_module, co, lo, scope='sub', base=baseDN, filter=group_filter) > if not groups: > print 'ERROR: cannot move domaincontroller slave with hostname "%s" to OU "%s"' % (options.dcname, options.ou) 
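Review bot: the inner '|' conjunction in the hunk at -2874,14 no longer contains filter expressions. The removed entries were `univention.admin.filter.expression('cn', ...)` objects; the added entries are the bare strings returned by `univention.admin.uldap.explodeDn(...)[0]`, so the OR is built from unparenthesised RDN text instead of filter terms and the lookup is likely to fail or match nothing. Wrap each name again, for example `univention.admin.filter.expression('cn', <name>)`, taking the name without its attribute type as the hunk at -1315,11 does with `ldap.explode_dn(..., True)[0]`.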
>@@ -2980,15 +2969,12 @@ > print 'ERROR: specified OU %r does not exist' % ou_name > sys.exit(1) > >- >+ search_base = School.get_search_base(ou_name) > # get list of desired group memberships >- group_dn_list = { TYPE_DC_ADMINISTRATIVE: ['cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou_name.lower(), baseDN), >- 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (baseDN,), >- ], >- TYPE_DC_EDUCATIONAL: ['cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (baseDN,), >- 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou_name.lower(), baseDN), >- ], >- }[dc_type] >+ group_dn_list = { >+ TYPE_DC_ADMINISTRATIVE: [search_base.administrative_ou_dc_group, search_base.administrative_dc_group], >+ TYPE_DC_EDUCATIONAL: [search_base.educational_dc_group, search_base.educational_ou_dc_group] >+ }[dc_type] > for grpdn in group_dn_list: > verify_group(grpdn, co, lo, superordinate, baseDN) > >Index: ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4 >=================================================================== >--- ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4 (Revision 74005) >+++ ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4 (Arbeitskopie) >@@ -31,6 +31,7 @@ > # <http://www.gnu.org/licenses/>. > > . /usr/share/univention-lib/all.sh >+. /usr/share/ucs-school-lib/base.sh > > display_help() { > cat <<-EOL 
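Review bot: the new `. /usr/share/ucs-school-lib/base.sh` in the hunk at -31,6 is sourced unconditionally, and the script later depends on `ucr_names_default` and `replace_ou` from it. Nothing in this patch shows a package dependency on whatever ships that file, so on a system without it the join script runs on with those functions undefined and the group checks compare against empty names. Declare the dependency in the package and fail early here if the file cannot be sourced.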
>@@ -195,11 +196,13 @@ > while read service; do > case "$service" in > "UCS@school Education") >- target_server_ucsschool_type=Edukativnetz >+ target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)" >+ target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc)" > target_server_ucsschool_service="$service" > ;; > "UCS@school Administration") >- target_server_ucsschool_type=Verwaltungsnetz >+ target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)" >+ target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc)" > target_server_ucsschool_service="$service" > ;; > esac 
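Review bot: the UCR keys introduced in the hunk at -195,11 are spelled inconsistently: `ucsschool/ldap/default/groupname/all-administrativ-dc` and `ou-administrativ-dc` against `all-educational-dc` and `ou-educational-dc`. These names become public configuration once released, so settle on one spelling (for example "administrative") now and use it in the ACL template and documentation too. Also note that `target_server_all_dcs` and `target_server_ou_dcs` stay unset when neither service matches; initialise them before the loop so the later udm filter does not run with an empty name.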
>@@ -258,17 +261,17 @@ > > echo -n "Check group memberschip : " > test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \ >- /usr/sbin/udm groups/group list --filter name="DC-$target_server_ucsschool_type" | sed -n "/^ *hosts: $target_ldap_hostdn$/p") >+ /usr/sbin/udm groups/group list --filter name="$target_server_all_dcs" | sed -n "/^ *hosts: $target_ldap_hostdn$/p") > if [ -z "$test_output" ]; then > echo -e "\033[60Gfailed" >- echo "$hostname is not member of the group DC-$target_server_ucsschool_type, this needs to be fixed first manually." >+ echo "$hostname is not member of the group $target_server_all_dcs, this needs to be fixed first manually." > exit 1 > fi > test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \ >- /usr/sbin/udm groups/group list --filter name="OU$my_school_ou-DC-$target_server_ucsschool_type" | sed -n "/^ *hosts: $target_ldap_hostdn$/p") >+ /usr/sbin/udm groups/group list --filter name="$(replace_ou "$target_server_ou_dcs" "$my_school_ou")" | sed -n "/^ *hosts: $target_ldap_hostdn$/p") > if [ -z "$test_output" ]; then > echo -e "\033[60Gfailed" >- echo "$hostname is not member of the group OU$my_school_ou-DC-$target_server_ucsschool_type, this needs to be fixed first manually." >+ echo "$hostname is not member of the group $(replace_ou "$target_server_ou_dcs" "$my_school_ou"), this needs to be fixed first manually." > exit 1 > else > echo -e "\033[60Gdone" >Index: ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-verify-class-memberships >=================================================================== >--- ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-verify-class-memberships (Revision 74005) >+++ ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-verify-class-memberships (Arbeitskopie) 
>@@ -42,6 +42,7 @@ > import univention.admin.handlers.groups.group > import univention.admin.handlers.users.user > import univention.admin.objects >+from ucsschool.lib.models import School, SchoolClass, Staff, Student, Teacher > > > class Problem(Exception): >@@ -160,7 +161,8 @@ > > > def parse_line(lo, line): >- oubase = 'ou=%s,%s' % (line['school'], ucr['ldap/base'],) >+ school = School(name=line['school']) >+ oubase = school.dn > uid = line['name'] > try: > dn = lo.search(filter_format('uid=%s', (uid,)), oubase, unique=True)[0][0] >@@ -173,8 +175,8 @@ > raise StudentDoesNotExists(line, uid) > else: > raise StudentIsInAnotherSchool(line, uid, dn) >- if not dn.endswith(',cn=schueler,cn=users,%s' % (oubase,)): >- if not dn.endswith(',cn=lehrer,cn=users,%s' % (oubase,)) or not dn.endswith(',cn=mitarbeiter,cn=users,%s' % (oubase,)): >+ if not dn.endswith(Student.get_container(school.name)): >+ if not dn.endswith(Teacher.get_container(school.name)) or not dn.endswith(Staff.get_container(school.name)): > print('Ignoring teacher/staff %r' % (uid,)) > return > msg('ERROR: %s (%s %s) is not a student/teacher/staff.' % (uid, line['firstname'], line['lastname'])) >@@ -186,7 +188,7 @@ > correct = False > invalid_groups = set() > for gdn, group in groups: # pylint: disable=W0612 >- if not gdn.endswith(',cn=klassen,cn=schueler,cn=groups,%s' % (oubase,)): >+ if not gdn.endswith(SchoolClass.get_container(school.name)): > if not gdn.endswith(oubase) and re.search(',ou=[^,]+,%s$' % (ucr['ldap/base'],), gdn, re.I): > raise StudentIsInAnotherClassInAnotherSchool(line, uid, dn, gdn) > continue # ignore workgroups / Domain Users >Index: ucs-school-ldap-acls-master/61ucsschool_presettings >=================================================================== >--- ucs-school-ldap-acls-master/61ucsschool_presettings (Revision 74005) >+++ ucs-school-ldap-acls-master/61ucsschool_presettings (Arbeitskopie) 
>@@ -1,65 +1,95 @@ >+@!@ >+# -*- coding: utf-8 -*- >+import re >+ >+ >+def replace_ucr_variables(template): >+ variable_token = re.compile('@[$]@') >+ >+ dir_ucsschool = { >+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'), >+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'), >+ 'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'), >+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'), >+ } >+ >+ while 1: >+ i = variable_token.finditer(template) >+ try: >+ start = i.next() >+ end = i.next() >+ name = template[start.end():end.start()] >+ >+ template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():] >+ except StopIteration: >+ break >+ >+ return template >+ >+ >+aclset += """ > # start 61ucsschool_presettings > > # revert rule from UCS; Bug #41402 > access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid > by dn.regex=".*cn=computers,ou=([^,]+),(ou=[^,]+,)?@%@ldap/base@%@" none break >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break > by set="user/objectClass & ([ucsschoolStudent] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolAdministrator])" none break > by * +0 break > > # Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren > access to filter="(objectClass=sambaDomain)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # grant write access to domaincontroller slave/member server for certain univention app center settings > access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)" >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Slave controllers and memberservers require write access to virtual machine manager objects > access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write 
>- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write > by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write > by * +0 break 
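Review bot: `replace_ucr_variables()` in the hunk at -1,65 substitutes an empty string for any token it does not know (`dir_ucsschool.get(name,'')`), which turns a typo in the template into "cn=,cn=ucsschool,cn=groups,..." without any error. For the rules that grant write access this only breaks them, but for rules whose purpose is to restrict the school servers a wrong DN means the restriction silently stops applying. Raise on unknown names instead. The configured values are also placed inside double-quoted slapd ACL strings unchecked, so reject names containing a double quote or a comma before substituting. The function is not called within the visible part of the hunk, so check that `aclset` is actually passed through it before it is emitted.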
>@@ -66,47 +96,51 @@ > > # Slave-Controller und Member-Server benoetigen idmap-Container > access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Slave-Controller und Member-Server benoetigen ID-Mapping > access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Slave-Controller und Member-Server benoetigen nicht alle Container > access to dn.subtree="cn=backup,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > access to dn.subtree="cn=printers,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > access to dn.subtree="cn=networks,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > access to dn.regex="^(.*,)?cn=(cups|ppolicy|packages|services|templates|admin-settings|default containers|saml-serviceprovider),cn=univention,@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > # end 61ucsschool_presettings >+""" >+ >+print replace_ucr_variables(aclset) >+@!@ >Index: ucs-school-ldap-acls-master/65ucsschool >=================================================================== >--- ucs-school-ldap-acls-master/65ucsschool (Revision 74005) >+++ ucs-school-ldap-acls-master/65ucsschool (Arbeitskopie) 
>@@ -13,19 +13,23 @@ > def replace_ucr_variables(template): > variable_token = re.compile('@[$]@') > >- dir_ucsschool = { } >- dir_ucsschool[ 'DISTRICT' ] = '' >- if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ): >- dir_ucsschool[ 'DISTRICT' ] = 'ou=[^,]+,' >- dir_ucsschool[ 'PUPILS' ] = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') >- dir_ucsschool[ 'TEACHERS' ] = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer') >- dir_ucsschool[ 'STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') >- dir_ucsschool[ 'TEACHERS-STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >- dir_ucsschool[ 'ADMINS' ] = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins') >- dir_ucsschool[ 'GRPADMINS' ] = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >- dir_ucsschool[ 'EXAM' ] = configRegistry.get('ucsschool/ldap/default/container/exam', 'examusers') >+ dir_ucsschool = { >+ 'DISTRICT': 'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '', >+ 'PUPILS': configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'), >+ 'TEACHERS': configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'), >+ 'STAFF': configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'), >+ 'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'), >+ 'ADMINS': configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'), >+ 'GRPADMINS': configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'), >+ 'EXAM': configRegistry.get('ucsschool/ldap/default/container/exam', 'examusers'), >+ 'CLASS': configRegistry.get('ucsschool/ldap/default/container/class', 'klassen'), >+ 'ROOMS': 
configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'), >+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'), >+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'), >+ 'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'), >+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'), >+ } > >- > while 1: > i = variable_token.finditer(template) > try: 
>@@ -43,20 +47,20 @@ > aclset += """ > # DC Slaves need write access to the members of the group Domain Computers > access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects > access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Slave DCs can read and write policy containers for MS WMI filter objects > access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern >@@ -70,12 +74,12 @@ > by * +0 break > > # Lehrer, Mitarbeiter und OU-Admins duerfen Raum-Gruppen anlegen und bearbeiten >-access to dn.regex="^cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry >+access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry > by set.expand="[$1] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write > @$@# old rule@$@ by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write > by * +0 break > >-access to dn.regex="^cn=([^,]+),cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" >+access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" > by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write > @$@# old rule@$@ by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write > by * +0 break 
>@@ -145,10 +149,10 @@ > by * +0 break > > access to dn.subtree="cn=temporary,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > # OU-Admins duerfen MAC-Adressen im Rechner- und DHCP-Objekt aendern 
>@@ -172,24 +176,24 @@ > > # domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers > access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > access to filter="(|(objectClass=ucsschoolStudent)(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > # domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users > access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > access to 
filter="(&(objectClass=ucsschoolStaff)(!(objectClass=ucsschoolTeacher))(!(objectClass=ucsschoolAdministrator)))" >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > # FIXME: this rule allows to read all passwords underneath of all OU's instead of only the password belonging to the OU; explain why or fix it 
>@@ -196,41 +200,41 @@ > # TODO: are the following attributes missing here?: 'sambaBadPasswordCount', 'krb5PasswordEnd', 'shadowMax', 'sambaAcctFlags', 'sambaPasswordHistory' > # Memberserver duerfen Passwoerter aller Objekte unterhalb einer Schule lesen > access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,sambaPwdCanChange,sambaPwdMustChange >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd > by * +0 break > > # Alle DC-Slaves muessen alle Benutzercontainer und Gruppen jeder Schule lesen koennen > access to dn.regex="^ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="objectClass=ucsschoolOrganizationalUnit" >- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd > by * +0 break > > access to dn.regex="^cn=(users|groups|@$@EXAM@$@),ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by 
group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd > by * +0 break > > access to dn.regex="^([^,]+),cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd > by * +0 break > > access to dn.regex="^cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd > by * +0 break > > # DC-Slaves muessen die Benutzer ihrer Schule lesen und schreiben duerfen > access to 
dn.regex="^uid=([^,]+),cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by set="([cn=OU]+this/ucsschoolSchool+[-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write >+ by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write > by * +0 break > access to dn.regex="^uid=([^,]+),cn=@$@EXAM@$@,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by set="([cn=OU]+this/ucsschoolSchool+[-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write >+ by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write > by * +0 break > > # Schul-Slave-Server duerfen nur Eintraege ihrer OU lesen und schreiben (Passwortaenderungen etc.) 
>@@ -237,13 +241,13 @@ > # Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts > access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" > by set.expand="[ldap:///ou=$2,@%@ldap/base@%@?ou?base?%28%21%28objectClass%3DucsschoolOrganizationalUnit%29%29]/ou" +0 break >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write > by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd continue > by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +rscxd continue >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop > by set.expand="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +0 stop > by 
dn.regex="^.*,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd break > by dn.regex="^.*,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +0 stop 
>@@ -250,22 +254,22 @@ > by * +0 break > > # Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!) >-access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry >- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+access to dn.regex="^cn=@$@CLASS@$@,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry >+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Schulserver duerfen die Passwoerter aller globalen Objekte replizieren > access to dn.regex="^(.+,)?cn=(users|kerberos|computers),@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >- by 
group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd > by * +0 break > """ > >Index: ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst >=================================================================== >--- ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst (Revision 74005) >+++ ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst (Arbeitskopie) >@@ -32,6 +32,8 @@ > VERSION=7 > . /usr/share/univention-join/joinscripthelper.lib > . /usr/share/univention-lib/ldap.sh >+. /usr/share/ucs-school-lib/base.sh >+ > joinscript_init > > eval "$(univention-config-registry shell)" 
>@@ -43,7 +45,11 @@ > --set name="ucsschool" > > # create global groups required for LDAP ACLs for UCS@school >-for grp in "DC-Verwaltungsnetz" "Member-Verwaltungsnetz" "DC-Edukativnetz" "Member-Edukativnetz" ; do >+for grp in \ >+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)" \ >+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-member)" \ >+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)" \ >+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-member)"; do > univention-directory-manager groups/group create "$@" \ > --ignore_exist \ > --position="cn=ucsschool,cn=groups,$ldap_base" \ >Index: ucs-school-ldap-acls-master/debian/control >=================================================================== >--- ucs-school-ldap-acls-master/debian/control (Revision 74005) >+++ ucs-school-ldap-acls-master/debian/control (Arbeitskopie) >@@ -9,7 +9,7 @@ > > Package: ucs-school-ldap-acls-master > Architecture: all >-Depends: univention-ldap-server, univention-ldap-config >+Depends: univention-ldap-server, univention-ldap-config, shell-ucs-school > Conflicts: univention-server-slave, univention-server-member, univention-mobile-client, univention-managed-client, univention-basesystem > Description: Special LDAP ACLs for UCS@school > This package provides additional LDAP ACLs for slapd >Index: ucs-school-lib/python/models/school.py >=================================================================== >--- ucs-school-lib/python/models/school.py (Revision 74005) >+++ ucs-school-lib/python/models/school.py (Arbeitskopie) 
>@@ -79,22 +79,18 @@ > def get_container(cls, school=None): > return ucr.get('ldap/base') > >- @classmethod >- def cn_name(cls, name, default): >- ucr_var = 'ucsschool/ldap/default/container/%s' % name >- return ucr.get(ucr_var, default) >- > def create_default_containers(self, lo): >- cn_pupils = self.cn_name('pupils', 'schueler') >- cn_teachers = self.cn_name('teachers', 'lehrer') >- cn_admins = self.cn_name('admins', 'admins') >- cn_classes = self.cn_name('class', 'klassen') >- cn_rooms = self.cn_name('rooms', 'raeume') >+ search_base = self.get_search_base(self.name) >+ cn_pupils = ldap.explode_dn(search_base.students, True)[0] >+ cn_teachers = ldap.explode_dn(search_base.teachers, True)[0] >+ cn_admins = ldap.explode_dn(search_base.admins, True)[0] >+ cn_classes = ldap.explode_dn(search_base.classes, True)[0] >+ cn_rooms = ldap.explode_dn(search_base.rooms, True)[0] > user_containers = [cn_pupils, cn_teachers, cn_admins] > group_containers = [cn_pupils, [cn_classes], cn_teachers, cn_rooms] > if self.shall_create_administrative_objects(): >- cn_staff = self.cn_name('staff', 'mitarbeiter') >- cn_teachers_staff = self.cn_name('teachers-and-staff', 'lehrer und mitarbeiter') >+ cn_staff = ldap.explode_dn(search_base.staff, True)[0] >+ cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0] > user_containers.extend([cn_staff, cn_teachers_staff]) > group_containers.append(cn_staff) > containers_with_path = { 
>@@ -126,12 +122,6 @@ > for cn in containers: > last_dn = _add_container(cn, last_dn, self.dn, path, lo) > >- def group_name(self, prefix_var, default_prefix): >- ucr_var = 'ucsschool/ldap/default/groupprefix/%s' % prefix_var >- name_part = ucr.get(ucr_var, default_prefix) >- school_part = self.name.lower() >- return '%s%s' % (name_part, school_part) >- > def get_umc_policy_dn(self, name): > # at least the default ones should exist due to the join script > return ucr.get('ucsschool/ldap/default/policy/umc/%s' % name, 'cn=ucsschool-umc-%s-default,cn=UMC,cn=policies,%s' % (name, ucr.get('ldap/base'))) >@@ -152,8 +142,8 @@ > group.create(lo) > > # cn=ouadmins >- admin_group_container = 'cn=ouadmins,cn=groups,%s' % ucr.get('ldap/base') >- group = BasicGroup.cache(self.group_name('admins', 'admins-'), container=admin_group_container) >+ search_base = self.get_search_base(self.name) >+ group = BasicGroup.cache("{}{}".format(search_base.group_prefix_admins, self.name.lower()), container=search_base.globalGroupContainer) > group.create(lo) > group.add_umc_policy(self.get_umc_policy_dn('admins'), lo) > try: 
>@@ -168,18 +158,18 @@ > udm_obj.modify() > > # cn=schueler >- group = Group.cache(self.group_name('pupils', 'schueler-'), self.name) >+ group = Group.cache("{}{}".format(search_base.group_prefix_students, self.name.lower()), self.name) > group.create(lo) > group.add_umc_policy(self.get_umc_policy_dn('pupils'), lo) > > # cn=lehrer >- group = Group.cache(self.group_name('teachers', 'lehrer-'), self.name) >+ group = Group.cache("{}{}".format(search_base.group_prefix_teachers, self.name.lower()), self.name) > group.create(lo) > group.add_umc_policy(self.get_umc_policy_dn('teachers'), lo) > > # cn=mitarbeiter > if self.shall_create_administrative_objects(): >- group = Group.cache(self.group_name('staff', 'mitarbeiter-'), self.name) >+ group = Group.cache("{}{}".format(search_base.group_prefix_staff, self.name.lower()), self.name) > group.create(lo) > group.add_umc_policy(self.get_umc_policy_dn('staff'), lo) 
> >@@ -236,20 +226,34 @@ > return flatten([self.get_administrative_group_name(group_type, True, ou_specific, as_dn), self.get_administrative_group_name(group_type, False, ou_specific, as_dn)]) > if ou_specific == 'both': > return flatten([self.get_administrative_group_name(group_type, domain_controller, False, as_dn), self.get_administrative_group_name(group_type, domain_controller, True, as_dn)]) >+ search_base = self.get_search_base(self.name) >+ base_dn = ucr.get('ldap/base') > if group_type == 'administrative': >- name = 'Verwaltungsnetz' >+ if domain_controller: >+ if ou_specific: >+ dn = search_base.administrative_ou_dc_group >+ else: >+ dn = search_base.administrative_dc_group >+ else: >+ if ou_specific: >+ dn = search_base.administrative_ou_member_group >+ else: >+ dn = search_base.administrative_member_group > else: >- name = 'Edukativnetz' >- if domain_controller: >- name = 'DC-%s' % name >- else: >- name = 'Member-%s' % name >- if ou_specific: >- name = 'OU%s-%s' % (self.name.lower(), name) >+ if domain_controller: >+ if ou_specific: >+ dn = search_base.educational_ou_dc_group >+ else: >+ dn = search_base.educational_dc_group >+ else: >+ if ou_specific: >+ dn = search_base.educational_ou_member_group >+ else: >+ dn = search_base.educational_member_group > if as_dn: >- return 'cn=%s,cn=ucsschool,cn=groups,%s' % (name, ucr.get('ldap/base')) >+ return dn > else: >- return name >+ return ldap.explode_dn(dn, True)[0] > > def get_administrative_server_names(self, lo): > dn = self.get_administrative_group_name('administrative', ou_specific=True, as_dn=True) >Index: ucs-school-lib/python/models/share.py >=================================================================== >--- ucs-school-lib/python/models/share.py (Revision 74005) >+++ ucs-school-lib/python/models/share.py (Arbeitskopie) 
>@@ -138,6 +138,6 @@ > > def get_share_path(self): > if ucr.is_true('ucsschool/import/roleshare', True): >- return '/home/%s/groups/klassen/%s' % (self.school_group.school, self.name) >+ return '/home/%s/groups/%s/%s' % (self.school_group.school, self.get_search_base(self.school).share_name_class, self.name) > else: >- return '/home/groups/klassen/%s' % self.name >+ return '/home/groups/%s/%s' % (self.get_search_base(self.school).share_name_class, self.name) >Index: ucs-school-lib/python/models/user.py >=================================================================== >--- ucs-school-lib/python/models/user.py (Revision 74005) >+++ ucs-school-lib/python/models/user.py (Arbeitskopie) >@@ -445,15 +445,15 @@ > return [self.get_group_dn('Domain Users %s' % school, school) for school in self.schools] > > def get_students_groups(self): >- prefix = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') >+ prefix = self.get_search_base(self.school).group_prefix_students > return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools] > > def get_teachers_groups(self): >- prefix = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') >+ prefix = self.get_search_base(self.school).group_prefix_teachers > return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools] > > def get_staff_groups(self): >- prefix = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >+ prefix = self.get_search_base(self.school).group_prefix_staff > return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools] > > def groups_used(self, lo): 
>@@ -677,6 +677,6 @@ > > @classmethod > def from_student_dn(cls, lo, school, dn): >- examUserPrefix = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-') >+ examUserPrefix = cls.get_search_base(school).user_prefix_exam > dn = 'uid=%s%s,%s' % (escape_dn_chars(examUserPrefix), explode_dn(dn, True)[0], cls.get_container(school)) > return cls.from_dn(dn, school, lo) >Index: ucs-school-lib/python/roleshares.py >=================================================================== >--- ucs-school-lib/python/roleshares.py (Revision 74005) >+++ ucs-school-lib/python/roleshares.py (Arbeitskopie) >@@ -36,7 +36,7 @@ > import univention.config_registry > from ucsschool.lib.roles import role_pupil, role_teacher, role_staff > from ucsschool.lib.i18n import ucs_school_name_i18n >-from ucsschool.lib.models import Group, School >+from ucsschool.lib.models import Group, School, Share > from ucsschool.lib.schoolldap import LDAP_Connection, USER_READ, USER_WRITE, MACHINE_READ > import univention.admin.uexceptions > import univention.admin.uldap as udm_uldap >@@ -147,7 +147,7 @@ > ucr.load() > > school_ou = school.name >- share_container_dn = school.get_search_base(school.name).shares >+ share_container_dn = Share.get_container(school.name) > > teacher_groupname = '-'.join((ucs_school_name_i18n(role_teacher), school_ou)) > teacher_group = Group(name=teacher_groupname, school=school_ou).get_udm_object(ldap_user_read) >Index: ucs-school-lib/python/schoolldap.py >=================================================================== >--- ucs-school-lib/python/schoolldap.py (Revision 74005) >+++ ucs-school-lib/python/schoolldap.py (Arbeitskopie) 
>@@ -30,29 +30,26 @@ > # /usr/share/common-licenses/AGPL-3; if not, see > # <http://www.gnu.org/licenses/>. > >+import inspect >+import re >+from functools import wraps >+from ldap.filter import escape_filter_chars, filter_format >+ >+import univention.admin.config >+import univention.admin.modules >+import univention.admin.modules as udm_modules > import univention.config_registry > import univention.uldap >-import univention.admin.config >-import univention.admin.modules > from univention.admin.filter import conjunction, parse > from univention.admin.uexceptions import noObject >- >-import univention.admin.modules as udm_modules >-from univention.management.console.protocol.message import Message >- > from univention.lib.i18n import Translation >- >-from functools import wraps >-import re >-import inspect >-from ldap.filter import escape_filter_chars, filter_format >- > from univention.management.console.config import ucr >+from univention.management.console.ldap import get_machine_connection, get_admin_connection, get_user_connection#, reset_cache as reset_connection_cache > from univention.management.console.log import MODULE >-from univention.management.console.ldap import get_machine_connection, get_admin_connection, get_user_connection#, reset_cache as reset_connection_cache > from univention.management.console.modules import Base, UMC_Error > from univention.management.console.modules.decorators import sanitize > from univention.management.console.modules.sanitizers import StringSanitizer >+from univention.management.console.protocol.message import Message > > # load UDM modules > udm_modules.update() 
>@@ -161,7 +158,16 @@ > self._school = school or availableSchools[0] > self._schoolDN = dn or School.cache(self.school).dn > >- # prefixes >+ # >+ # When adding/updating UCRV defaults, also add/update them in shell/base.sh. >+ # >+ >+ # >+ # When changing any of ucsschool/ldap/default/groupname/all-{administrativ, educational}-{dc, member} >+ # copy the changes to ucs-school-ldap-acls-master/{61ucsschool_presettings, 65ucsschool}. >+ # >+ >+ # containers > self._containerAdmins = ucr.get('ucsschool/ldap/default/container/admins', 'admins') > self._containerStudents = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler') > self._containerStaff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') 
>@@ -170,12 +176,38 @@ > self._containerClass = ucr.get('ucsschool/ldap/default/container/class', 'klassen') > self._containerRooms = ucr.get('ucsschool/ldap/default/container/rooms', 'raeume') > self._examUserContainerName = ucr.get('ucsschool/ldap/default/container/exam', 'examusers') >- self._examGroupNameTemplate = ucr.get('ucsschool/ldap/default/groupname/exam', 'OU%(ou)s-Klassenarbeit') >- >+ # group names >+ self._examGroupName = ucr.get('ucsschool/ldap/default/groupname/exam', >+ 'OU%(ou)s-Klassenarbeit') % {'ou': self._school.lower()} >+ self._all_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-dc', >+ 'DC-Verwaltungsnetz') >+ self._all_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-member', >+ 'Member-Verwaltungsnetz') >+ self._all_educational_dc = ucr.get('ucsschool/ldap/default/groupname/all-educational-dc', >+ 'DC-Edukativnetz') >+ self._all_educational_member = ucr.get('ucsschool/ldap/default/groupname/all-educational-member', >+ 'Member-Edukativnetz') >+ self._ou_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-dc', >+ 'OU%(ou)s-DC-Verwaltungsnetz') % {'ou': self._school.lower()} >+ self._ou_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-member', >+ 'OU%(ou)s-Member-Verwaltungsnetz') % {'ou': self._school.lower()} >+ self._ou_educational_dc = ucr.get('ucsschool/ldap/default/groupname/ou-educational-dc', >+ 'OU%(ou)s-DC-Edukativnetz') % {'ou': self._school.lower()} >+ self._ou_educational_member = ucr.get('ucsschool/ldap/default/groupname/ou-educational-member', >+ 'OU%(ou)s-Member-Edukativnetz') % {'ou': self._school.lower()} >+ # group prefixes > self.group_prefix_students = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') > self.group_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') > self.group_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 
'admins-') > self.group_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >+ # user prefix >+ self.user_prefix_exam = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-') >+ # share/directory names >+ self.share_name_class = ucr.get('ucsschool/ldap/default/share/class', 'klassen') >+ self.share_name_pupils = ucr.get('ucsschool/ldap/default/share/pupils', 'schueler') >+ self.share_name_teachers = ucr.get('ucsschool/ldap/default/share/teachers', 'lehrer') >+ self.share_name_exams = ucr.get('ucsschool/ldap/default/share/exams', 'Klassenarbeiten') >+ self.share_name_marktplatz = ucr.get('ucsschool/import/generate/share/marktplatz/name', 'Marktplatz') > > @classmethod > def getOU(cls, dn): 
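Review bot: The new group-name attributes substitute `self._school.lower()` into the `%(ou)s` templates (`_examGroupName`, `_ou_administrativ_dc`, `_ou_educational_dc` and the two `-member` variants), whereas the code this patch removes further down in the same file substituted `self.school` unchanged. For an OU whose name contains capitals, the computed names now differ in case from the ones the old properties produced, which matters wherever these strings are compared or written rather than resolved by the LDAP server. Either substitute `self._school` as before or say in the comment that lowercasing is intended. Because the `%` formatting now runs in the constructor, a UCR value containing a stray `%` will also raise while the object is being built; validating the value or falling back to the default would be safer.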
>@@ -244,25 +276,65 @@ > > @property > def students(self): >+ """cn=schueler,cn=users,<ou dn>""" > return "cn=%s,cn=users,%s" % (self._containerStudents, self.schoolDN) > > @property >+ def students_group(self): >+ """cn=schueler,cn=groups,<ou dn>""" >+ return "cn=%s,cn=groups,%s" % (self._containerStudents, self.schoolDN) >+ >+ @property >+ def students_ou_group(self): >+ """cn=schueler-%(ou)s,cn=groups,<ou dn> (ou already replaced)""" >+ return "cn=%s%s,cn=groups,%s" % (self.group_prefix_students, self.school, self.schoolDN) >+ >+ @property > def teachers(self): >+ """cn=lehrer,cn=users,<ou dn>""" > return "cn=%s,cn=users,%s" % (self._containerTeachers, self.schoolDN) > > @property >+ def teachers_group(self): >+ """cn=lehrer,cn=groups,<ou dn>""" >+ return "cn=%s,cn=groups,%s" % (self._containerTeachers, self.schoolDN) >+ >+ @property >+ def teachers_ou_group(self): >+ """cn=lehrer-%(ou)s,cn=groups,<ou dn> (ou already replaced)""" >+ return "cn=%s%s,cn=groups,%s" % (self.group_prefix_teachers, self.school, self.schoolDN) >+ >+ @property > def teachersAndStaff(self): >+ """cn=lehrer und mitarbeiter,cn=users,<ou dn>""" > return "cn=%s,cn=users,%s" % (self._containerTeachersAndStaff, self.schoolDN) > > @property > def staff(self): >+ """cn=mitarbeiter,cn=users,<ou dn>""" > return "cn=%s,cn=users,%s" % (self._containerStaff, self.schoolDN) > > @property >+ def staff_group(self): >+ """cn=mitarbeiter,cn=groups,<ou dn>""" >+ return "cn=%s,cn=groups,%s" % (self._containerStaff, self.schoolDN) >+ >+ @property >+ def staff_ou_group(self): >+ """cn=mitarbeiter-%(ou)s,cn=groups,<ou dn> (ou already replaced)""" >+ return "cn=%s%s,cn=groups,%s" % (self.group_prefix_staff, self.school, self.schoolDN) >+ >+ @property > def admins(self): >+ """cn=admins,cn=users,<ou dn>""" > return "cn=%s,cn=users,%s" % (self._containerAdmins, self.schoolDN) > > @property >+ def admin_group(self): >+ """cn=admins-%(ou)s,cn=ouadmins,cn=groups,<ou dn> (ou already replaced)""" >+ return 
"cn=%s%s,cn=ouadmins,cn=groups,%s" % (self.group_prefix_admins, self.school, self.schoolDN) >+ >+ @property > def classShares(self): > return "cn=%s,cn=shares,%s" % (self._containerClass, self.schoolDN) 
> >@@ -288,28 +360,72 @@ > > @property > def educationalDCGroup(self): >- return "cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase) >+ """deprecated, please use educational_ou_dc_group""" >+ return self.educational_ou_dc_group > > @property > def educationalMemberGroup(self): >- return "cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase) >+ """deprecated, please use educational_ou_member_group""" >+ return self.educational_ou_member_group > > @property > def administrativeDCGroup(self): >- return "cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase) >+ """deprecated, please use administrative_ou_dc_group""" >+ return self.administrative_ou_dc_group > > @property > def administrativeMemberGroup(self): >- return "cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase) >+ """deprecated, please use administrative_ou_member_group""" >+ return self.administrative_ou_member_group > > @property >+ def administrative_dc_group(self): >+ """cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base>""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_dc, self._ldapBase) >+ >+ @property >+ def administrative_member_group(self): >+ """cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base>""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_member, self._ldapBase) >+ >+ @property >+ def educational_dc_group(self): >+ """cn=DC-Edukativnetz,cn=ucsschool,cn=groups,<ldap base>""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_dc, self._ldapBase) >+ >+ @property >+ def educational_member_group(self): >+ """cn=Member-Edukativnetz,cn=ucsschool,cn=groups,<ldap base>""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_member, self._ldapBase) >+ >+ @property >+ def educational_ou_dc_group(self): >+ """cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,<ldap base> (ou 
already replaced)""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_dc, self._ldapBase) >+ >+ @property >+ def educational_ou_member_group(self): >+ """cn=OU%(ou)s-Member-Edukativnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_member, self._ldapBase) >+ >+ @property >+ def administrative_ou_dc_group(self): >+ """cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_dc, self._ldapBase) >+ >+ @property >+ def administrative_ou_member_group(self): >+ """cn=OU%(ou)s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_member, self._ldapBase) >+ >+ @property > def examGroupName(self): >- ## replace '%(ou)s' strings in generic exam_group_name >- ucr_value_keywords = { 'ou': self.school } >- return self._examGroupNameTemplate % ucr_value_keywords >+ """OU%(ou)s-Klassenarbeit (only name, not a DN, ou already replaced)""" >+ return self._examGroupName > > @property > def examGroup(self): >+ """cn=OU%(ou)s-Klassenarbeit,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)""" > return "cn=%s,cn=ucsschool,cn=groups,%s" % (self.examGroupName, self._ldapBase) > > def isWorkgroup(self, groupDN): >Index: ucs-school-lib/shell/base.sh >=================================================================== >--- ucs-school-lib/shell/base.sh (Revision 74005) >+++ ucs-school-lib/shell/base.sh (Arbeitskopie) >@@ -110,7 +110,7 @@ > # > # $ servers_school_ous -h $(ucr get ldap/master) -p $(ucr get ldap/master/port) > # ou=bar,dc=example,dc=com >- local ldap_hostdn ldap_base ldap_server ldap_port IFS >+ local ldap_hostdn ldap_base ldap_server ldap_port IFS res > . /usr/share/univention-lib/ucr.sh > > ldap_base="$(/usr/sbin/univention-config-registry get ldap/base)" 
>@@ -140,10 +140,9 @@ > res="" > for oudn in $(univention-ldapsearch $ldap_server $ldap_port -xLLL -b "$ldap_base" 'objectClass=ucsschoolOrganizationalUnit' dn | ldapsearch-wrapper | sed -nre 's/^dn: //p') ; do > ouname="$(school_ou "$oudn")" >- if is_ucr_true ucsschool/singlemaster; then >- search_str="(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))" >- else >- search_str="(&(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))(uniqueMember=${ldap_hostdn}))" >+ search_str="(|(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc ${ouname}))(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc OU${ouname})))" >+ if ! is_ucr_true ucsschool/singlemaster; then >+ search_str="(&${search_str}(uniqueMember=${ldap_hostdn}))" > fi > if univention-ldapsearch $ldap_server $ldap_port -xLLL "$search_str" dn | grep -q "^dn: "; then > res="$res 
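Review bot: The two `ucr_names_default` calls in the new `search_str` pass different second arguments: `${ouname}` for `ou-educational-dc` but `OU${ouname}` for `ou-administrativ-dc`. With the default template `OU%(ou)s-DC-Verwaltungsnetz` the second call yields `OUOU<name>-DC-Verwaltungsnetz`, so the administrative branch of the filter can no longer match. Pass `"${ouname}"` in both calls, and quote it, since the value is interpolated into an LDAP filter.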
>@@ -152,3 +151,92 @@ > done > echo -n "${res}" | egrep -v "^\s*$" > } >+ >+replace_ou() { >+ # syntax: replace_ou <template> <ou> >+ # >+ # Replace '%(ou)s' in <template> with <ou> >+ # >+ # example: >+ # $ replace_ou "OU%(ou)s-DC-Edukativnetz" "myschool" >+ # "OUmyschool-DC-Edukativnetz >+ if [ "$#" != 2 ]; then >+ echo "syntax: replace_ou <template> <ou>" >+ return 1 >+ fi >+ echo -n "$1" | sed "s/%(ou)s/$2/" >+} >+ >+ucr_names_default() { >+ # syntax: ucr_names_default <ucr> [ou] >+ # >+ # Get UCR value or default, optionally replace '%(ou)s'. >+ # >+ # example: >+ # $ ucr_names_default "ucsschool/ldap/default/container/pupils" >+ # "schueler >+ # $ ucr_names_default "ucsschool/ldap/default/groupname/ou-administrativ-dc" "myschool" >+ # "OUmyschool-DC-Verwaltungsnetz" >+ local res >+ >+ if [ "$#" -lt 1 -o "$#" -gt 2 ]; then >+ echo "syntax: ucr_names_default <ucr> [ou]" >+ return 1 >+ fi >+ if [ $(echo -n "$1" | cut -f 1-3 -d '/') != 'ucsschool/ldap/default' ]; then >+ echo "<ucr> must be a UCR variable from ucsschool/ldap/default/*/*" >+ return 1 >+ fi >+ >+ # >+ # When adding/updating UCRV defaults, also add/update them in python/schoolldap.py. 
>+ # >+ >+ res="$(ucr get $1)" >+ if [ -z "$res" ]; then >+ case "$1" in >+ # containers >+ 'ucsschool/ldap/default/container/admins') res='admins';; >+ 'ucsschool/ldap/default/container/pupils') res='schueler';; >+ 'ucsschool/ldap/default/container/staff') res='mitarbeiter';; >+ 'ucsschool/ldap/default/container/teachers-and-staff') res='lehrer und mitarbeiter';; >+ 'ucsschool/ldap/default/container/teachers') res='lehrer';; >+ 'ucsschool/ldap/default/container/class') res='klassen';; >+ 'ucsschool/ldap/default/container/rooms') res='raeume';; >+ 'ucsschool/ldap/default/container/exam') res='examusers';; >+ # group names >+ 'ucsschool/ldap/default/groupname/exam') res='OU%(ou)%s-Klassenarbeit';; >+ 'ucsschool/ldap/default/groupname/all-administrativ-dc') res='DC-Verwaltungsnetz';; >+ 'ucsschool/ldap/default/groupname/all-administrativ-member') res='Member-Verwaltungsnetz';; >+ 'ucsschool/ldap/default/groupname/all-educational-dc') res='DC-Edukativnetz';; >+ 'ucsschool/ldap/default/groupname/all-educational-member') res='Member-Edukativnetz';; >+ 'ucsschool/ldap/default/groupname/ou-administrativ-dc') res='OU%(ou)s-DC-Verwaltungsnetz';; >+ 'ucsschool/ldap/default/groupname/ou-administrativ-member') res='OU%(ou)s-Member-Verwaltungsnetz';; >+ 'ucsschool/ldap/default/groupname/ou-educational-dc') res='OU%(ou)s-DC-Edukativnetz';; >+ 'ucsschool/ldap/default/groupname/ou-educational-member') res='OU%(ou)s-Member-Edukativnetz';; >+ # group prefixes >+ 'ucsschool/ldap/default/groupprefix/pupils') res='schueler-';; >+ 'ucsschool/ldap/default/groupprefix/teachers') res='lehrer-';; >+ 'ucsschool/ldap/default/groupprefix/admins') res='admins-';; >+ 'ucsschool/ldap/default/groupprefix/staff') res='mitarbeiter-';; >+ # user prefix >+ 'ucsschool/ldap/default/userprefix/exam') res='exam-';; >+ # share/directory names >+ 'ucsschool/ldap/default/share/class') res='klassen';; >+ 'ucsschool/ldap/default/share/pupils') res='schueler';; >+ 'ucsschool/ldap/default/share/teachers') 
res='lehrer';; >+ 'ucsschool/ldap/default/share/exams') res='Klassenarbeiten';; >+ 'ucsschool/import/generate/share/marktplatz/name') res='Marktplatz';; >+ esac >+ fi >+ if [ -z "$res" ]; then >+ echo "Error: Unknown UCR $1." >+ return 1 >+ fi >+ >+ if [ -z "$2" ]; then >+ echo -n "$res" >+ else >+ replace_ou "$res" "$2" >+ fi >+} >Index: ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst >=================================================================== >--- ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst (Revision 74005) >+++ ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst (Arbeitskopie) >@@ -32,9 +32,12 @@ > VERSION="1" > > . /usr/share/univention-join/joinscripthelper.lib >+. /usr/share/ucs-school-lib/base.sh >+ > joinscript_init > > eval "$(univention-config-registry shell)" >+share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)" > > # samba 4 netlogon share > myrealm=$(echo $kerberos_realm | awk '{print tolower($0)}') >@@ -43,9 +46,9 @@ > fi > > univention-config-registry set \ >- ucsschool/userlogon/commonshares?"Marktplatz" \ >- ucsschool/userlogon/commonshares/server/Marktplatz?"$hostname" \ >- ucsschool/userlogon/commonshares/letter/Marktplatz?"M" \ >+ ucsschool/userlogon/commonshares?"$share_name" \ >+ "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \ >+ "ucsschool/userlogon/commonshares/letter/$share_name?M" \ > ucsschool/userlogon/classshareletter?"K" \ > ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs' > >Index: ucs-school-netlogon-user-logonscripts/debian/control >=================================================================== >--- ucs-school-netlogon-user-logonscripts/debian/control (Revision 74005) >+++ ucs-school-netlogon-user-logonscripts/debian/control (Arbeitskopie) 
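Review bot: `$share_name` in these three `univention-config-registry set` arguments will not hold the share name. It is filled from `ucr_names_default ucsschool/import/generate/share/marktplatz/name`, but `ucr_names_default` returns 1 for any variable whose first three path components are not `ucsschool/ldap/default`, so the `Marktplatz` case entry is unreachable, and because the error text is written to stdout the command substitution captures that message as the value. Exempt this key from the prefix check, send the error messages in `ucr_names_default` and `replace_ou` to stderr, and have the join script test the exit status before using `$share_name` in a UCR key.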
>@@ -13,6 +13,7 @@ > univention-directory-listener, > ucs-school-netlogon, > shell-univention-lib, >+ shell-ucs-school, > univention-config > Description: ucs@school userspecific netlogon scripts > This package provides a listener-module that creates >Index: ucs-school-netlogon-user-logonscripts/debian/ucs-school-netlogon-user-logonscripts.postinst >=================================================================== >--- ucs-school-netlogon-user-logonscripts/debian/ucs-school-netlogon-user-logonscripts.postinst (Revision 74005) >+++ ucs-school-netlogon-user-logonscripts/debian/ucs-school-netlogon-user-logonscripts.postinst (Arbeitskopie) >@@ -33,14 +33,16 @@ > #DEBHELPER# > > . /usr/share/univention-lib/all.sh >+. /usr/share/ucs-school-lib/base.sh > > eval "$(ucr shell)" >+share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)" > > univention-config-registry set \ > samba/homedirletter?I \ >- ucsschool/userlogon/commonshares?"Marktplatz" \ >- ucsschool/userlogon/commonshares/server/Marktplatz?"$hostname" \ >- ucsschool/userlogon/commonshares/letter/Marktplatz?"M" \ >+ ucsschool/userlogon/commonshares?"$share_name" \ >+ "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \ >+ "ucsschool/userlogon/commonshares/letter/$share_name?M" \ > ucsschool/userlogon/classshareletter?"K" \ > ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs' \ > ucsschool/userlogon/myshares/enabled?no >Index: ucs-school-umc-computerroom/umc/python/computerroom/__init__.py >=================================================================== >--- ucs-school-umc-computerroom/umc/python/computerroom/__init__.py (Revision 74005) >+++ ucs-school-umc-computerroom/umc/python/computerroom/__init__.py (Arbeitskopie) 
>@@ -727,7 +727,7 @@ > vset[vunset[-1]] = shareMode > vextract.append('samba/othershares/hosts/deny') > vappend[vextract[-1]] = hosts >- vextract.append('samba/share/Marktplatz/hosts/deny') >+ vextract.append('samba/share/{}/hosts/deny'.format(School.get_search_base(self._italc.school).share_name_marktplatz)) > vappend[vextract[-1]] = hosts > else: > vunset_now.append('samba/sharemode/room/%s' % self._italc.room) >Index: ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py >=================================================================== >--- ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py (Revision 74005) >+++ ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py (Arbeitskopie) >@@ -117,7 +117,7 @@ > firstname = firstname[:5] + '.' > > username = firstname + lastname[:5] >- maxlength = 20 - len(ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')) >+ maxlength = 20 - len(self.get_search_base(self.school).user_prefix_exam) > return replace_invalid_chars(username[:maxlength]) > > @classmethod >Index: ucs-school-umc-distribution/debian/ucs-school-umc-distribution.univention-config-registry-variables >=================================================================== >--- ucs-school-umc-distribution/debian/ucs-school-umc-distribution.univention-config-registry-variables (Revision 0) >+++ ucs-school-umc-distribution/debian/ucs-school-umc-distribution.univention-config-registry-variables (Arbeitskopie) 
>@@ -0,0 +1,11 @@ >+[ucsschool/datadistribution/datadir/recipient] >+Description[de]=Standardname für das Projektverzeichnis in das Unterrichtsmaterial verteilt wird. Standard ist "Unterrichtsmaterial". >+Description[en]=Default name for the project directory into which teaching material will be distributed. Default is "Unterrichtsmaterial". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/datadistribution/datadir/sender] >+Description[de]=Standardname für das Projektverzeichnis aus dem Unterrichtsmaterial eingesammelt wird. Standard ist "Unterrichtsmaterial". >+Description[en]=Default name for the project directory from which teaching material will be collected. Default is "Unterrichtsmaterial". >+Type=str >+Categories=ucsschool-base >Index: ucs-school-umc-distribution/umc/python/distribution/util.py >=================================================================== >--- ucs-school-umc-distribution/umc/python/distribution/util.py (Revision 74005) >+++ ucs-school-umc-distribution/umc/python/distribution/util.py (Arbeitskopie) >@@ -291,7 +291,7 @@ > @property > def isDistributed(self): > '''True if files have already been distributed.''' >- # distributed files can still be found in the internal property 'files', >+ # distributed files can still be found in the internal property 'files',Unterrichtsmaterial > # however, upon distribution they are removed from the cache directory; > # thus, if one of the specified files does not exist, the project has > # already been distributed >Index: ucs-school-umc-exam/debian/control >=================================================================== >--- ucs-school-umc-exam/debian/control (Revision 74005) >+++ ucs-school-umc-exam/debian/control (Arbeitskopie) 
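Review bot: The only change in the `isDistributed` hunk appends the word `Unterrichtsmaterial` to the end of a comment line (`... internal property 'files',Unterrichtsmaterial`), which looks like an accidental paste. Drop this hunk so that `util.py` is left untouched.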
>@@ -31,6 +31,7 @@ > python-ucs-school, > ucs-school-import, > shell-univention-lib, >+ shell-ucs-school, > univention-ldap-config (>= 9.0.27-3), > Description: UMC module delivering backend services for ucs-school-umc-exam > UMC module delivering backend services for ucs-school-umc-exam >Index: ucs-school-umc-exam/hooks/ou_create_post.d/60schoolexam-master >=================================================================== >--- ucs-school-umc-exam/hooks/ou_create_post.d/60schoolexam-master (Revision 74005) >+++ ucs-school-umc-exam/hooks/ou_create_post.d/60schoolexam-master (Arbeitskopie) >@@ -35,6 +35,7 @@ > [ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1 > > . /usr/share/univention-lib/ucr.sh >+. /usr/share/ucs-school-lib/base.sh > > eval "$(ucr shell)" > >@@ -43,20 +44,13 @@ > district=",ou=${ou:0:2}" > fi > >-examusers="$ucsschool_ldap_default_container_exam" >-if [ -z "$examusers" ] ; then >- examusers='examusers' >-fi >+examusers="$(ucr_names_default ucsschool/ldap/default/container/exam)" > > udm container/cn create --ignore_exists \ > --position "ou=${ou}${district},${ldap_base}" \ > --set name="${examusers}" \ > >-examgroupname="$ucsschool_ldap_default_groupname_exam" >-if [ -z "$examgroupname" ] ; then >- examgroupname='OU%(ou)s-Klassenarbeit' >-fi >-ou_specific_examgroupname=$(python -c "print '$examgroupname' % {'ou': '$ou'}") >+ou_specific_examgroupname="$(ucr_names_default ucsschool/ldap/default/groupname/exam)" > > udm groups/group create --ignore_exists \ > --position "cn=ucsschool,cn=groups,${ldap_base}" \ >Index: ucs-school-umc-exam/share/exam-and-room-cleanup >=================================================================== >--- ucs-school-umc-exam/share/exam-and-room-cleanup (Revision 74005) >+++ ucs-school-umc-exam/share/exam-and-room-cleanup (Arbeitskopie) 
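Review bot: `ou_specific_examgroupname` is now computed by `ucr_names_default ucsschool/ldap/default/groupname/exam` with no OU argument, so the `%(ou)s` placeholder that the removed `python -c` line filled in from `$ou` stays in the group name passed to `udm groups/group create`. Pass `"$ou"` as the second argument. Note also that the default for this key in `base.sh` is written `OU%(ou)%s-Klassenarbeit`, which the `s/%(ou)s/.../` expression in `replace_ou` does not match, so the default needs correcting to `OU%(ou)s-Klassenarbeit` for the substitution to take effect.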
>@@ -39,7 +39,7 @@ > import univention.config_registry > import univention.uldap > import univention.admin.uldap >-from ucsschool.lib.schoolldap import SchoolSearchBase >+from ucsschool.lib.models import ExamStudent > from univention.lib.umc_connection import UMCConnection > from univention.admin.uexceptions import noObject > from ldap.filter import escape_filter_chars >@@ -58,7 +58,6 @@ > self.hostname = self.ucr.get('hostname') > self.umcp = self.get_UMCP_connection() > self.lo = self.get_LDAP_connection() >- self.exam_prefix = self.ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-') > self.DIR_ROOMS = '/var/cache/ucs-school-umc-computerroom' > self.DIR_EXAMS = self.ucr.get('ucsschool/exam/cache', '/var/lib/ucs-school-umc-schoolexam') > >@@ -142,9 +141,9 @@ > ou_list = self.lo.search(filter='(objectClass=ucsschoolOrganizationalUnit)') > for ou_dn, ou_attrs in ou_list: > ou_name = ou_attrs['ou'][0] >- searchbase = SchoolSearchBase([ou_name], dn=ou_dn) >+ exam_prefix = ExamStudent.get_search_base(ou_name).user_prefix_exam > try: >- userlist = mod_user.lookup({}, lo, 'uid=%s*' % (escape_filter_chars(self.exam_prefix),), base=searchbase.examUsers) >+ userlist = mod_user.lookup({}, lo, 'uid=%s*' % (escape_filter_chars(exam_prefix),), base=ExamStudent.get_container(ou_name)) > except noObject: > # no exam users container in this OU > continue >Index: ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py >=================================================================== >--- ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py (Revision 74005) >+++ ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py (Arbeitskopie) >@@ -38,6 +38,7 @@ > import traceback > import re > from ldap.filter import filter_format >+from ldap import explode_dn > > from univention.management.console.config import ucr > from univention.management.console.log import MODULE 
>@@ -60,8 +61,6 @@ > def __init__(self): > SchoolBaseModule.__init__(self) > >- self._examUserPrefix = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-') >- > ## cache objects > self._udm_modules = dict() > self._examGroup = None >@@ -103,9 +102,8 @@ > def examUserContainerDN(self, ldap_admin_write, ldap_position, school): > '''lookup examUserContainerDN, create it if missing''' > if not self._examUserContainerDN: >- search_base = School.get_search_base(school) >- examUsers = search_base.examUsers >- examUserContainerName = search_base._examUserContainerName >+ examUsers = ExamStudent.get_container(school) >+ examUserContainerName = explode_dn(ExamStudent.get_search_base(school).examUsers, True)[0] > try: > ldap_admin_write.searchDn('(objectClass=organizationalRole)', examUsers, scope='base') > except univention.admin.uexceptions.noObject: >@@ -149,7 +147,8 @@ > user_orig = user.get_udm_object(ldap_admin_write) > > ### uid and DN of exam_user >- exam_user_uid = "".join((self._examUserPrefix, user_orig['username'])) >+ exam_user_prefix = ExamStudent.get_search_base(school).user_prefix_exam >+ exam_user_uid = "".join((exam_user_prefix, user_orig['username'])) > exam_user_dn = "uid=%s,%s" % (exam_user_uid, self.examUserContainerDN(ldap_admin_write, ldap_position, user.school)) > > try: >Index: ucs-school-umc-installer/umc/python/schoolinstaller/__init__.py >=================================================================== >--- ucs-school-umc-installer/umc/python/schoolinstaller/__init__.py (Revision 74005) >+++ ucs-school-umc-installer/umc/python/schoolinstaller/__init__.py (Arbeitskopie) 
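Review bot: In the last hunk `exam_user_prefix` is looked up with `ExamStudent.get_search_base(school)`, while the container two lines below is resolved with `user.school`. Use the same value for both so that the uid prefix and the container always belong to the same OU. The visible import hunk for this module adds only `explode_dn`, so please confirm `ExamStudent` is imported here now that it replaces `School.get_search_base`.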
>@@ -572,9 +572,9 @@ > for islave in slaves: > islave.open() > # compare group DNs case insensitive >- if search_base.educationalDCGroup.lower() in [x.lower() for x in islave['groups']]: >+ if search_base.educational_ou_dc_group.lower() in [x.lower() for x in islave['groups']]: > values['educational_slaves'].append(islave['name']) >- if search_base.administrativeDCGroup.lower() in [x.lower() for x in islave['groups']]: >+ if search_base.administrative_ou_dc_group.lower() in [x.lower() for x in islave['groups']]: > values['administrative_slaves'].append(islave['name']) > except univention.uldap.ldap.LDAPError as err: > MODULE.warn('LDAP connection to %s failed: %s' % (master, err)) >Index: ucs-test-ucsschool/90_ucsschool/07_printermoderation_check >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/07_printermoderation_check (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/07_printermoderation_check (Arbeitskopie) >@@ -21,6 +21,7 @@ > import univention.testing.udm > import univention.testing.utils as utils > from univention.testing.ucsschool import UMCConnection >+from ucsschool.lib.models import SchoolClass > > > def _dir(userName): >@@ -107,10 +108,7 @@ > pattern, > basedn): > if cName != 'None': >- cdn = 'cn=%s,cn=klassen,cn=schueler,cn=groups,ou=%s,%s' % ( >- cName, >- school, >- basedn) >+ cdn = SchoolClass(school=school, name=cName).dn > else: > cdn = cName > param = {'school': school, 
>@@ -197,12 +195,12 @@ > klasse1_dn = udm.create_object( > 'groups/group', > name='%s-1A' % school, >- position="cn=klassen,cn=schueler,cn=groups,%s" % oudn >+ position=SchoolClass.get_container(oudn) > ) > klasse2_dn = udm.create_object( > 'groups/group', > name='%s-2B' % school, >- position="cn=klassen,cn=schueler,cn=groups,%s" % oudn >+ position=SchoolClass.get_container(school) > ) > tea, teadn = schoolenv.create_user(school, is_teacher=True) > stu1, stu1_dn = schoolenv.create_user(school) >Index: ucs-test-ucsschool/90_ucsschool/101_exam_mode >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/101_exam_mode (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/101_exam_mode (Arbeitskopie) >@@ -13,6 +13,7 @@ > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu > import univention.testing.udm >+from ucsschool.lib.models import SchoolClass > > def main(): > with univention.testing.udm.UCSTestUDM() as udm: >@@ -27,7 +28,7 @@ > else: > edudc = ucr.get('hostname') > school, oudn = schoolenv.create_ou(name_edudc=edudc) >- klasse_dn = udm.create_object('groups/group',name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn) >+ klasse_dn = udm.create_object('groups/group',name='%s-AA1' % school, position=SchoolClass.get_container(school)) > > tea, teadn = schoolenv.create_user(school, is_teacher=True) > stu, studn = schoolenv.create_user(school) >Index: ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members (Arbeitskopie) 
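Review bot: In `07_printermoderation_check`, `klasse1_dn` is created with `position=SchoolClass.get_container(oudn)`, whereas `klasse2_dn` right below it and the `101_exam_mode` call use `SchoolClass.get_container(school)`. The argument should be the school name in all three places; passing the OU DN would put the first class in a different (likely invalid) position than the second.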
>@@ -15,7 +15,9 @@ > import univention.testing.ucsschool as utu > import univention.testing.udm > import univention.testing.utils as utils >+from ucsschool.lib.models import ExamStudent, SchoolClass > >+ > def main(): > with univention.testing.udm.UCSTestUDM() as udm: > with utu.UCSTestSchool() as schoolenv: >@@ -29,7 +31,7 @@ > klasse_dn = udm.create_object( > 'groups/group', > name='%s-AA1' % school, >- position="cn=klassen,cn=schueler,cn=groups,%s" % oudn >+ position=SchoolClass.get_container(school) > ) > tea, teadn = schoolenv.create_user(school, is_teacher=True) > stu, studn = schoolenv.create_user(school) >@@ -65,11 +67,11 @@ > > try: > expected_memberUid = ["%s$" % pc2.name, "exam-%s" % stu] >- expected_uniqueMember = ["%s" % pc2.dn, "uid=exam-%s,cn=examusers,%s" % (stu, oudn)] >+ expected_uniqueMember = [pc2.dn, ExamStudent(school=school, name=stu).dn] > > # Get the current attributes values > lo = getMachineConnection() >- exam_group_dn = "cn=OU%s-Klassenarbeit,cn=ucsschool,cn=groups,%s" % (school, ucr.get('ldap/base')) >+ exam_group_dn = ExamStudent.get_search_base(school).examGroup > memberUid = lo.search(base=exam_group_dn)[0][1].get('memberUid') > uniqueMember = lo.search(base=exam_group_dn)[0][1].get('uniqueMember') > >Index: ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings (Arbeitskopie) >@@ -17,7 +17,9 @@ > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu > import univention.testing.udm >+from ucsschool.lib.models import SchoolClass > >+ > def main(): > with univention.testing.udm.UCSTestUDM() as udm: > with utu.UCSTestSchool() as schoolenv: 
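Review bot: In `101_exam_mode_group_members`, `expected_memberUid` still hardcodes `"exam-%s" % stu`, so the test fails as soon as `ucsschool/ldap/default/userprefix/exam` is changed, which is the case this patch is meant to support. Build it from `ExamStudent.get_search_base(school).user_prefix_exam` instead. The replaced `expected_uniqueMember` entry also began with `uid=exam-%s`, while the new `ExamStudent(school=school, name=stu).dn` is given the bare student name; unless the model adds the prefix itself, pass the prefixed name here.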
>@@ -32,7 +34,7 @@ > edudc = ucr.get('hostname') > > school, oudn = schoolenv.create_ou(name_edudc=edudc) >- klasse_dn = udm.create_object('groups/group',name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn) >+ klasse_dn = udm.create_object('groups/group',name='%s-AA1' % school, position=SchoolClass.get_container(school)) > > tea, teadn = schoolenv.create_user(school, is_teacher=True) > stu, studn = schoolenv.create_user(school) >Index: ucs-test-ucsschool/90_ucsschool/102_rename_class >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/102_rename_class (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/102_rename_class (Arbeitskopie) >@@ -16,7 +16,9 @@ > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu > import univention.testing.utils as utils >+from ucsschool.lib.models import ClassShare, SchoolClass > >+ > BACKUP_PATH = '/home/backup/groups' > > def ldap_info(cn): 
>@@ -46,17 +48,14 @@ > utils.verify_ldap_object(share_dn(new_name, school), should_exist=True) > > def share_dn(class_name, school): >- with ucr_test.UCSTestConfigRegistry() as ucr: >- return 'cn=%s,cn=klassen,cn=shares,ou=%s,%s' % ( >- class_name, school,ucr.get('ldap/base')) >+ return ClassShare(school=school, name=class_name).dn > > def class_dn(class_name, school): >- with ucr_test.UCSTestConfigRegistry() as ucr: >- return 'cn=%s,cn=klassen,cn=schueler,cn=groups,ou=%s,%s' % ( >- class_name, school,ucr.get('ldap/base')) >+ return SchoolClass(school=school, name=class_name).dn > > def share_path(class_name, school): >- path = '/home/%s/groups/klassen/%s' % (school, class_name) >+ sc = SchoolClass(school=school, name=class_name) >+ path = ClassShare(school=school, name=class_name, school_group=sc).get_share_path() > if os.path.exists(path): > return path > >Index: ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users (Arbeitskopie) >@@ -10,6 +10,7 @@ > import ldap > import univention.testing.ucr as ucr_test > import univention.testing.utils as utils >+from ucsschool.lib.models import Group > > > def main(): 
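Review bot: `share_dn()`, `class_dn()` and `share_path()` in the `@@ -46,17 +48,14 @@` hunk of `102_rename_class` now take their expected values from `ClassShare` and `SchoolClass` instead of literal DNs and paths, so the expectations follow whatever the models return and the test can no longer detect a wrong DN or share path produced by `ucsschool.lib.models`. Keep at least one assertion against a DN assembled independently from the configured container name. The three helpers also no longer use `ucr_test`; check whether that import is still needed in this file.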
>@@ -45,7 +46,7 @@ > utils.fail('Attribute %s was not found in ldap object %r' % ( > 'univentionPolicyReference', base)) > except ldap.NO_SUCH_OBJECT as e: >- if "cn=groups,%s" % (schoolenv.get_ou_base_dn(school),) in str(e): >+ if Group.get_container(school) in str(e): > print ('* Cought an expected exception: %r' % e) > else: > utils.fail('Unexpected Exception: %r' % e) >Index: ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares (Arbeitskopie) >@@ -19,7 +19,7 @@ > for share in Share.get_all(lo, school.name): > share_udm = share.get_udm_object(lo) > if "nfs" in share_udm.options: >- if share.name in ["Marktplatz", "iTALC-Installation"]: >+ if share.name in [Share.get_search_base(school).share_name_marktplatz, "iTALC-Installation"]: > print("*** Ignoring //{}/{} (Bug #42514)".format(school.name, share.name)) > else: > nfs_shares.append((school.name, share.name)) >Index: ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record (Arbeitskopie) >@@ -132,7 +132,7 @@ > position = "cn=dc,cn=server,cn=computers,%s" % (school.dn,), > domain = ucr.get('domainname'), > service = ("S4 SlavePDC", _local_ucsschool_service), >- groups = ("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr) >+ groups = (school.get_search_base(school.name).educational_dc_group) > ) > > positive_test_fqdn = ".".join((positive_test_hostname, ucr.get('domainname'))) 
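Review bot: In the `131_check_for_nfs_shares` hunk, `Share.get_search_base(school)` is passed the `school` object, while the surrounding lines use `school.name` (`Share.get_all(lo, school.name)`) and the other tests in this patch pass the school name. Use `Share.get_search_base(school.name)`, and move the lookup out of the `for share` loop since the result does not change per share.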
>@@ -144,7 +144,7 @@ > position = "cn=dc,cn=server,cn=computers,%s" % (school.dn,), > domain = ucr.get('domainname'), > service = ("S4 SlavePDC", _not_local_ucsschool_service), >- groups = ("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr) >+ groups = (school.get_search_base(school.name).educational_dc_group) > ) > > negative_test_fqdn = ".".join((negative_test_hostname, ucr.get('domainname'))) >Index: ucs-test-ucsschool/90_ucsschool/19_available_umc_modules >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/19_available_umc_modules (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/19_available_umc_modules (Arbeitskopie) >@@ -11,7 +11,9 @@ > import univention.testing.ucsschool as utu > import univention.testing.udm as udm_test > import univention.testing.utils as utils >+from ucsschool.lib.models import School > >+ > def listUnion(firstList, secondList): > return list(set(firstList).union(set(secondList))) > >@@ -161,8 +163,9 @@ > utils.wait_for_replication_and_postrun() > > basedn = ucr.get('ldap/base') >- position = 'cn=admins,cn=users,ou=%s,%s' % (school, basedn ) >- groups = ["cn=admins-%s,cn=ouadmins,cn=groups,%s" % (school, basedn)] >+ search_base = School.get_search_base(school) >+ position = search_base.admins >+ groups = [search_base.admin_group] > dn, schooladmin = udm.create_user(position=position, groups=groups) > groups = ["cn=Domain Admins,cn=groups,%s" % (basedn,)] > dn, domainadmin = udm.create_user(position=position, groups=groups) >Index: ucs-test-ucsschool/90_ucsschool/213_import-users_modify_with_several_groups >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/213_import-users_modify_with_several_groups (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/213_import-users_modify_with_several_groups (Arbeitskopie) 
>@@ -12,6 +12,7 @@ > import univention.testing.utils as utils > from essential.importusers_cli_v2 import CLI_Import_v2_Tester > from essential.importusers import Person >+from ucsschool.lib.models import SchoolClass, WorkGroup > > > class Test(CLI_Import_v2_Tester): >@@ -38,10 +39,10 @@ > self.log.debug('*** Creating groups...') > global_group_dn, global_group_name = self.udm.create_group() > workgroup_A_dn, workgroup_A_name = self.udm.create_group( >- position='cn=schueler,cn=groups,%s' % (self.ou_A.dn,), >+ position=WorkGroup.get_container(self.ou_A.name), > name="{}-{}".format(self.ou_A.name, uts.random_groupname())) > class_A_dn, class_A_name = self.udm.create_group( >- position='cn=klassen,cn=schueler,cn=groups,%s' % (self.ou_A.dn,), >+ position=SchoolClass.get_container(self.ou_A.name), > name="{}-{}".format(self.ou_A.name, uts.random_groupname())) > cn_A_dn = self.udm.create_object('container/cn', position=self.ou_A.dn, name='kurs-%s' % uts.random_string()) > extra_A_group1_dn, extra_A_group1_name = self.udm.create_group(position=cn_A_dn) 
>@@ -50,10 +51,10 @@ > name="{}-{}".format(self.ou_A.name, uts.random_groupname())) > > workgroup_B_dn, workgroup_B_name = self.udm.create_group( >- position='cn=schueler,cn=groups,%s' % (self.ou_B.dn,), >+ position=WorkGroup.get_container(self.ou_B.name), > name="{}-{}".format(self.ou_B.name, uts.random_groupname())) > class_B_dn, class_B_name = self.udm.create_group( >- position='cn=klassen,cn=schueler,cn=groups,%s' % (self.ou_B.dn,), >+ position=SchoolClass.get_container(self.ou_B.name), > name="{}-{}".format(self.ou_B.name, uts.random_groupname())) > cn_B_dn = self.udm.create_object('container/cn', position=self.ou_B.dn, name='kurs-%s' % uts.random_string()) > extra_B_group1_dn, extra_B_group1_name = self.udm.create_group(position=cn_B_dn) >Index: ucs-test-ucsschool/90_ucsschool/214_import-users_empty_class_column >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/214_import-users_empty_class_column (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/214_import-users_empty_class_column (Arbeitskopie) >@@ -13,6 +13,7 @@ > import univention.testing.utils as utils > from essential.importusers_cli_v2 import CLI_Import_v2_Tester > from essential.importusers import Person >+from ucsschool.lib.models import SchoolClass > > > class Test(CLI_Import_v2_Tester): >@@ -44,7 +45,7 @@ > > def create_user_w_two_classes(record_uid, source_uid, same_ou=True): > cls1_dn, cls1_name = self.udm.create_group( >- position='cn=klassen,cn=schueler,cn=groups,%s' % (self.ou_A.dn,), >+ position=SchoolClass.get_container(self.ou_A.name), > name="{}-{}".format(self.ou_A.name, uts.random_groupname())) > if same_ou: > dn = self.ou_A.dn 
>@@ -55,7 +56,7 @@ > name = self.ou_B.name > school = sorted([self.ou_A.name, self.ou_B.name])[0] > cls2_dn, cls2_name = self.udm.create_group( >- position='cn=klassen,cn=schueler,cn=groups,%s' % (dn,), >+ position=SchoolClass.get_container(name), > name="{}-{}".format(name, uts.random_groupname())) > person = Person(school, role) > person.update(record_uid=record_uid, source_uid=source_uid, username=uts.random_username()) >Index: ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference (Arbeitskopie) >@@ -11,6 +11,7 @@ > from essential.computerroom import Room, Computers, add_printer, remove_printer, clean_folder, run_commands > from essential.internetrule import InternetRule > from essential.workgroup import Workgroup >+from ucsschool.lib.models import Share > from univention.testing.ucsschool import UMCConnection > from univention.testing.network import NetworkRedirector > import datetime >@@ -153,7 +154,7 @@ > ucr) > # For DEBUG purposes > # run_commands([['ucr', 'search', room1.name], ['ucr','search', room2.name], ['atq']], {}) >- clean_folder('/home/gsmitte/groups/Marktplatz/') >+ clean_folder('/home/gsmitte/groups/{}/'.format(Share.get_search_base(school).share_name_marktplatz)) > clean_folder('/home/%s/lehrer/%s/' % (school, tea)) > #TODO Exception Errno4 > except httplib.HTTPException as e: >Index: ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create (Arbeitskopie) 
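Review bot: The changed `clean_folder()` call in `22_computerroom_two_rooms_settings_interference` makes the share name configurable but keeps the literal school name `gsmitte` in the path, while the very next line builds its path from `school`. Build this path from `school` as well, otherwise the cleanup misses the share folder whenever the test school is not `gsmitte`.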
>@@ -9,6 +9,7 @@ > > import subprocess > import simplejson as json >+from ucsschool.lib.models import Group > import univention.testing.ucr as ucr_test > import univention.testing.utils as utils > import univention.testing.strings as uts >@@ -46,6 +47,14 @@ > return stdout, stderr, pipe.returncode > > >+def grp_dns(ou_name, edu=True): >+ search_base = Group.get_search_base(ou_name) >+ if edu: >+ return [search_base.educational_ou_dc_group, search_base.educational_dc_group] >+ else: >+ return [search_base.administrative_ou_dc_group, search_base.administrative_dc_group] >+ >+ > def main(): > remove_ous = [] > testschool = UCSTestSchool() >@@ -64,10 +73,7 @@ > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=False) > else: > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > msg = 'new random OU, new random DC' >@@ -80,10 +86,7 @@ > utils.fail('Cannot create %s' % msg) > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > msg = 'new random OU, existing DC in other OU' 
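Review bot: `grp_dns()` added in the `@@ -46,6 +47,14 @@` hunk of `40_schoolwizard_school_create` has no docstring, and the later call sites pass the flag positionally as `grp_dns(ou_name, False)`, which does not tell the reader which network is meant. Add a one-line docstring and call it as `grp_dns(ou_name, edu=False)`. The `else:` after the first `return` can be dropped.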
>@@ -95,10 +98,7 @@ > utils.fail('Cannot create %s' % msg) > # reusing first DC > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > msg = 'new random OU with existing DC in cn=computers,BASEDN' >@@ -119,10 +119,7 @@ > utils.fail('Cannot create %s' % msg) > > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > >@@ -136,10 +133,7 @@ > utils.fail('Cannot create %s' % msg) > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > dc_name = uts.random_string() 
>@@ -148,10 +142,7 @@ > utils.fail('Cannot create %s' % msg) > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > >@@ -167,15 +158,9 @@ > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name, False): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True) 
> > >@@ -189,10 +174,7 @@ > utils.fail('Cannot create %s' % msg) > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > dc_name_administrative = uts.random_string() >@@ -201,15 +183,9 @@ > utils.fail('Cannot create %s' % msg) > dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name, False): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True) > > msg = 'new random OU with existing administrative DC in cn=computers,BASEDN' 
>@@ -232,15 +208,9 @@ > > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', >- ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name, False): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True) > > finally: >Index: ucs-test-ucsschool/90_ucsschool/41_create_marktplatz_share >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/41_create_marktplatz_share (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/41_create_marktplatz_share (Arbeitskopie) 
>@@ -1,29 +1,43 @@ > #!/usr/share/ucs-test/runner python > ## -*- coding: utf-8 -*- >-## desc: computerroom module settings checks >+## desc: check marktplatz creation > ## roles: [domaincontroller_master] > ## tags: [apptest,ucsschool] > ## exposure: dangerous > ## packages: [ucs-school-umc-computerroom] >-## bugs: [40785] >+## bugs: [40785, 41231] > > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu >+import univention.testing.strings as uts > from univention.testing import utils > from univention.config_registry import handler_set, handler_unset > >+ > def main(): > with utu.UCSTestSchool() as schoolenv, ucr_test.UCSTestConfigRegistry() as ucr: >- for should_exist, variable in [(False, None), (True, 'yes'), (False, 'no')]: >+ for should_exist, variable, name in [(False, None, ''), (True, 'yes', 'Marktplatz'), (True, 'yes', uts.random_name()), (False, 'no', '')]: > if variable is None: > handler_unset(['ucsschool/import/generate/share/marktplatz']) > else: >+ print '### Setting ucsschool/import/generate/share/marktplatz=%s.' % variable > handler_set(['ucsschool/import/generate/share/marktplatz=%s' % (variable,)]) > > print '### Creating school. Expecting Marktplatz to exists = %r' % (should_exist,) >+ if should_exist: >+ if name: >+ print '### Setting share name to %r.' % name >+ handler_set(['ucsschool/import/generate/share/marktplatz/name={}'.format(name)]) >+ else: >+ print '### Not setting share name, should be "Marktplatz".' 
>+ handler_unset(['ucsschool/import/generate/share/marktplatz/name']) >+ > school, oudn = schoolenv.create_ou(name_edudc=ucr.get('hostname')) > utils.wait_for_replication() >- utils.verify_ldap_object('cn=Marktplatz,cn=shares,%s' % (oudn,), strict=True, should_exist=should_exist) >+ utils.verify_ldap_object( >+ 'cn={},cn=shares,{}'.format(name or 'Marktplatz', oudn), >+ strict=True, >+ should_exist=should_exist) > > if __name__ == '__main__': > main() >Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_admins >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_admins (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_admins (Arbeitskopie) >@@ -12,6 +12,7 @@ > from essential.schoolroom import ComputerRoom > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu >+from ucsschool.lib.models import ClassShare, Share > > > def main(): >@@ -52,11 +53,11 @@ > acl.assert_teacher_group('write') > acl.assert_student_group('write') > >- shares_dn = 'cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share.get_container(school) > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=Marktplatz,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=klassen,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = ClassShare.get_container(school) > acl.assert_shares(shares_dn, 'read') > > acl.assert_temps('write') >Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff (Arbeitskopie) 
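Review bot: The `else` branch that unsets `ucsschool/import/generate/share/marktplatz/name` in `41_create_marktplatz_share` can never run: it is only reached when `should_exist` is true and `name` is empty, and both `should_exist=True` tuples carry a non-empty name. The default name is therefore only exercised by setting the variable to `Marktplatz` explicitly. The random name set in the third iteration also stays in place for the final `(False, 'no', '')` iteration, where the check for `cn=Marktplatz` would pass even if a share with the random name had been created. Add a `(True, 'yes', '')` case, unset the name variable whenever `name` is empty, and in the negative cases verify the previously configured name too. The header still lists `packages: [ucs-school-umc-computerroom]` although the description was changed.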
>@@ -10,6 +10,7 @@ > from essential.acl import Acl > from essential.computerroom import Computers > from essential.schoolroom import ComputerRoom >+from ucsschool.lib.models import Share > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu > >@@ -50,7 +51,7 @@ > share_dn = open_ldap_co.searchDn(filter=filter_format('(&(objectClass=univentionShare)(cn=%s))', (class_name,)))[0] > acl.assert_share_object_access(share_dn, 'read', 'ALLOWED') > acl.assert_share_object_access(share_dn, 'write', 'DENIED') >- share_dn = 'cn=Marktplatz,cn=shares,%s' % (oudn,) >+ share_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn > acl.assert_share_object_access(share_dn, 'read', 'ALLOWED') > acl.assert_share_object_access(share_dn, 'write', 'DENIED') > >Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teacher_and_staff >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teacher_and_staff (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teacher_and_staff (Arbeitskopie) >@@ -12,6 +12,7 @@ > from essential.schoolroom import ComputerRoom > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu >+from ucsschool.lib.models import ClassShare, Share > > > def main(): 
>@@ -40,11 +41,11 @@ > acl.assert_teacher_group('write') > acl.assert_student_group('write') > >- shares_dn = 'cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share.get_container(school) > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=Marktplatz,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=klassen,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = ClassShare.get_container(school) > acl.assert_shares(shares_dn, 'read') > > acl.assert_temps('write') >Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teachers >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teachers (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teachers (Arbeitskopie) >@@ -12,6 +12,7 @@ > from essential.schoolroom import ComputerRoom > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu >+from ucsschool.lib.models import ClassShare, Share > > > def main(): 
>@@ -41,11 +42,11 @@ > > acl.assert_teacher_group('write') > >- shares_dn = 'cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share.get_container(school) > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=Marktplatz,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=klassen,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = ClassShare.get_container(school) > acl.assert_shares(shares_dn, 'read') > > acl.assert_temps('write') >Index: ucs-test-ucsschool/90_ucsschool/76_ldap_acls >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/76_ldap_acls (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/76_ldap_acls (Arbeitskopie) >@@ -14,7 +14,9 @@ > from univention.uldap import getMachineConnection > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu >+from ucsschool.lib.models import Group, Policy > >+ > class FailAcl(Exception): > pass 
> >@@ -385,15 +387,18 @@ > room = ComputerRoom(school, host_members=computers_dns) > room.add() > >- room_container_dn = 'cn=raeume,cn=groups,%s' % school_dn >- shares_dn = 'cn=shares,%s' % school_dn >+ room_container_dn = ComputerRoom.get_container(school) > >- teacher_group2_dn = 'cn=lehrer-%s,cn=groups,%s' % (school, school_dn) >- student_group2_dn = 'cn=schueler-%s,cn=groups,%s' % (school, school_dn) >+ # unused? >+ # >+ # shares_dn = search_base.shares >+ # >+ # teacher_group2_dn = search_base.teachers_ou_group >+ # student_group2_dn = search_base.students_ou_group >+ # >+ # teacher_group_dn = search_base.teachers_group >+ # student_group_dn = search_base.students_group > >- teacher_group_dn = 'cn=lehrer,cn=groups,%s' % school_dn >- student_group_dn = 'cn=schueler,cn=groups,%s' % school_dn >- > gid_temp_dn = 'cn=gid,cn=temporary,cn=univention,%s' % base_dn > gidNumber_temp_dn = 'cn=gidNumber,cn=temporary,cn=univention,%s' % base_dn > sid_temp_dn = 'cn=sid,cn=temporary,cn=univention,%s' % base_dn >@@ -401,9 +406,9 @@ > mac_temp_dn = 'cn=mac,cn=temporary,cn=univention,%s' % base_dn > > global_univention_dn = 'cn=univention,%s' % base_dn >- global_policies_dn = 'cn=policies,%s' % base_dn >+ global_policies_dn = Policy.get_container(school) > global_dns_dn = 'cn=dns,%s' % base_dn >- global_groups_dn = 'cn=groups,%s' % base_dn >+ global_groups_dn = Group.get_container(school) > > dhcp_dn = 'cn=%s,cn=%s,cn=dhcp,%s' % (computers_hostnames[0], school, base_dn) > >Index: ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.61ucsschool_presettings >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.61ucsschool_presettings (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.61ucsschool_presettings (Arbeitskopie) 
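Review bot: `ComputerRoom.get_container(school)` in the `@@ -385,15 +387,18 @@` hunk of `76_ldap_acls` is called on the same `ComputerRoom` that the context lines instantiate as `ComputerRoom(school, host_members=computers_dns)`, and the import hunk for this file only adds `Group` and `Policy` from `ucsschool.lib.models`. Confirm that this class provides `get_container()`, or import the model class under a separate name. The commented-out block under `# unused?` refers to a `search_base` that is not defined anywhere in the hunk; if the five DNs are really unused, delete them instead of leaving commented code behind.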
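Review bot: `global_policies_dn` and `global_groups_dn` in the `@@ -401,9 +406,9 @@` hunk of `76_ldap_acls` previously pointed below `base_dn` (`'cn=policies,%s' % base_dn`, `'cn=groups,%s' % base_dn`) but are now built from `school`. In `110_set_default-umc-users` this same patch uses `Group.get_container(school)` as the replacement for the groups container below the school OU, so these two variables would no longer name the domain-wide containers and the ACL checks that use them would test a different subtree. Keep the `base_dn` based values here unless the models offer an explicit way to address the global containers.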
>@@ -1,154 +1,184 @@ >+@!@ > # -*- coding: utf-8 -*- >+import re > >+ >+def replace_ucr_variables(template): >+ variable_token = re.compile('@[$]@') >+ >+ dir_ucsschool = { >+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'), >+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'), >+ 'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'), >+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'), >+ } >+ >+ while 1: >+ i = variable_token.finditer(template) >+ try: >+ start = i.next() >+ end = i.next() >+ name = template[start.end():end.start()] >+ >+ template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():] >+ except StopIteration: >+ break >+ >+ return template >+ >+ >+aclset += """ >+# -*- coding: utf-8 -*- >+ > # Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren > access to filter="(objectClass=sambaDomain)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave-Controller und Memberserver duerfen ausschliesslich den univention-Container replizieren > access to dn="cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller may replicate license container > access to dn.subtree="cn=license,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller duerfen custom attributes-Container und dessen Inhalt replizieren > access to dn.subtree="cn=custom attributes,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller benoetigen den Console-Container fuer die Berechtigungen an der Lehrerconsole > access to dn.subtree="cn=console,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read 
>+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller benoetigen den UMC-Container fuer die Berechtigungen an der Lehrerconsole > access to dn.subtree="cn=UMC,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # grant write access to domaincontroller slave/member server for certain univention app center settings > access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)" >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # grant read access to domaincontroller slave/member server for all other univention app center settings > access to dn.subtree="cn=apps,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > access to dn.subtree="cn=udm_module,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > access to dn.subtree="cn=udm_hook,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > access to dn.subtree="cn=udm_syntax,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > access to dn.subtree="cn=ldapacl,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > access to dn.subtree="cn=ldapschema,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller und Member-Server benoetigen idmap-Container > access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave-Controller und Member-Server benoetigen ID-Mapping > access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))" >- by 
group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave-Controller und Memberserver duerfen samba-Container und dessen Inhalt replizieren > access to dn.subtree="cn=samba,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller needs the builtin groups > access to 
dn.subtree="cn=Builtin,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # sonst duerfen sie nichts aus cn=univention,BASEDN replizieren > access to dn.subtree="cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * none break >Index: 
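Review bot: In the @@ -1,154 +1,184 @@ hunk, the added lines open an @!@ Python section and begin a string with aclset += """, but nothing visible in the hunk assigns aclset beforehand, closes the triple-quoted string after the last "by * none break", calls replace_ucr_variables(aclset) or ends the @!@ section, even though the hunk spans the whole file. As written the template cannot render and the @$@...@$@ tokens are never substituted; initialise aclset before the helper and add the closing """, the output call and the closing @!@ at the end of the file. Separately, dir_ucsschool.get(name,'') turns a misspelled token into cn=,cn=ucsschool,cn=groups,... without any error, and for the final "none" rule on cn=univention that means the deny silently matches no group; raising on an unknown token name would make such a mistake visible at template time. i.next() is also Python 2 only; next(i) works on both.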
ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.65ucsschool >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.65ucsschool (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.65ucsschool (Arbeitskopie) 
>@@ -13,18 +13,21 @@ > def replace_ucr_variables(template): > variable_token = re.compile('@[$]@') > >- dir_ucsschool = { } >- dir_ucsschool[ 'DISTRICT' ] = '' >- if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ): >- dir_ucsschool[ 'DISTRICT' ] = 'ou=[^,]+,' >- dir_ucsschool[ 'PUPILS' ] = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') >- dir_ucsschool[ 'TEACHERS' ] = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer') >- dir_ucsschool[ 'STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') >- dir_ucsschool[ 'TEACHERS-STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >- dir_ucsschool[ 'ADMINS' ] = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins') >- dir_ucsschool[ 'GRPADMINS' ] = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >+ dir_ucsschool = { >+ 'DISTRICT': 'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '', >+ 'PUPILS': configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'), >+ 'TEACHERS': configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'), >+ 'STAFF': configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'), >+ 'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'), >+ 'ADMINS': configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'), >+ 'GRPADMINS': configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'), >+ 'ROOMS': configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'), >+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'), >+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'), >+ 
'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'), >+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'), >+ } > >- > while 1: > i = variable_token.finditer(template) > try: >@@ -39,15 +42,14 @@ > return template > > >- >-if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ): >+if configRegistry.is_true('ucsschool/ldap/district/enable','no'): > aclset += """ > # DCs und Memberserver erhalten Lesezugriff auf das OU-Objekt selbst (im DISTRICT-Mode notwendig) > access to dn.regex="^ou=([^,]+),@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > """ 
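Review bot: In the @@ -39,15 +42,14 @@ hunk, configRegistry.is_true('ucsschool/ldap/district/enable','no') passes the string 'no' as the default. is_true() returns its default unchanged when the variable is unset, and a non-empty string is truthy, so the district-mode ACL block would be appended on systems that never set the variable, while the 'DISTRICT' entry in the preceding hunk calls is_true() without a default and stays ''. Drop the second argument (or pass False) so both places agree. is_true() also accepts more spellings than the old ('yes', 'true', '1') test, which is a behaviour change worth stating in the changelog.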
>@@ -61,28 +63,28 @@ > > # Slave controllers and memberservers require write access to virtual machine manager objects > access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write > by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write > by * read break > > access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write > by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write > by * read break > > access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write > by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write > by * read break 
>@@ -89,18 +91,18 @@ > > # Slave controller and memberservers may replicate the Virtual Machine Manager container > access to dn.subtree="cn=Virtual Machine Manager,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * read break > > # Slave controller and memberservers may replicate the mail container > access to dn.subtree="cn=mail,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * read break > > access to dn.regex="^@%@ldap/base@%@$$" 
>@@ -109,34 +111,34 @@ > > # DC Slaves need write access to the members of the group Domain Computers > access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave-Controller und Memberserver duerfen globale Container computers, shares, dns, dhcp, kerberos und policies sowie Benutzer lesen > access to dn.regex="(^(.+,)?cn=(groups|dns|dhcp|policies|computers|kerberos|shares),|^(uid=[^,]+,|)cn=users,|^)@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave DCs can read MS system container > access to dn.base="cn=system,@%@ldap/base@%@" >- by 
group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects > access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave DCs can read and write policy containers for MS WMI filter objects > access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern 
>@@ -145,11 +147,11 @@ > by * none break > > # Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten >-access to dn.regex="^cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry >+access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry > by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write > by * none break > >-access to dn.regex="^cn=([^,]+),cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" >+access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" > by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write > by * none break 
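Review bot: In the two dn.regex rules changed in this hunk, @$@ROOMS@$@ is substituted verbatim into a regular expression, so a value of ucsschool/ldap/default/container/rooms that contains regex metacharacters such as . or ( changes which entries teachers and OU admins get write access to, or makes the ACL invalid. Escape the value for the regex contexts (re.escape() in replace_ucr_variables would do, but only for tokens used inside dn.regex, not for the group names placed in plain DNs, and not for DISTRICT, which is itself a pattern), or reject such names when the variable is set. The documentation for the new variable should state which characters are allowed.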
> >@@ -224,40 +226,40 @@ > > # domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers > access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * none break > > # domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users > access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * none break > > # domaincontroller slaves and memberservers may replicate the OU "domain controllers" > access to dn.subtree="ou=domain controllers,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * read break > > # Memberserver duerfen bestimmte Attribute lesen > access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller duerfen Eintraege Ihrer ou lesen und schreiben (Passwortaenderungen etc.) 
> # Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts > access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" read > by dn.regex="^uid=(.+,)?cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" none break > by 
dn.regex="^uid=(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" none 
>@@ -265,21 +267,21 @@ > > # Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!) > access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave-Controller duerfen nagios-Container und Inhalt replizieren > access to dn.subtree="cn=nagios,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Schüler, Lehrer, Mitarbeiter, Admins duerfen globale Container univention, policies, groups und dns lesen >@@ -290,10 +292,10 @@ > > # Slave-Controller und normale Lehrer duerfen sonst nichts lesen, Schueler sowieso nicht > access to * >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * none break > > """ >Index: ucs-test-ucsschool/90_ucsschool/80_move_users_into_another_ou >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/80_move_users_into_another_ou (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/80_move_users_into_another_ou (Arbeitskopie) 
>@@ -5,6 +5,7 @@ > ## bugs: [40870, 41601, 41609, 41620] > ## exposure: dangerous > >+import os.path > from univention.testing.ucsschool import UCSTestSchool > from univention.testing.ucr import UCSTestConfigRegistry > from univention.testing.udm import UCSTestUDM 
>@@ -31,35 +32,32 @@ > # TODO: change school and uid at once! > # TODO: user without classes > >- base = ucr['ldap/base'] >- domain_users_school = 'cn=Domain Users %s,cn=groups,ou=%s,%s' % (b, b, base) >- teacher_group = 'cn=lehrer-%s,cn=groups,ou=%s,%s' % (b, b, base) >- staff_group = 'cn=mitarbeiter-%s,cn=groups,ou=%s,%s' % (b, b, base) >- students_group = 'cn=schueler-%s,cn=groups,ou=%s,%s' % (b, b, base) >+ search_base = User.get_search_base(b) >+ domain_users_school = 'cn=Domain Users {},{}'.format(b, search_base.groups) >+ teacher_group = search_base.teachers_ou_group >+ staff_group = search_base.staff_ou_group >+ students_group = search_base.students_ou_group > grp1_name = uts.random_username() > grp2_name = uts.random_username() > two_klasses = '{0}-{1},{0}-{2}'.format(a, grp1_name, grp2_name) >- workgroup_dn, workgroup_name = udm.create_group(position='cn=schueler,cn=groups,%s' % (a_dn,)) >+ workgroup_dn, workgroup_name = udm.create_group(position=WorkGroup.get_container(a)) > global_group_dn, global_group_name = udm.create_group() > >+ search_base = User.get_search_base(a) > users = [ >- (env.create_user(a, classes=two_klasses), 'schueler', >- [students_group, domain_users_school, global_group_dn]), >- (env.create_user(a, is_teacher=True, classes=two_klasses), 'lehrer', >- [domain_users_school, teacher_group, global_group_dn]), >- (env.create_user(a, is_staff=True), 'mitarbeiter', >- [domain_users_school, staff_group, global_group_dn]), >- (env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), 'lehrer', >- [domain_users_school, teacher_group, staff_group, global_group_dn]), >+ (env.create_user(a, classes=two_klasses), [students_group, domain_users_school, global_group_dn]), >+ (env.create_user(a, is_teacher=True, classes=two_klasses), [domain_users_school, teacher_group, global_group_dn]), >+ (env.create_user(a, is_staff=True), [domain_users_school, staff_group, global_group_dn]), >+ (env.create_user(a, is_teacher=True, is_staff=True, 
classes=two_klasses), [domain_users_school, teacher_group, staff_group, global_group_dn]), > ] > lo = env.open_ldap_connection() > workgroup = WorkGroup.from_dn(workgroup_dn, a, lo) >- users_dns = [dn for (user, dn,), roleshare_path, groups in users] >+ users_dns = [dn for (user, dn,), groups in users] > udm.modify_object('groups/group', dn=global_group_dn, append={'users': users_dns}) > workgroup.users.extend(users_dns) > workgroup.modify(lo) > >- for (user, dn,), roleshare_path, groups in users: >+ for (user, dn,), groups in users: > > print '################################' > print '#### moving user at', dn, 'to', b >@@ -67,7 +65,7 @@ > > user = User.from_dn(dn, a, lo) > attrs = { >- 'homeDirectory': ['/home/%s/%s/%s' % (b, roleshare_path, user.name)], >+ 'homeDirectory': [os.path.join('/home/', user.get_roleshare_home_subdir(), user.name)], > 'ucsschoolSchool': [b], > 'departmentNumber': [b], > # TODO: add sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath >Index: ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo (Arbeitskopie) >@@ -26,7 +26,7 @@ > > from datetime import datetime, timedelta > from ucsschool.lib.schoolldap import SchoolSearchBase >-from ucsschool.lib.models import School >+from ucsschool.lib.models import School, SchoolClass > from essential.computerroom import Room > from essential.exam import Exam 
> >@@ -566,7 +566,7 @@ > klasse_dn = udm.create_object( > 'groups/group', > name=schoolclassname, >- position="cn=klassen,cn=schueler,cn=groups,%s" % school_dn >+ position=SchoolClass.get_container(school) > ) > > student_pwd = "univention" >Index: ucs-test-ucsschool/90_ucsschool/essential/acl.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/acl.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/acl.py (Arbeitskopie) >@@ -13,6 +13,7 @@ > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu > import univention.testing.strings as uts >+from ucsschool.lib.models import ComputerRoom, School > > > class FailAcl(Exception): >@@ -122,6 +123,7 @@ > self.access_allowance = access_allowance > self.ucr = ucr_test.UCSTestConfigRegistry() > self.ucr.load() >+ self.search_base = School.get_search_base(self.school) > > def assert_acl(self, target_dn, access, attrs, access_allowance=None): > """Test ACL rule:\n >@@ -203,7 +205,7 @@ > def assert_room(self, room_dn, access): > """Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten > """ >- target_dn = 'cn=raeume,cn=groups,%s' % utu.UCSTestSchool().get_ou_base_dn(self.school) >+ target_dn = ComputerRoom.get_container(self.school) > attrs = [ > 'children', > 'entry', >@@ -230,7 +232,7 @@ > """Lehrer, Mitarbeiter und Mitglieder der lokalen Administratoren > duerfen Arbeitsgruppen anlegen und aendern > """ >- group_dn = 'cn=lehrer,cn=groups,%s' % utu.UCSTestSchool().get_ou_base_dn(self.school) >+ group_dn = self.search_base.teachers_group > attrs = [ > 'children', > 'entry', 
>@@ -260,7 +262,7 @@ > self.assert_acl(group_dn, access, attrs) > > def assert_student_group(self, access): >- group_dn = 'cn=schueler,cn=groups,%s' % utu.UCSTestSchool().get_ou_base_dn(self.school) >+ group_dn = self.search_base.students_group > attrs = [ > 'children', > 'entry', >Index: ucs-test-ucsschool/90_ucsschool/essential/computerroom.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/computerroom.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/computerroom.py (Arbeitskopie) >@@ -7,6 +7,8 @@ > from ucsschool.lib.models import IPComputer as IPComputerLib > from ucsschool.lib.models import MacComputer as MacComputerLib > from ucsschool.lib.models import WindowsComputer as WindowsComputerLib >+from ucsschool.lib.models import School as SchoolLib >+from ucsschool.lib.models import ComputerRoom as ComputerRoomLib > from univention.testing.ucsschool import UMCConnection > import copy > import datetime >@@ -92,10 +94,10 @@ > def __init__(self, school, name=None, dn=None, description=None, host_members=None): > self.school = school > self.name = name if name else uts.random_name() >- self.dn = dn if dn else 'cn=%s-%s,cn=raeume,cn=groups,%s' % ( >- school, self.name, utu.UCSTestSchool().get_ou_base_dn(school)) >+ self.dn = dn if dn else ComputerRoomLib(school=school, name='{}-{}'.format(school, self.name)).dn > self.description = description if description else uts.random_name() > self.host_members = host_members or [] >+ self.marktplatz_name = SchoolLib.get_search_base(self.school).share_name_marktplatz > > def get_room_user(self, umc_connection): > print 'Executing command: computerroom/rooms in school:', self.school 
>@@ -286,35 +288,37 @@ > utils.fail('Write to home directory result (%r), expected (%r)' % (write[0], expected_result)) > > def check_marktplatz_read(self, user, ip_address, passwd='univention', expected_result=0): >- print '.... Check Marktplatz read ....' >- cmd_read_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'dir'] >+ print '.... Check Marktplatz ({}) read ....'.format(self.marktplatz_name) >+ cmd_read_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'dir'] > read = run_commands( > [cmd_read_marktplatz], > { > 'ip': ip_address, >- 'user': '{0}%{1}'.format(user, passwd) >+ 'user': '{0}%{1}'.format(user, passwd), >+ 'marktplatz_name': self.marktplatz_name > } > ) > if read[0] != expected_result: >- print 'FAIL .. Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result) >- utils.fail('Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result)) >+ print 'FAIL .. Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result) >+ utils.fail('Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result)) > > def check_marktplatz_write(self, user, ip_address, passwd='univention', expected_result=0): >- print '.... Check Marktplatz write ....' >+ print '.... 
Check Marktplatz ({}) write ....'.format(self.marktplatz_name) > f = tempfile.NamedTemporaryFile(dir='/tmp') >- cmd_write_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'put %(filename)s'] >+ cmd_write_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'put %(filename)s'] > write = run_commands( > [cmd_write_marktplatz], > { > 'ip': ip_address, > 'user': '{0}%{1}'.format(user, passwd), >- 'filename': '%s %s' % (f.name, f.name.split('/')[-1]) >+ 'filename': '%s %s' % (f.name, f.name.split('/')[-1]), >+ 'marktplatz_name': self.marktplatz_name > } > ) > f.close() > if write[0] != expected_result: >- print 'FAIL .. Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result) >- utils.fail('Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result)) >+ print 'FAIL .. Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result) >+ utils.fail('Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result)) > > def check_share_access(self, user, ip_address, expected_home_result, expected_marktplatz_result): > self.check_home_read(user, ip_address, expected_result=expected_home_result) >Index: ucs-test-ucsschool/90_ucsschool/essential/distribution.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/distribution.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/distribution.py (Arbeitskopie) >@@ -14,6 +14,7 @@ > import univention.testing.strings as uts > import univention.testing.ucr as ucr_test > import univention.testing.utils as utils >+from ucsschool.lib.models import School > > > class Distribution(object): 
>@@ -608,24 +609,32 @@ > path = '' > self.ucr.load() > roleshare = self.ucr.get('ucsschool/import/roleshare') >+ collect_from = self.ucr.get('ucsschool/datadistribution/datadir/sender', 'Unterrichtsmaterial') >+ distribute_to = self.ucr.get('ucsschool/datadistribution/datadir/recipient', 'Unterrichtsmaterial') >+ search_base = School.get_search_base(self.school) > if purpose == 'distribute': > if roleshare == 'no' or roleshare is False: >- path = '/home/{0}/Unterrichtsmaterial/{1}/'.format(user, self.name) >+ path = '/home/{}/{}/{}/'.format(user, distribute_to, self.name) > else: >- path = '/home/{0}/schueler/{1}/Unterrichtsmaterial/{2}'.format( >+ path = '/home/{}/{}/{}/{}/{}'.format( > self.school, >+ search_base.share_name_pupils, > user, >+ distribute_to, > self.name) > elif purpose == 'collect': > if roleshare == 'no' or roleshare is False: >- path = '/home/{0}/Unterrichtsmaterial/{1}/{2}/'.format( >+ path = '/home/{}/{}/{}/{}/'.format( > self.sender, >+ collect_from, > self.name, > user) > else: >- path = '/home/{0}/lehrer/{1}/Unterrichtsmaterial/{2}/{3}'.format( >+ path = '/home/{}/{}/{}/{}/{}/{}'.format( > self.school, >+ search_base.share_name_teachers, > self.sender, >+ collect_from, > self.name, > user) > return path >Index: ucs-test-ucsschool/90_ucsschool/essential/exam.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/exam.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/exam.py (Arbeitskopie) >@@ -17,6 +17,7 @@ > import univention.testing.strings as uts > import univention.testing.ucr as ucr_test > import univention.testing.utils as utils >+from ucsschool.lib.models import School > > > class StartFail(Exception): >@@ -122,6 +123,7 @@ > self.shareMode = shareMode > self.internetRule = internetRule > self.customRule = customRule >+ self.search_base = School.get_search_base(self.school) > > if umcConnection: > self.umcConnection = umcConnection 
>@@ -291,7 +293,7 @@ > def check_collect(self): > account = utils.UCSTestDomainAdminCredentials() > admin = account.username >- path = '/home/%s/Klassenarbeiten/%s' % (admin, self.name) >+ path = '/home/%s/%s/%s' % (admin, self.search_base.share_name_exams, self.name) > path_files = get_dir_files(path) > if not set(self.files).issubset(set(path_files)): > utils.fail('%r were not collected to %r' % (self.files, path)) >@@ -303,7 +305,7 @@ > utils.fail('%r were not uploaded to %r' % (self.files, path)) > > def check_distribute(self): >- path = '/home/%s/schueler' % self.school >+ path = '/home/%s/%s' % (self.school, self.search_base.share_name_pupils) > path_files = get_dir_files(path) > if not set(self.files).issubset(set(path_files)): > utils.fail('%r were not uploaded to %r' % (self.files, path)) >Index: ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py (Arbeitskopie) 
>@@ -144,11 +144,11 @@ > print 'verify computer: %s' % self.name > > utils.verify_ldap_object(self.dn, expected_attr=self.expected_attributes(), should_exist=True) >- >- verwaltung_member_group1 = 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base')) >- verwaltung_member_group2 = 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base')) >- edukativ_member_group1 = 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base')) >- edukativ_member_group2 = 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base')) >+ search_base = SchoolLib.get_search_base(self.school) >+ verwaltung_member_group1 = search_base.administrative_ou_member_group >+ verwaltung_member_group2 = search_base.administrative_member_group >+ edukativ_member_group1 = search_base.educational_ou_member_group >+ edukativ_member_group2 = search_base.educational_member_group > if self.zone == 'verwaltung': > utils.verify_ldap_object(verwaltung_member_group1, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True) > utils.verify_ldap_object(verwaltung_member_group2, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True) >Index: ucs-test-ucsschool/90_ucsschool/essential/importgroups.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/importgroups.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/importgroups.py (Arbeitskopie) >@@ -8,6 +8,7 @@ > import univention.testing.strings as uts > from ucsschool.lib.models import SchoolClass as GroupLib > from ucsschool.lib.models import School as SchoolLib >+from ucsschool.lib.models import ClassShare as ClassShareLib > import ucsschool.lib.models.utils > > from essential.importou import remove_ou, get_school_base 
>@@ -26,9 +27,7 @@ > configRegistry = univention.config_registry.ConfigRegistry() > configRegistry.load() > >-cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') > >- > class Group: > > def __init__(self, school): >@@ -39,8 +38,8 @@ > > self.school_base = get_school_base(self.school) > >- self.dn = 'cn=%s,cn=klassen,cn=%s,cn=groups,%s' % (self.name, cn_pupils, self.school_base) >- self.share_dn = 'cn=%s,cn=klassen,cn=shares,%s' % (self.name, self.school_base) >+ self.dn = GroupLib(school=self.school, name=self.name).dn >+ self.share_dn = ClassShareLib(school=self.school, name=self.name).dn > > def set_mode_to_modify(self): > self.mode = 'M' >Index: ucs-test-ucsschool/90_ucsschool/essential/importou.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/importou.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/importou.py (Arbeitskopie) >@@ -11,6 +11,7 @@ > import random > import subprocess > import string >+import ldap > import univention.admin.modules > import univention.admin.filter > univention.admin.modules.update() 
>@@ -299,12 +300,15 @@ > old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base') > lo = univention.uldap.getMachineConnection() > base_dn = ucr.get('ldap/base') >+ search_base = School.get_search_base(ou) > >- cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler') >- cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer') >- cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >- cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins') >- cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') >+ cn_pupils = ldap.explode_dn(search_base.students, True)[0] >+ cn_teachers = ldap.explode_dn(search_base.teachers, True)[0] >+ cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0] >+ cn_admins = ldap.explode_dn(search_base.admins, True)[0] >+ cn_staff = ldap.explode_dn(search_base.staff, True)[0] >+ cn_class = ldap.explode_dn(search_base.classes, True)[0] >+ cn_rooms = ldap.explode_dn(search_base.rooms, True)[0] > > singlemaster = ucr.is_true('ucsschool/singlemaster') > noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects') 
>@@ -332,43 +336,42 @@ > > utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [sharefileserver_dn], 'ucsschoolHomeShareFileServer': [sharefileserver_dn]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist) > utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist) > utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, 
should_exist=must_exist) >- utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': ['dhcp']}, 
should_exist=must_exist) >+ utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist) > utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist) > > if noneducational_create_objects: >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist) > else: >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False) >+ utils.verify_ldap_object(search_base.staff, should_exist=False) >+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False) >+ utils.verify_ldap_object(search_base.staff_group, should_exist=False) > > if noneducational_create_objects: >- utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True) >- utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True) >- utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True) >- 
utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_ou_dc_group) >+ utils.verify_ldap_object(search_base.administrative_ou_member_group) > # This will fail because we don't cleanup these groups in cleanup_ou > #else: > # utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False) 
>@@ -382,22 +385,17 @@ > if dc_administrative: > verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist) > >- grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') >- grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') >- grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >- grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >- > grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn) > >- utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True) >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True) >+ utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': 
[grp_policy_teachers]}, should_exist=must_exist) > > if noneducational_create_objects: >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist) > > dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master") > dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup") >@@ -413,8 +411,7 @@ > # check group membership > # slave should be member > # master and backup should not be member >- dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn), >- "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)] >+ dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group] > > if must_exist: > if masterobjs: 
>@@ -490,33 +487,34 @@ > base_dn = ucr.get('ldap/base') > ou_base = get_ou_base(ou, ucr.is_true('ucsschool/ldap/district/enable', False)) > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, ou_base) >+ search_base = School.get_search_base(ou) > > # define list of (un-)desired group memberships ==> [(IS_MEMBER, GROUP_DN), ...] > group_dn_list = [] > if dc_type == TYPE_DC_ADMINISTRATIVE: > group_dn_list += [ >- (True, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)), >- (True, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )), >- (False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn), >- (False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)), >- (False, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)), >- (False, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )), >- (False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn), >- (False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)), >+ (True, search_base.administrative_ou_dc_group), >+ (True, search_base.administrative_dc_group), >+ (False, search_base.administrative_member_group), >+ (False, search_base.administrative_ou_member_group), >+ (False, search_base.educational_ou_dc_group), >+ (False, search_base.educational_dc_group), >+ (False, search_base.educational_member_group), >+ (False, search_base.educational_ou_member_group), > ] > else: > group_dn_list += [ >- (True, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)), >- (True, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )), >- (False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn), >- (False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)), >+ (True, search_base.educational_ou_dc_group), >+ (True, search_base.educational_dc_group), >+ (False, search_base.educational_member_group), >+ (False, 
search_base.educational_ou_member_group), > ] > if ucr.is_true('ucsschool/ldap/noneducational/create/objects', must_exist): > group_dn_list += [ >- (False, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)), >- (False, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )), >- (False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn), >- (False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)), >+ (False, search_base.administrative_ou_dc_group), >+ (False, search_base.administrative_dc_group), >+ (False, search_base.administrative_member_group), >+ (False, search_base.administrative_ou_member_group), > ] > > utils.verify_ldap_object(dc_dn, should_exist=must_exist) >Index: ucs-test-ucsschool/90_ucsschool/essential/importusers.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/importusers.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/importusers.py (Arbeitskopie) >@@ -13,6 +13,7 @@ > from univention.testing.decorators import SetTimeout > import univention.uldap > import univention.config_registry >+from ucsschool.lib.models import SchoolClass as SchoolClassLib > from ucsschool.lib.models import Student as StudentLib > from ucsschool.lib.models import Teacher as TeacherLib > from ucsschool.lib.models import Staff as StaffLib 
>@@ -38,17 +39,7 @@ > configRegistry = univention.config_registry.ConfigRegistry() > configRegistry.load() > >-cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') >-cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer') >-cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >-cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') > >-grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') >-grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') >-grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >-grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >- >- > class Person(object): > > def __init__(self, school, role): >@@ -57,6 +48,7 @@ > self.username = uts.random_name() > self.school = school > self.schools = [school] >+ self.search_base = SchoolLib.get_search_base(self.school) > self.role = role > self.record_uid = None > self.source_uid = None 
>@@ -64,17 +56,17 @@ > self.mail = '%s@%s' % (self.username, configRegistry.get('domainname')) > self.school_classes = {} > if self.is_student(): >- self.cn = cn_pupils >- self.grp_prefix = grp_prefix_pupils >+ self.user_type = StudentLib >+ self.role_group_dn = self.search_base.students_ou_group > elif self.is_teacher(): >- self.cn = cn_teachers >- self.grp_prefix = grp_prefix_teachers >+ self.user_type = TeacherLib >+ self.role_group_dn = self.search_base.teachers_ou_group > elif self.is_teacher_staff(): >- self.cn = cn_teachers_staff >- self.grp_prefix = grp_prefix_teachers >+ self.user_type = TeachersAndStaffLib >+ self.role_group_dn = self.search_base.teachers_ou_group > elif self.is_staff(): >- self.cn = cn_staff >- self.grp_prefix = grp_prefix_staff >+ self.user_type = StaffLib >+ self.role_group_dn = self.search_base.staff_ou_group > self.mode = 'A' > self.active = True > self.password = None >@@ -83,7 +75,7 @@ > self.append_random_groups() > > def make_dn(self): >- return 'uid=%s,cn=%s,cn=users,%s' % (self.username, self.cn, self.school_base) >+ return self.user_type(school=self.school, name=self.username).dn > > def make_school_base(self): > return get_school_base(self.school) 
>@@ -242,17 +234,11 @@ > if self.description: > attr['description'] = [self.description] > >- subdir = '' > if configRegistry.is_true('ucsschool/import/roleshare', True): >- if self.is_student(): >- subdir = os.path.join(self.school, 'schueler') >- elif self.is_teacher(): >- subdir = os.path.join(self.school, 'lehrer') >- elif self.is_teacher_staff(): >- subdir = os.path.join(self.school, 'lehrer') >- elif self.is_staff(): >- subdir = os.path.join(self.school, 'mitarbeiter') >- attr['homeDirectory'] = ['/home/%s' % os.path.join(subdir, self.username)] >+ subdir = self.user_type(school=self.school, name=self.username).get_roleshare_home_subdir() >+ else: >+ subdir = '' >+ attr['homeDirectory'] = [os.path.join('/home', subdir, self.username)] > > if self.is_active(): > attr['krb5KDCFlags'] = ['126'] >@@ -332,11 +318,10 @@ > > for school, classes in self.school_classes.iteritems(): > for cl in classes: >- cl_group_dn = 'cn=%s,cn=klassen,cn=%s,cn=groups,%s' % (cl, cn_pupils, get_school_base(school)) >+ cl_group_dn = SchoolClassLib(school=school, name=cl).dn > utils.verify_ldap_object(cl_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True) > >- role_group_dn = 'cn=%s%s,cn=groups,%s' % (self.grp_prefix, self.school, self.school_base) >- utils.verify_ldap_object(role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True) >+ utils.verify_ldap_object(self.role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True) > print 'person OK: %s' % self.username > > >Index: ucs-test-ucsschool/90_ucsschool/essential/internetrule.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/internetrule.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/internetrule.py (Arbeitskopie) 
>@@ -16,6 +16,7 @@ > import univention.testing.utils as utils > from univention.testing.ucsschool import UCSTestSchool > import univention.testing.ucsschool as utu >+from ucsschool.lib.models import SchoolClass as SchoolClassLib > > > class InternetRule(object): >@@ -240,8 +241,7 @@ > ucsschool = UCSTestSchool() > groupdn = ucsschool.get_workinggroup_dn(school, groupName) > elif groupType == 'class': >- groupdn = 'cn=%s-%s,cn=klassen,cn=schueler,cn=groups,%s' % ( >- school, groupName, school_basedn) >+ groupdn = SchoolClassLib(school=schoolenv.name, name="{}-{}".format(school, groupName)).dn > > if default: > name = '$default$' >Index: ucs-test-ucsschool/90_ucsschool/essential/klasse.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/klasse.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/klasse.py (Arbeitskopie) >@@ -9,6 +9,7 @@ > from univention.testing.ucsschool import UMCConnection > import univention.testing.ucr as ucr_test > from univention.testing.ucsschool import UCSTestSchool >+from ucsschool.lib.models import SchoolClass as SchoolClassLib > > > class GetFail(Exception): >@@ -138,9 +139,7 @@ > k, classes_names)) > > def dn(self): >- return 'cn=%s-%s,cn=klassen,cn=schueler,cn=groups,%s' % ( >- self.school, self.name, UCSTestSchool().get_ou_base_dn(self.school) >- ) >+ return SchoolClassLib(school=self.school, name="{}-{}".format(self.school, self.name)).dn > > def get(self): > """Get class""" >Index: ucs-test-ucsschool/90_ucsschool/essential/school.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/school.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/school.py (Arbeitskopie) 
>@@ -4,6 +4,7 @@ > > .. moduleauthor:: Ammar Najjar <najjar@univention.de> > """ >+import ldap > from essential.importcomputers import random_ip > from essential.importou import DCNotFound, DCMembership, DhcpdLDAPBase, TYPE_DC_ADMINISTRATIVE > from essential.importou import get_ou_base, verify_dc, get_school_ou_from_dn, TYPE_DC_EDUCATIONAL >@@ -13,6 +14,8 @@ > import univention.testing.ucr as ucr_test > import univention.testing.utils as utils > import univention.uldap >+from ucsschool.lib.models import (School as LibSchool, ComputerRoom as LibComputerRoom, SchoolClass as LibSchoolClass, >+ Staff as LibStaff, TeachersAndStaff as LibTeachersAndStaff, Teacher as LibTeacher, Student as LibStudent) > > > class GetFail(Exception): >@@ -190,7 +193,7 @@ > k, names)) > > def dn(self): >- return UCSTestSchool().get_ou_base_dn(self.name) >+ return UCSTestSchool().get_ou_base_dn(self.name) > > def remove(self): > """Remove school""" 
>@@ -278,12 +281,15 @@ > old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base') > lo = univention.uldap.getMachineConnection() > base_dn = ucr.get('ldap/base') >+ search_base = LibSchool.get_search_base(ou) > >- cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler') >- cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer') >- cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >- cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins') >- cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') >+ cn_pupils = ldap.explode_dn(LibStudent.get_container(ou), True)[0] >+ cn_teachers = ldap.explode_dn(LibTeacher.get_container(ou), True)[0] >+ cn_teachers_staff = ldap.explode_dn(LibTeachersAndStaff.get_container(ou), True)[0] >+ cn_admins = ldap.explode_dn(search_base.admins, True)[0] >+ cn_staff = ldap.explode_dn(LibStaff.get_container(ou), True)[0] >+ cn_class = ldap.explode_dn(LibSchoolClass.get_container(ou), True)[0] >+ cn_rooms = ldap.explode_dn(LibComputerRoom.get_container(ou), True)[0] > > singlemaster = ucr.is_true('ucsschool/singlemaster') > noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects') 
>@@ -317,43 +323,42 @@ > > utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [classsharefileserver_dn], 'ucsschoolHomeShareFileServer': [homesharefileserver_dn]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist) > utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist) > utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': 
['dc']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': 
['dhcp']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist) > utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist) > > if noneducational_create_objects: >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist) > else: >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False) >+ utils.verify_ldap_object(search_base.staff, should_exist=False) >+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False) >+ utils.verify_ldap_object(search_base.staff_group, should_exist=False) > > if noneducational_create_objects: >- utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True) >- utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True) >- utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True) >- 
utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_ou_dc_group) >+ utils.verify_ldap_object(search_base.administrative_ou_member_group) > # This will fail because we don't cleanup these groups in cleanup_ou > #else: > # utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False) 
>@@ -367,22 +372,17 @@ > if dc_administrative: > verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist) > >- grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') >- grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') >- grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >- grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >- > grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn) > >- utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True) >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True) >+ utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': 
[grp_policy_teachers]}, should_exist=must_exist) > > if noneducational_create_objects: >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist) > > dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master") > dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup") >@@ -398,8 +398,7 @@ > # check group membership > # slave should be member > # master and backup should not be member >- dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn), >- "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)] >+ dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group] > > if must_exist: > if masterobjs: >@@ -443,7 +442,7 @@ > # seems to be the first OU, so check the variable settings > if ucr.get('dhcpd/ldap/base') != "cn=dhcp,%s" % (ou_base,): > print 'ERROR: dhcpd/ldap/base =', ucr.get('dhcpd/ldap/base') >- print 'ERROR: expected base =', dhcp_dn >+ print 'ERROR: expected base =', dhcp_dn # FIXME: unresolve reference: dhcp_dn > raise DhcpdLDAPBase() > > # use the UCR value and check if the DHCP service exists >Index: ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py (Revision 74005) >+++ ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py (Arbeitskopie) 
>@@ -1,8 +1,8 @@ > from univention.testing.ucsschool import UMCConnection > import univention.testing.strings as uts > import univention.testing.ucr as ucr_test >-import univention.testing.ucsschool as utu > import univention.testing.utils as utils >+from ucsschool.lib.models import LibComputerRoom > > > class FailQuery(Exception): >@@ -59,8 +59,7 @@ > self.umc_connection.auth(admin, passwd) > > def dn(self): >- return 'cn=%s-%s,cn=raeume,cn=groups,%s' % ( >- self.school, self.name, utu.UCSTestSchool().get_ou_base_dn(self.school)) >+ return LibComputerRoom(school="myschool", name='{}-{}'.format("myschool", "myname")).dn > > def add(self, should_pass=True): > param = [{ >Index: univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py >=================================================================== >--- univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py (Revision 74005) >+++ univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py (Arbeitskopie) >@@ -51,6 +51,7 @@ > from univention.management.console.log import MODULE > from univention.management.console.modules import UMC_Error > from ucsschool.lib.schoolldap import LDAP_Connection, SchoolBaseModule, ADMIN_WRITE, USER_READ >+from ucsschool.lib.models import SchoolComputer > > from univention.management.console.config import ucr > >@@ -92,7 +93,7 @@ > > try: > # Set new position >- ldap_position.setDn(search_base.computers) >+ ldap_position.setDn(SchoolComputer.get_container(search_base.school)) > > usersid = request.options.get('usersid') > self._check_usersid_join_permissions(ldap_user_read, usersid)
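Review bot: In school.py hunk @@ -317,43 +323,42 (and the identical block in the file before importusers.py), the two OU-level administrative group checks lose their explicit should_exist=True. The removed lines passed it, the added verify_ldap_object(search_base.administrative_ou_dc_group) and verify_ldap_object(search_base.administrative_ou_member_group) calls do not, while the two calls directly above them keep it. Pass should_exist=True on all four so the assertion does not depend on the helper's default.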
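Review bot: In the verify_dc hunk @@ -490,33 +487,34, the removed lines built the OU DC group DNs with ou.lower() but the OU member group DNs with plain ou; after the change the case of both is decided by the search_base attributes. Confirm that search_base.administrative_ou_dc_group and search_base.educational_ou_dc_group produce the same case as before, or that the membership check compares DNs case-insensitively, since an OU name with upper-case letters would otherwise change the outcome of the (True, ...) entries.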
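Review bot: In importusers.py, Person.__init__ (hunks @@ -57,6 +48,7 and @@ -64,17 +56,17) now references SchoolLib and TeachersAndStaffLib, but the import hunk @@ -13,6 +13,7 only adds SchoolClass as SchoolClassLib and its context shows only the Student, Teacher and Staff aliases. Confirm that School and TeachersAndStaff are imported under those names elsewhere in the file; if not, add them to this hunk, because constructing any Person would raise NameError at SchoolLib.get_search_base(self.school).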
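Review bot: In importusers.py hunk @@ -242,17 +234,11, os.path.join('/home', subdir, self.username) drops the '/home' prefix if get_roleshare_home_subdir() ever returns a value starting with '/', because os.path.join restarts at an absolute component. Either document that the method returns a relative path or strip a leading slash before joining. The expected homeDirectory is also now computed by the library method under test, so a literal expected path for at least one role would keep this check independent.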
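Review bot: In internetrule.py hunk @@ -240,8 +241,7, the class DN is built with school=schoolenv.name while the class name prefix is formatted from school; the removed line used school for the prefix and school_basedn for the base. If both always name the same OU, pass school=school for consistency; if they can differ, the new DN no longer matches the old one. schoolenv does not appear in the hunk's context either, so confirm it is in scope at this point.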
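Review bot: In school.py hunk @@ -278,12 +281,15, the expected container names (cn_pupils, cn_teachers, cn_teachers_staff, cn_admins, cn_staff, cn_class, cn_rooms) are now taken from the library's own get_container() and search_base results via ldap.explode_dn(...)[0], and the DNs being verified come from the same search_base. The test therefore compares the library with itself and cannot detect a wrong container name. Keep at least one case that sets the relevant UCR variable to a known value and asserts the literal DN and cn.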
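Review bot: In school.py hunk @@ -443,7 +442,7, the undefined name dhcp_dn is only annotated with a FIXME, so this error branch fails with NameError on the second print and never reaches raise DhcpdLDAPBase(). The condition directly above compares against "cn=dhcp,%s" % (ou_base,), and this patch already uses search_base.dhcp for the same container; print one of those instead of leaving the unresolved reference in place. Separately, hunk @@ -190,7 +193,7 replaces return UCSTestSchool().get_ou_base_dn(self.name) with a textually identical line, which looks like a whitespace-only change that should be dropped from the patch.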
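Review bot: In schoolroom.py hunk @@ -59,8 +59,7, the new dn() returns the DN of a fixed room ("myschool", "myname") instead of using self.school and self.name, so every room object in the tests resolves to the same DN. The removed line formatted self.school and self.name; the call should read LibComputerRoom(school=self.school, name='{}-{}'.format(self.school, self.name)).dn. The import added in hunk @@ -1,8 +1,8, from ucsschool.lib.models import LibComputerRoom, also differs from school.py in this patch, which uses ComputerRoom as LibComputerRoom; unless the models package exports that alias, follow the school.py form.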
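Review bot: In selective-udm/__init__.py hunk @@ -92,7 +93,7, the LDAP position for the write is now computed with SchoolComputer.get_container(search_base.school) instead of read from search_base.computers. Confirm that search_base.school holds the OU name that get_container() expects rather than a DN, and that the result equals the former search_base.computers with default settings. Since this position decides where the computer object is created, a test asserting the resulting DN would be worth adding with this change.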