Univention Bugzilla – Attachment 8418 Details for Bug 41231: Add config option for currently hardcoded german LDAP objects/directories/...
41231_hardcoded_german_names_11.patch (text/plain), 254.81 KB, created by Daniel Tröder on 2017-02-10 13:02:37 CET

Description: updated patch
Filename: 41231_hardcoded_german_names_11.patch
MIME Type: text/plain
Creator: Daniel Tröder
Created: 2017-02-10 13:02:37 CET
Size: 254.81 KB
Flags: patch, obsolete
>Index: doc/manual/import-hooks-de.xml >=================================================================== >--- doc/manual/import-hooks-de.xml (Revision 76600) >+++ doc/manual/import-hooks-de.xml (Arbeitskopie) >@@ -116,12 +116,20 @@ > zugeordnet wird. > </para> > <para> >- Ãber drei weitere &ucsUCR;-Variablen kann das Verhalten des Hooks gesteuert >+ Ãber vier weitere &ucsUCR;-Variablen kann das Verhalten des Hooks gesteuert > werden: > </para> > <itemizedlist> > <listitem> > <para> >+ <command>ucsschool/import/generate/share/marktplatz/name</command> >+ </para> >+ <para> >+ Diese Variable definiert den Namen der Freigabe. Der Standard ist <literal>Marktplatz</literal>. >+ </para> >+ </listitem> >+ <listitem> >+ <para> > <command>ucsschool/import/generate/share/marktplatz/sharepath</command> > </para> > <para> >Index: doc/manual/performance-de.xml >=================================================================== >--- doc/manual/performance-de.xml (Revision 76600) >+++ doc/manual/performance-de.xml (Arbeitskopie) >@@ -93,6 +93,10 @@ > </simpara> > </listitem> > </itemizedlist> >+ <note> >+ Der Teil des Gruppennamens der hier <Edukativnetz> ist, kann seit &ucsUAS;-Version 4.1 R2 v10 >+ verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>. >+ </note> > </para> > </section> > >Index: doc/manual/setup-school-generic-de.xml >=================================================================== >--- doc/manual/setup-school-generic-de.xml (Revision 76600) >+++ doc/manual/setup-school-generic-de.xml (Arbeitskopie) 
>@@ -39,14 +39,13 @@ > Zugriffsrechte gesetzt werden. Dabei kann der Zugriff für einzelne Benutzer oder ganze Gruppen > erlaubt bzw. gesperrt werden. Um den Schülern den Zugriff auf die physikalischen Drucker zu > verbieten, muss an den Druckerfreigaben für diese Drucker der Zugriff durch Benutzer der >- OU-spezifischen Gruppe >- <systemitem class="groupname">schueler- >- <replaceable>OU</replaceable> >- </systemitem> >- > (z.B. <systemitem class="groupname">schueler-gsmitte</systemitem>) >- verboten werden. Für den PDF-Drucker <systemitem class="resource">PDFDrucker</systemitem> sollten keine >- Einschränkungen >- gemacht werden. >+ OU-spezifischen Gruppe <systemitem class="groupname">schueler-<replaceable>OU</replaceable></systemitem> >+ (z.B. <systemitem class="groupname">schueler-gsmitte</systemitem>) verboten werden. Für den PDF-Drucker >+ <systemitem class="resource">PDFDrucker</systemitem> sollten keine Einschränkungen gemacht werden. >+ <note> >+ Der Teil des Gruppennamens der hier <schueler-> ist, kann seit &ucsUAS;-Version 4.1 R2 v10 verändert >+ werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>. >+ </note> > </para> > <para> > Schüler haben damit nur noch die Möglichkeit Druckaufträge an den >@@ -228,6 +227,9 @@ > Anlegen einer OU kann durch das Setzen der &ucsUCRV; > <envar>ucsschool/import/generate/marktplatz</envar> auf den > Wert <literal>no</literal> verhindert werden. >+ <note> >+ Weiterführnde Informationen zur <emphasis>Marktplatz</emphasis>-Freigabe finden sich unter <xref linkend="import:marketplace"/>. >+ </note> > </para> > <para> > Diese Freigaben müssen zwingend auf dem Schulserver bereitgestellt 
>@@ -280,6 +282,10 @@ > Die Freigabe erlaubt der Gruppe <systemitem class="resource">lehrer-<OU></systemitem> den > administrativen > Zugriff auf das Basisverzeichnis <filename class="directory">/home/<OU>/schueler</filename>. >+ <note> >+ Der Teil des Gruppennamens der hier <schueler-> bzw.<lehrer-> ist, kann seit >+ &ucsUAS;-Version 4.1 R2 v10 verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>. >+ </note> > </para> > <para> > Per Voreinstellung wird der Lehrergruppe Lesezugriff gewährt. 
>@@ -310,23 +316,23 @@ > Option zu Schuladministratoren umgewandelt werden. > <itemizedlist> > <listitem> >- <simpara> >+ <para> > Die zusätzliche Gruppenmitgliedschaft muss manuell über das &ucsUMC;-Modul >- <guimenu>Benutzer</guimenu> >- auf dem &ucsMaster; hinzugefügt werden. Auf dem Reiter >- <guimenu>Gruppen</guimenu> >- muss das Benutzerkonto in die Gruppe >+ <guimenu>Benutzer</guimenu> auf dem &ucsMaster; hinzugefügt werden. Auf dem Reiter >+ <guimenu>Gruppen</guimenu> muss das Benutzerkonto in die Gruppe > <systemitem class="groupname"><replaceable>admins-OU</replaceable></systemitem> > (für die OU <wordasword>gym17</wordasword> ist dies die Gruppe > <systemitem class="groupname">admins-gym17</systemitem>) aufgenommen werden. >- </simpara> >+ <note> >+ Der Teil des Gruppennamens der hier <admins-> ist, kann seit &ucsUAS;-Version 4.1 R2 v10 >+ verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>. >+ </note> >+ </para> > </listitem> > <listitem> > <simpara> > Im &ucsUMC;-Modul <guimenu>Benutzer</guimenu> muss auÃerdem im Reiter >- <guimenu>Optionen</guimenu> >- die Option >- <option>UCS@school-Administrator</option> >+ <guimenu>Optionen</guimenu> die Option <option>UCS@school-Administrator</option> > eingeschaltet werden. > </simpara> > </listitem> >Index: doc/manual/structure-de.xml >=================================================================== >--- doc/manual/structure-de.xml (Revision 76600) >+++ doc/manual/structure-de.xml (Arbeitskopie) 
>@@ -329,6 +329,84 @@ > </note> > </section> > >+ <section id="structure:ldap:container_names"> >+ <title>Gruppen-, Verzeichnis- und Containernamen</title> >+ <para> >+ Seit &ucsUAS;-Version 4.1 R2 v7 können mit Hilfe von UCR-Variablen Teile der Gruppen-, Verzeichnis- und Containernamen >+ <emphasis>vor der Installation der &ucsUAS;-App</emphasis> bestimmt werden. >+ </para> >+ <para> >+ Beispielsweise wird die Gruppe <systemitem class="groupname">Member-Edukativnetz</systemitem> durch Setzen >+ der UCR-Variablen <envar>ucsschool/ldap/default/groupname/all-educational-member=Membre-Enseignement</envar> >+ mit dem Namen <systemitem class="groupname">Membre-Enseignement</systemitem> angelegt. >+ </para> >+ <para> >+ Sollen zum Beispiel die Benutzerkonten von Schülern nicht im Container >+ <uri>cn=schueler,cn=groups,ou=gymmitte,dc=example,dc=com</uri> gespeichert werden, sondern unter >+ <uri>cn=ecolier,cn=groups,ou=gymmitte,dc=example,dc=com</uri>, muss >+ <envar>ucsschool/ldap/default/container/pupils=ecolier</envar> gesetzt werden. >+ </para> >+ <para> >+ Die Bedeutung der aller UCR-Variablen können Sie durch das Lesen der Hilfetexte zu den UCR-Variablen erfahren >+ (siehe <biblioref linkend="ucs-handbuch"/>). >+ </para> >+ <para> >+ <simpara> >+ Die folgenden Teile von Containernamen (z.B. 
in <uri>cn=admins,cn=groups,ou=gymmitte,dc=example,dc=com</uri>) können gesetzt werden: >+ </simpara> >+ <itemizedlist> >+ <listitem><simpara>admins: <envar>ucsschool/ldap/default/container/admins</envar></simpara></listitem> >+ <listitem><simpara>schueler: <envar>ucsschool/ldap/default/container/pupils</envar></simpara></listitem> >+ <listitem><simpara>mitarbeiter: <envar>ucsschool/ldap/default/container/staff</envar></simpara></listitem> >+ <listitem><simpara>lehrer und mitarbeiter: <envar>ucsschool/ldap/default/container/teachers-and-staff</envar></simpara></listitem> >+ <listitem><simpara>lehrer: <envar>ucsschool/ldap/default/container/teachers</envar></simpara></listitem> >+ <listitem><simpara>klassen: <envar>ucsschool/ldap/default/container/class</envar></simpara></listitem> >+ <listitem><simpara>raeume: <envar>ucsschool/ldap/default/container/rooms</envar></simpara></listitem> >+ <listitem><simpara>examusers: <envar>ucsschool/ldap/default/container/exam</envar></simpara></listitem> >+ </itemizedlist> >+ </para> >+ <para> >+ <simpara> >+ Die folgenden Präfixe von Gruppennamen (z.B. in <systemitem class="groupname">schueler-gymmitte</systemitem>) können gesetzt werden: >+ </simpara> >+ <itemizedlist> >+ <listitem><simpara>schueler-: <envar>ucsschool/ldap/default/groupprefix/pupils</envar></simpara></listitem> >+ <listitem><simpara>lehrer-: <envar>ucsschool/ldap/default/groupprefix/teachers</envar></simpara></listitem> >+ <listitem><simpara>admins-: <envar>ucsschool/ldap/default/groupprefix/admins</envar></simpara></listitem> >+ <listitem><simpara>mitarbeiter-: <envar>ucsschool/ldap/default/groupprefix/staff</envar></simpara></listitem> >+ </itemizedlist> >+ <simpara> >+ Die folgenden Gruppennamen können per UCR gesetzt werden. Bei Namen die <replaceable>%(ou)s</replaceable> enthalten >+ wird dieses vom System durch das jeweilige Schulkürzel ersetzt (z.B. <uri>gymmitte</uri> in >+ <systemitem class="groupname">OUgymmitte-DC-Edukativnetz</systemitem>). 
>+ </simpara> >+ <itemizedlist> >+ <listitem><simpara>DC-Edukativnetz: <envar>ucsschool/ldap/default/groupname/all-educational-dc</envar></simpara></listitem> >+ <listitem><simpara>Member-Edukativnetz: <envar>ucsschool/ldap/default/groupname/all-educational-member</envar></simpara></listitem> >+ <listitem><simpara>DC-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/all-administrativ-dc</envar></simpara></listitem> >+ <listitem><simpara>Member-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/all-administrativ-member</envar></simpara></listitem> >+ <listitem><simpara>OU%(ou)s-DC-Edukativnetz: <envar>ucsschool/ldap/default/groupname/ou-educational-dc</envar></simpara></listitem> >+ <listitem><simpara>OU%(ou)s-Member-Edukativnetz: <envar>ucsschool/ldap/default/groupname/ou-educational-member</envar></simpara></listitem> >+ <listitem><simpara>OU%(ou)s-DC-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/ou-administrativ-dc</envar></simpara></listitem> >+ <listitem><simpara>OU%(ou)s-Member-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/ou-administrativ-member</envar></simpara></listitem> >+ <listitem><simpara>OU%(ou)s-Klassenarbeit: <envar>ucsschool/ldap/default/groupname/exam</envar></simpara></listitem> >+ </itemizedlist> >+ <simpara> >+ Die folgenden Verzeichnisnamen können per UCR gesetzt werden (z.B. 
<envar>klassen</envar> in <filename class="directory">/home/groups/klassen/3b</filename>): >+ </simpara> >+ <itemizedlist> >+ <listitem><simpara>klassen: <envar>ucsschool/ldap/default/share/class</envar></simpara></listitem> >+ <listitem><simpara>schueler: <envar>ucsschool/ldap/default/share/pupils</envar></simpara></listitem> >+ <listitem><simpara>lehrer: <envar>ucsschool/ldap/default/share/teachers</envar></simpara></listitem> >+ <listitem><simpara>Unterrichtsmaterial: <envar>ucsschool/datadistribution/datadir/sender</envar></simpara></listitem> >+ <listitem><simpara>Unterrichtsmaterial: <envar>ucsschool/datadistribution/datadir/recipient</envar></simpara></listitem> >+ <listitem><simpara>Klassenarbeiten: <envar>ucsschool/ldap/default/share/exams</envar></simpara></listitem> >+ <listitem><simpara>schueler, lehrer, mitarbeiter: <envar>ucsschool/import/roleshare/.*/path</envar></simpara></listitem> >+ <listitem><simpara>Marktplatz: <envar>ucsschool/import/generate/share/marktplatz/name</envar></simpara></listitem> >+ </itemizedlist> >+ </para> >+ </section> >+ > <section id="structure:ldap:global"> > <title>Weitere &ucsUAS;-Objekte</title> > <para> >Index: ucs-school-import/debian/ucs-school-import.univention-config-registry-variables >=================================================================== >--- ucs-school-import/debian/ucs-school-import.univention-config-registry-variables (Revision 76600) >+++ ucs-school-import/debian/ucs-school-import.univention-config-registry-variables (Arbeitskopie) 
>@@ -4,54 +4,150 @@ > Type=str > Categories=ucsschool-base > >+[ucsschool/ldap/default/container/admins] >+Description[de]=Standard-Container-Name für Administratoren. Standard ist "admins". >+Description[en]=Default container name for administrators. Default is "admins". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/container/class] >+Description[de]=Standard-Container-Name für Schulklassen. Standard ist "klassen". >+Description[en]=Default container name for school classes. Default is "klassen". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/container/exam] >+Description[de]=Standard-Container-Name für Schüler in einer Prüfung. Standard ist "examusers". >+Description[en]=Default container name name for pupils writing exams. Default is "examusers". >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/ldap/default/container/pupils] >-Description[de]=Standard-Container für Schüler >-Description[en]=Default container for pupils >+Description[de]=Standard-Container-Name für Schüler. Standard ist "schueler". >+Description[en]=Default container name for pupils. Default is "schueler". > Type=str > Categories=ucsschool-base > >+[ucsschool/ldap/default/container/rooms] >+Description[de]=Standard-Container-Name für Klassenräume. Standard ist "raeume". >+Description[en]=Default container name for class rooms. Default is "raeume". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/container/staff] >+Description[de]=Standard-Container-Name für Mitarbeiter. Standard ist "mitarbeiter". >+Description[en]=Default container name for staff members. Default is "mitarbeiter". >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/ldap/default/container/teachers] >-Description[de]=Standard-Container für Lehrer >-Description[en]=Default container for teachers >+Description[de]=Standard-Container-Name für Lehrer. Standard ist "lehrer". >+Description[en]=Default container name for teachers. Default is "lehrer". 
> Type=str > Categories=ucsschool-base > >-[ucsschool/ldap/default/container/admins] >-Description[de]=Standard-Container für Administratoren >-Description[en]=Default container for administrators >+[ucsschool/ldap/default/container/teachers-and-staff] >+Description[de]=Standard-Container-Name für Benutzer die gleichzeitig Lehrer und Mitarbeiter sind. Standard ist "lehrer und mitarbeiter". >+Description[en]=Default container name for users that are both teachers and staff members. Default is "lehrer und mitarbeiter". > Type=str > Categories=ucsschool-base > >-[ucsschool/ldap/default/container/staff] >-Description[de]=Standard-Container für Mitarbeiter >-Description[en]=Default container for staff members >+[ucsschool/ldap/default/groupname/exam] >+Description[de]=Standard Gruppenname für Schüler in einer Prüfung. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Klassenarbeit". >+Description[en]=Default group name for pupils writing exams. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Klassenarbeit". > Type=str > Categories=ucsschool-base > >-[ucsschool/ldap/default/groupprefix/pupils] >-Description[de]=Standard-Prefix für die Schüler-Gruppen >-Description[en]=Default prefix for pupils groups >+[ucsschool/ldap/default/groupname/all-administrativ-dc] >+Description[de]=Standard Gruppenname für Domain Controller in Verwaltungsnetzen. Standard ist "DC-Verwaltungsnetz". >+Description[en]=Default group name for domain controllers in administrativ networks. Default is "DC-Verwaltungsnetz". > Type=str > Categories=ucsschool-base > >-[ucsschool/ldap/default/groupprefix/teachers] >-Description[de]=Standard-Prefix für die Lehrer-Gruppen >-Description[en]=Default prefix for teacher groups >+[ucsschool/ldap/default/groupname/all-administrativ-member] >+Description[de]=Standard Gruppenname für Member Server in Verwaltungsnetzen. Standard ist "Member-Verwaltungsnetz". 
>+Description[en]=Default group name for member servers in administrativ networks. Default is "Member-Verwaltungsnetz". > Type=str > Categories=ucsschool-base > >+[ucsschool/ldap/default/groupname/all-educational-dc] >+Description[de]=Standard Gruppenname für Domain Controller in Edukativnetzen. Standard ist "DC-Edukativnetz". >+Description[en]=Default group name for domain controllers in educational networks. Default is "DC-Edukativnetz". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/groupname/all-educational-member] >+Description[de]=Standard Gruppenname für Member Server in Edukativnetzen. Standard ist "Member-Edukativnetz". >+Description[en]=Default group name for member servers in educational networks. Default is "Member-Edukativnetz". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/groupname/ou-administrativ-dc] >+Description[de]=Standard Gruppenname für Domain Controller im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Verwaltungsnetz". >+Description[en]=Default group name for domain controllers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Verwaltungsnetz". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/groupname/ou-administrativ-member] >+Description[de]=Standard Gruppenname für Member Server im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Verwaltungsnetz". >+Description[en]=Default group name for member servers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Verwaltungsnetz". 
>+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/groupname/ou-educational-dc] >+Description[de]=Standard Gruppenname für Domain Controller im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Edukativnetz". >+Description[en]=Default group name for domain controllers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Edukativnetz". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/groupname/ou-educational-member] >+Description[de]=Standard Gruppenname für Member Server im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Edukativnetz". >+Description[en]=Default group name for member servers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Edukativnetz". >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/ldap/default/groupprefix/admins] >-Description[de]=Standard-Prefix für die Administrator-Gruppen >-Description[en]=Default prefix for admin groups >+Description[de]=Standard-Prefix für die Administrator-Gruppen. Standard ist "admins-". >+Description[en]=Default prefix for admin groups. Default is "admins-". > Type=str > Categories=ucsschool-base > >+[ucsschool/ldap/default/groupprefix/pupils] >+Description[de]=Standard-Prefix für die Schüler-Gruppen. Standard ist "schueler-". >+Description[en]=Default prefix for pupils groups. Default is "schueler-". >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/ldap/default/groupprefix/staff] >-Description[de]=Standard-Prefix für die Mitarbeiter-Gruppen >-Description[en]=Default prefix for staff groups >+Description[de]=Standard-Prefix für die Mitarbeiter-Gruppen. Standard ist "mitarbeiter-". >+Description[en]=Default prefix for staff groups. 
Default is "mitarbeiter-". > Type=str > Categories=ucsschool-base > >+[ucsschool/ldap/default/groupprefix/teachers] >+Description[de]=Standard-Prefix für die Lehrer-Gruppen. Standard ist "lehrer-". >+Description[en]=Default prefix for teacher groups. Default is "lehrer-". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/share/class] >+Description[de]=Standard Verzeichnisname für die Klassen-Freigabe. Standard ist "klassen". >+Description[en]=Default directory name for the class share. Default is "klassen". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/share/pupils] >+Description[de]=Standard Verzeichnisname für die Schüler-Verzeichnisse. Standard ist "schueler". >+Description[en]=Default directory name for the pupils directories. Default is "schueler". >+Type=str >+Categories=ucsschool-base >+ >+[ucsschool/ldap/default/share/teachers] >+Description[de]=Standard Verzeichnisname für die Lehrer-Verzeichnisse. Standard ist "lehrer". >+Description[en]=Default directory name for the teachers directories. Default is "lehrer". >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/ldap/default/dcs] > Description[de]=Spezifiziert welche Schul-DCs beim Erzeugen einer Schule angelegt werden sollen (Werte: edukativ und/oder verwaltung) > Description[en]=Specifies which school DCs are created during the school set up (values: edukativ and/or verwaltung) >@@ -64,6 +160,12 @@ > Type=str > Categories=ucsschool-base > >+[ucsschool/import/generate/share/marktplatz/name] >+Description[de]=Name der Freigabe (Default: "Marktplatz"). >+Description[en]=Name of share (default: "Marktplatz"). >+Type=str >+Categories=ucsschool-base >+ > [ucsschool/import/generate/share/marktplatz/sharepath] > Description[de]=Vorgabepfad der Freigabe "Marktplatz" (Default: /home/$ou/groups/Marktplatz) > Description[en]=Default path of share "Marktplatz" (default: /home/$ou/groups/Marktplatz) 
>@@ -125,7 +227,7 @@ > Categories=ucsschool-base > > [ucsschool/import/roleshare] >-Description[de]=Falls diese Variable nicht auf "false" oder "no" gesetzt, dann werden Homeverzeichnisse für Benutzer und Klassengruppen in einer rollen- und schulspezifischen Struktur von Unterverzeichnissen angelegt, z.B. unter /home/$ou/schueler/. >+Description[de]=Falls diese Variable nicht auf "false" oder "no" gesetzt wird, werden Homeverzeichnisse für Benutzer und Klassengruppen in einer rollen- und schulspezifischen Struktur von Unterverzeichnissen angelegt, z.B. unter /home/$ou/schueler/. > Description[en]=If this variable is not set to "false" or "no", then home directories for users and class groups will be created in a role and school specific structure of subdirectories, e.g. in /home/$ou/schueler/. > Type=str > Categories=ucsschool-base >Index: ucs-school-import/modules/ucsschool/importer/contrib/csv.py >=================================================================== >--- ucs-school-import/modules/ucsschool/importer/contrib/csv.py (Revision 76600) >+++ ucs-school-import/modules/ucsschool/importer/contrib/csv.py (Arbeitskopie) >@@ -346,7 +346,7 @@ > > def next(self): > if self.line_num == 0: >- # Used only for its side effect. >+ # Used only for its side effect. > self.fieldnames > self.row = self.reader.next() > self.line_num = self.reader.line_num >Index: ucs-school-import/modules/ucsschool/importer/models/import_user.py >=================================================================== >--- ucs-school-import/modules/ucsschool/importer/models/import_user.py (Revision 76600) >+++ ucs-school-import/modules/ucsschool/importer/models/import_user.py (Arbeitskopie) 
>@@ -107,7 +107,7 @@ > self.__class__.config = Configuration() > self.__class__.reader = self.factory.make_reader() > self.__class__.logger = get_logger() >- self.__class__.username_max_length = 20 - len(self.ucr.get("ucsschool/ldap/default/userprefix/exam", "exam-")) >+ self.__class__.username_max_length = 20 - len(Student.get_search_base(school).user_prefix_exam) > self._lo = None > self._userexpiry = None > super(ImportUser, self).__init__(name, school, **kwargs) >Index: ucs-school-import/tests/test_move_domaincontroller_to_ou >=================================================================== >--- ucs-school-import/tests/test_move_domaincontroller_to_ou (Revision 76600) >+++ ucs-school-import/tests/test_move_domaincontroller_to_ou (Arbeitskopie) >@@ -37,6 +37,8 @@ > exit 1 > fi > >+. /usr/share/ucs-school-lib/base.sh >+ > eval "$(ucr shell)" > > ./create_ou test1 dctest1 >@@ -51,8 +53,10 @@ > > udm computers/domaincontroller_slave create --position "cn=computers,$ldap_base" --set name=dctest7-01 > ./create_ou test7 >-udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=OUtest7-DC-Edukativnetz,cn=ucsschool,cn=groups,$ldap_base" > >+test7_dc="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc test7)" >+udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=$test7_dc,cn=ucsschool,cn=groups,$ldap_base" >+ > echo "TEST: DC is unknown" > ./move_domaincontroller_to_ou --dcname UnKnOwN --ou test1 > echo "EXITCODE: $?" >Index: ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create >=================================================================== >--- ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create (Revision 76600) >+++ ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create (Arbeitskopie) 
>@@ -1,7 +1,7 @@ > #!/bin/bash > # > # 52marktplatz_create >-# Creates a Markplatz share for the specified OUs >+# Creates a Marktplatz share for the specified OUs > # > # Depends: ucs-school-import > # >@@ -35,11 +35,14 @@ > [ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1 > > . /usr/share/univention-lib/ucr.sh >+. /usr/share/ucs-school-lib/base.sh > > eval "$(ucr shell)" > >+name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)" >+ > if ! is_ucr_true "ucsschool/import/generate/share/marktplatz" ; then >- echo "$(basename $0): creation of share 'Marktplatz' has been disabled by ucsschool/import/generate/share/marktplatz" >+ echo "$(basename $0): creation of share '$name' has been disabled by ucsschool/import/generate/share/marktplatz" > exit 0 > fi > >@@ -58,9 +61,9 @@ > sharepath="$ucsschool_import_generate_share_marktplatz_sharepath" > if [ -z "$sharepath" ] ; then > if [ -z "$ucsschool_import_roleshare" ] || is_ucr_true "ucsschool/import/roleshare"; then >- sharepath="/home/$ou/groups/Marktplatz" >+ sharepath="/home/$ou/groups/$name" > else >- sharepath="/home/groups/Marktplatz" >+ sharepath="/home/groups/$name" > fi > fi > >@@ -77,12 +80,12 @@ > > udm shares/share create --ignore_exists \ > --position "cn=shares,ou=${ou}${district},${ldap_base}" \ >- --set name=Marktplatz \ >+ --set name="${name}" \ > --set "host=${dcname}" \ > --set "path=${sharepath}" \ > --set "directorymode=${sharemode}" \ > --set "group=${grpuidnumber}" > >-echo "$(basename $0): added new share Markplatz for server ${dcname}" >+echo "$(basename $0): added new share '$name' for server ${dcname}" > > exit 0 >Index: ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-import >=================================================================== >--- ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-import (Revision 76600) >+++ ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-import (Arbeitskopie) 
>@@ -78,8 +78,8 @@ > import univention.lib.policy_result > from ucsschool.lib.roles import role_pupil, role_teacher, role_staff > from ucsschool.lib.roleshares import roleshare_home_subdir >-from ucsschool.lib.models.utils import stopped_notifier, add_stream_logger_to_schoollib >-from ucsschool.lib.models.utils import create_passwd >+from ucsschool.lib.models.utils import stopped_notifier, add_stream_logger_to_schoollib, create_passwd >+from ucsschool.lib.models import School, SchoolClass, ClassShare > > > ldap_errors = (ldap.LDAPError, univention.admin.uexceptions.base,) >@@ -107,17 +107,6 @@ > > pwLengthOu = {} > >-cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') >-cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer') >-cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >-cn_admins = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins') >-cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') >- >-grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') >-grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') >-grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >-grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >- > grp_policy_pupils = configRegistry.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % baseDN) > grp_policy_teachers = configRegistry.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % baseDN) > grp_policy_admins = configRegistry.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % baseDN) 
>@@ -138,17 +127,7 @@ > # IP address prefix len conecerning the netmask > default_prefixlen = 24 > >-if not (cn_pupils and cn_teachers and cn_teachers_staff and cn_admins and cn_staff): >- print '''ERROR: Unable to proceed: one of the following UCR variables is not set correctly: >- ucsschool/ldap/default/container/pupils >- ucsschool/ldap/default/container/teachers >- ucsschool/ldap/default/container/teachers-and-staff >- ucsschool/ldap/default/container/staff >- ucsschool/ldap/default/container/admins >-''' >- sys.exit(1) > >- > def is_valid_ou_name(name): > """ check if given OU name is valid """ > return bool(re.match('^[a-zA-Z0-9](([a-zA-Z0-9_]*)([a-zA-Z0-9]$))?$', name)) >@@ -274,6 +253,7 @@ > else: > self.allsNrs = [self.sNr] > self.other_sNr = [] >+ self.search_base = School.get_search_base(self.allsNrs[0]) > > # split into multiple class number if comma is present > if ',' in self.cNr: >@@ -328,14 +308,13 @@ > > def getPosition_dn(self): > # resolution order for the position is pupil, teacher, staff >- cn = cn_pupils > if role_teacher in self.getRole() and role_staff in self.getRole(): >- cn = cn_teachers_staff >- elif role_teacher in self.getRole(): >- cn = cn_teachers >+ return self.search_base.teachersAndStaff >+ elif role_teacher in self.getRole (): >+ return self.search_base.teachers > elif role_staff in self.getRole(): >- cn = cn_staff >- return "cn=%s,cn=users,%s" % (cn, getDN(self.sNr)) >+ return self.search_base.staff >+ return self.search_base.students > > def getDN(self): > return "uid=" + self.login + "," + self.getPosition_dn() 
>@@ -344,17 +323,20 @@ > default_groups = [] > > # default group >- default_groups.append("cn=Domain Users " + self.sNr + ",cn=groups,%s" % (getDN(self.sNr), )) >+ default_groups.append("cn=Domain Users %s,%s" % (self.sNr, self.search_base.groups)) > >+ grp_dns = { >+ role_teacher: self.search_base.teachers_ou_group, >+ role_pupil: self.search_base.students_ou_group, >+ role_staff: self.search_base.staff_ou_group} > for role in self.getRole(): >- user_grp_prefix = {role_teacher: grp_prefix_teachers, role_pupil: grp_prefix_pupils, role_staff: grp_prefix_staff}[role] > if role == role_staff and not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True): > continue > # class if available > for cnr in self.cNr: >- default_groups.append("cn=" + cnr + ",cn=klassen,cn=%s,cn=groups,%s" % (cn_pupils, getDN(self.sNr))) >+ default_groups.append("cn=%s,%s" % (cnr, self.search_base.classes)) > >- default_groups.append("cn=%s%s,cn=groups,%s" % (user_grp_prefix, self.sNr, getDN(self.sNr))) >+ default_groups.append(grp_dns[role]) > > return default_groups > >@@ -376,7 +358,7 @@ > except IndexError: > # TODO: add more debug output > print "ERROR: Unable to extract district from school number: %s' % schoolNr + \ >- '\n\tIf you don't use the district model deactivate UCR variable ucsschool/ldap/district/enable" >+ '\n\tIf you don't use the district model deactivate UCR variable ucsschool/ldap/district/enable" > > > def getDN(schoolNr, base='school', basedn=baseDN): 
>@@ -511,21 +493,22 @@ > verify_container(getDN(schoolNr, base='district'), ou_module, co, lo, superordinate, baseDN) > > print "verify ou for school nr %s" % schoolNr >+ search_base = School.get_search_base(schoolNr) > # list of needed sub-containers, the dictionary-key adds the container as default during create in verify_container > container = { >- '0printerPath': ['cn=printers'], >- '1userPath': ['cn=users', 'cn=%s,cn=users' % cn_pupils, 'cn=%s,cn=users' % cn_teachers, 'cn=%s,cn=users' % cn_admins], >- '2computerPath': ['cn=computers', 'cn=server,cn=computers', 'cn=dc,cn=server,cn=computers'], >- '3networkPath': ['cn=networks'], >- '4groupPath': ['cn=groups', 'cn=%s,cn=groups' % cn_pupils, 'cn=%s,cn=groups' % cn_teachers, 'cn=klassen,cn=%s,cn=groups' % cn_pupils, 'cn=raeume,cn=groups'], >- '5dhcpPath': ['cn=dhcp'], >- '6policyPath': ['cn=policies'], >- '7sharePath': ['cn=shares', 'cn=klassen,cn=shares'], >- '8none': ['cn=dc,cn=server,cn=computers'] >+ '0printerPath': [search_base.printers], >+ '1userPath': [search_base.users, search_base.students, search_base.teachers, search_base.admins], >+ '2computerPath': [search_base.computers, 'cn=server,{}'.format(search_base.computers), 'cn=dc,cn=server,{}'.format(search_base.computers)], >+ '3networkPath': [search_base.networks], >+ '4groupPath': [search_base.groups, search_base.workgroups, search_base.teachers_group, search_base.classes, search_base.rooms], >+ '5dhcpPath': [search_base.dhcp], >+ '6policyPath': [search_base.policies], >+ '7sharePath': [search_base.shares, search_base.classShares], >+ '8none': ['cn=dc,cn=server,{}'.format(search_base.computers)] > } > if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True): >- container['1userPath'].extend(['cn=%s,cn=users' % cn_staff, 'cn=%s,cn=users' % cn_teachers_staff]) >- container['4groupPath'].append('cn=%s,cn=groups' % cn_staff) >+ container['1userPath'].extend([search_base.staff, search_base.teachersAndStaff]) >+ 
container['4groupPath'].append(search_base.staff_group) > # FIXME: die Policies sollten besser mit der Gruppe verknüpft werden, um > # z.B. Mitarbeiter und Lehrer im selben Container pflegen zu können > # container_policies = { 'cn=%s,cn=users' % cn_teachers: ['cn=default-lehrer,cn=UMC,cn=policies,' + baseDN] } >@@ -540,20 +523,13 @@ > dccn = '' > myline = '%s\t%s' % (schoolNr, dccn) > hooks.pre('ou', 'A', line=myline) >+ search_base = School.get_search_base(schoolNr) > > # verify global dc groups >- groups_administrative = [ >- "cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN, >- "cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN] >- groups_education = [ >- "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN, >- "cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN] >- groups_administrativeOU = [ >- "cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN), >- "cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)] >- groups_educationOU = [ >- "cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN), >- "cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)] >+ groups_administrative = [search_base.administrative_dc_group, search_base.administrative_member_group] >+ groups_education = [search_base.educational_dc_group, search_base.educational_member_group] >+ groups_administrativeOU = [search_base.administrative_ou_dc_group, search_base.administrative_ou_member_group] >+ groups_educationOU = [search_base.educational_ou_dc_group, search_base.educational_ou_member_group] > > if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True): > groups = groups_administrative + groups_education + groups_administrativeOU + groups_educationOU 
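Review bot: `search_base = School.get_search_base(schoolNr)` is fetched in the container-verification hunk and again, about thirty lines later, right after `hooks.pre('ou', 'A', line=myline)`; if both sit in the same function the second lookup is redundant, and if not, it is worth noting which one the later `grp_ouadmins = search_base.admin_group` and `dcgroups = [...]` hunks rely on, since no assignment is visible near them. In the container dict, `'cn=dc,cn=server,{}'.format(search_base.computers)` is listed under both `'2computerPath'` and `'8none'` (carried over from the old code), and the FIXME comment right below still refers to `cn_teachers`, a name this patch removes; update it to `search_base.teachers` so the comment does not point at a dead variable.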
>@@ -575,15 +551,15 @@ > # TODO FIXME The following snippet does not make any sense: > # if the DC is member of DC-Verwaltungsnetz then is added again to that group?!? Looks like this code is unused. > for grp in dcobject['groups']: >- if grp.startswith("cn=DC-Verwaltungsnetz,"): >+ if grp.startswith(univention.admin.uldap.explodeDn(search_base.administrative_dc_group)[0]): > zone = "verwaltung" > groups = [] > if zone == "edukativ": >- groups.append("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN) >- groups.append("cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)) >+ groups.append(search_base.educational_dc_group) >+ groups.append(search_base.educational_ou_dc_group) > if zone == "verwaltung": >- groups.append("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN) >- groups.append("cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)) >+ groups.append(search_base.administrative_dc_group) >+ groups.append(search_base.administrative_ou_dc_group) > modified = False > for grp in groups: > if grp not in dcobject['groups']: 
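Review bot: `grp.startswith(univention.admin.uldap.explodeDn(search_base.administrative_dc_group)[0])` is looser than the `"cn=DC-Verwaltungsnetz,"` prefix it replaces: without the trailing comma any group whose RDN merely begins with the configured name (say `cn=DC-Verwaltungsnetz-old,cn=ucsschool,...`) would flip `zone` to `"verwaltung"`. Compare the whole DN instead, `grp.lower() == search_base.administrative_dc_group.lower()`, which also drops the explodeDn call. The TODO above already says this loop looks unused, so this is a good moment to either fix it properly or remove it.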
>@@ -632,24 +608,22 @@ > if displayName is not None: > r = lo.modify(ou_base, [('displayName', lo.get(ou_base, ['displayName']).get('displayName', []), [displayName])]) > >- keys = container.keys() >- keys.sort() >- for path in keys: >+ for path in sorted(container.keys()): > for dn in container[path]: > if path[1:] == 'none': > path = ' ' >- verify_container('%s,%s' % (dn, ou_base), cn_module, co, lo, superordinate, baseDN, path=path[1:]) >+ verify_container(dn, cn_module, co, lo, superordinate, baseDN, path=path[1:]) > > # create groups if not existant >- grp_ouadmins = "cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, schoolNr.lower(), baseDN) >+ grp_ouadmins = search_base.admin_group > groups = [ > (grp_ouadmins, grp_policy_admins), >- ("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, schoolNr.lower(), getDN(schoolNr)), grp_policy_pupils), >- ("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, schoolNr.lower(), getDN(schoolNr)), grp_policy_teachers), >+ (search_base.students_ou_group, grp_policy_pupils), >+ (search_base.teachers_ou_group, grp_policy_teachers), > ] > > if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True): >- groups.append(("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, schoolNr.lower(), getDN(schoolNr)), grp_policy_staff), ) >+ groups.append((search_base.staff_ou_group, grp_policy_staff)) > if configRegistry.is_true('ucsschool/import/attach/policy/default-umc-users', True): > domain_users_school = "cn=Domain Users %s,cn=groups,%s" % (schoolNr.lower(), getDN(schoolNr)) > groups.append((domain_users_school, "cn=default-umc-users,cn=UMC,cn=policies,%s" % (baseDN,))) 
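Review bot: `domain_users_school = "cn=Domain Users %s,cn=groups,%s" % (schoolNr.lower(), getDN(schoolNr))` is the one DN in this hunk still assembled by hand while the same group is built from `self.search_base.groups` in the `default_groups` hunk; use `"cn=Domain Users %s,%s" % (schoolNr.lower(), search_base.groups)` here too so the two cannot diverge if the groups container is ever made configurable. Also, `grp_ouadmins` used `schoolNr.lower()` before; please confirm `search_base.admin_group` lowercases the school name in the same way, because existing installations already have the lower-cased group under `cn=ouadmins` and a differently cased DN would create a second one.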
>@@ -686,7 +660,7 @@ > else: > dccn = 'dc%s-01' % schoolNr.lower() > >- dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN), "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (baseDN, )] >+ dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group] > > if dc == 'verwaltung': > if not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True): >@@ -698,10 +672,7 @@ > dccn = configRegistry.get('hostname') > else: > dccn = 'dc%sv-01' % schoolNr.lower() # this is the naming convention, a trailing v for Verwaltungsnetz DCs >- dcgroups = [ >- "cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN), >- "cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (baseDN, ) >- ] >+ dcgroups = [search_base.administrative_ou_dc_group, search_base.administrative_dc_group] > > # create server if not exsistant > objects = univention.admin.modules.lookup( >@@ -724,9 +695,9 @@ > if not server_exists and not dcName: > try: > if dc == 'verwaltung': >- grpdn = 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (schoolNr.lower(), baseDN) >+ grpdn = search_base.administrative_ou_dc_group > else: >- grpdn = 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (schoolNr.lower(), baseDN) >+ grpdn = search_base.educational_ou_dc_group > hostlist = lo.get(grpdn, ['uniqueMember']).get('uniqueMember', []) > except ldap.NO_SUCH_OBJECT: > hostlist = [] >@@ -1098,7 +1069,7 @@ > if (schoolNr, classNr.lower()) in verified_group_shares: > return True > >- position_dn = "cn=%s,cn=klassen,cn=shares,%s" % (classNr, getDN(schoolNr, basedn=base)) >+ position_dn = ClassShare(school=schoolNr, name=classNr).dn > module = univention.admin.modules.get("shares/share") > position_basedn = univention.admin.uldap.position(baseDN) > univention.admin.modules.init(lo, position_basedn, module) 
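Review bot: in the group-share hunk, `position_dn = ClassShare(school=schoolNr, name=classNr).dn` drops the `basedn=base` argument that `getDN(schoolNr, basedn=base)` received, so the function's `base` parameter no longer influences the share DN; if `base` can differ from the default LDAP base the share is now looked up under the wrong tree, and if it cannot, remove the parameter so the signature does not promise something the code ignores. The `dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]` and `grpdn = search_base.administrative_ou_dc_group` lines in the DC hunks use `search_base` without any assignment visible in these hunks; make sure the one added after `hooks.pre('ou', 'A', ...)` is in the same function scope.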
>@@ -1134,7 +1105,9 @@ > print "need to create groupshare %s" % position_dn > > # get gid form corresponding group >- group_dn = "cn=%s,cn=klassen,cn=%s,cn=groups,%s" % (classNr, cn_pupils, getDN(schoolNr, basedn=base)) >+ school_class = SchoolClass(school=schoolNr, name=classNr) >+ class_share = ClassShare.from_school_class(school_class) >+ group_dn = school_class.dn > gids = lo.get(group_dn, ['gidNumber']) > gid = 0 > if len(gids) > 1: # TODO FIXME This doesn't look correct to me - gids is a dict and not a list! >@@ -1183,10 +1156,7 @@ > object.open() > object["name"] = "%s" % classNr > object["host"] = serverfqdn >- if configRegistry.is_true('ucsschool/import/roleshare', True): >- object["path"] = "/home/" + os.path.join(schoolNr, "groups/klassen/%s" % (classNr,)) >- else: >- object["path"] = "/home/groups/klassen/%s" % (classNr,) >+ object["path"] = class_share.get_share_path() > object["writeable"] = "1" > object["sambaWriteable"] = "1" > object["sambaBrowseable"] = "1" >@@ -1327,7 +1297,7 @@ > object["username"] = person.login > object["primaryGroup"] = default_groups[0] > subdir = roleshare_home_subdir(person.sNr, person.getRole(), configRegistry) >- object["unixhome"] = "/home/" + os.path.join(subdir, person.login) >+ object["unixhome"] = os.path.join("/home", subdir, person.login) > object["firstname"] = person.name > object["lastname"] = person.sname > object["e-mail"] = person.mail 
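Review bot: `object["path"] = class_share.get_share_path()` replaces an explicit branch on `ucsschool/import/roleshare` (`/home/<school>/groups/klassen/<class>` when true, `/home/groups/klassen/<class>` otherwise). Nothing in this patch shows `get_share_path()` consulting that variable, so either it must honour the same UCR setting or this silently changes share paths for installations with roleshare disabled and needs a changelog entry plus a migration note. The `os.path.join("/home", subdir, person.login)` rewrite is fine as long as `roleshare_home_subdir()` never returns an absolute path; `os.path.join` discards `"/home"` when `subdir` starts with `/`, which the old string concatenation did not.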
>@@ -1349,12 +1319,18 @@ > # FIXME / TODO > # Test should be following: > # if ( ( ( parts[0].startswith( 'cn=%s' % grp_prefix_pupils) or parts[0].startswith( 'cn=%s' % grp_prefix_pupils) ) and parts[1] == 'cn=groups' and parts[2].startswith('ou=') ) or >- # ( parts[1] == 'cn=klassen' and parts[2] == 'cn=%s' % cn_pupils and parts[3] == 'cn=groups' and parts[4].startswith('ou=') ) ): >+ # ( parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils and parts[3] == 'cn=groups' and parts[4].startswith('ou=') ) ): > >+ search_base = School.get_search_base(None) >+ cn_pupils = ldap.explode_dn(search_base.students, True)[0] >+ cn_classes = ldap.explode_dn(search_base.classes, True)[0] >+ grp_prefix_pupils = search_base.group_prefix_students >+ grp_prefix_teachers = search_base.group_prefix_teachers >+ > if ( > parts[0].startswith('cn=%s' % grp_prefix_pupils) or > parts[0].startswith('cn=%s' % grp_prefix_teachers) or >- (parts[1] == 'cn=klassen' and parts[2] == 'cn=%s' % cn_pupils) >+ (parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils) > ): > # group looks like a default group, so we don't need it anymore > print "remove from group: %s" % group >@@ -1499,7 +1475,7 @@ > if len(groups) > 1: > object["groups"] = groups[1:] > subdir = roleshare_home_subdir(person.sNr, person.getRole(), configRegistry) >- object["unixhome"] = "/home/" + os.path.join(subdir, person.login) >+ object["unixhome"] = os.path.join("/home", subdir, person.login) > if object.has_key('mailbox'): > object["mailbox"] = "/var/spool/%s/" % person.login > object["password"] = password 
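Review bot: the default-group test in the removal hunk derives `cn_pupils` from `search_base.students`, i.e. the students' user container, but the DN being inspected is a class group whose parent is the students' group container (the `search_base.workgroups` / parent of `search_base.classes` used in the `verify_school_ou` hunk). Both default to `schueler` today, yet this patch makes them separately configurable, so take the name from the group side, e.g. `ldap.explode_dn(search_base.classes, True)[1]`, otherwise class groups stop being recognised as default groups once an admin renames only the user container. `School.get_search_base(None)` also appears to be evaluated per group; if that code is inside the loop, hoist it above.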
>@@ -1645,12 +1621,13 @@ > main_person.isTeacher = '0' > main_person.isStaff = '0' > >- if object.dn.endswith(',cn=%s,cn=users,%s' % (cn_teachers_staff, getDN(ou))): >+ search_base = School.get_search_base(ou) >+ if object.dn.endswith(',%s' % search_base.teachersAndStaff): > main_person.isTeacher = '1' > main_person.isStaff = '1' >- elif object.dn.endswith(',cn=%s,cn=users,%s' % (cn_teachers, getDN(ou))): >+ elif object.dn.endswith(',%s' % search_base.teachers): > main_person.isTeacher = '1' >- elif object.dn.endswith(',cn=%s,cn=users,%s' % (cn_staff, getDN(ou))): >+ elif object.dn.endswith(',%s' % search_base.staff): > main_person.isStaff = '1' > > if ou in main_person.allsNrs: >@@ -2265,6 +2242,7 @@ > zone = parsed[6] > > verify_school_ou(schoolNr, co, lo, baseDN) >+ search_base = School.get_search_base(schoolNr) > > try: > ip = ipaddr.IPv4Network(IP) >@@ -2281,11 +2259,11 @@ > groups = {} > if ctype == "memberserver": > if zone == "edukativ": >- groups["cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)] = 1 >- groups["cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN] = 1 >+ groups[search_base.educational_ou_member_group] = 1 >+ groups[search_base.educational_member_group] = 1 > if zone == "verwaltung": >- groups["cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)] = 1 >- groups["cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN] = 1 >+ groups[search_base.administrative_ou_member_group] = 1 >+ groups[search_base.administrative_member_group] = 1 > > # invoke pre hooks > hooks.pre('computer', 'A', line=line) 
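Review bot: `object.dn.endswith(',%s' % search_base.teachersAndStaff)` and the two `elif` branches are case-sensitive string comparisons; if `get_search_base()` builds the container DN with a different case than the DN returned by the LDAP search (the old code passed `ou` through `getDN(ou)` unchanged), none of the branches match and the user silently keeps `isTeacher = '0'` / `isStaff = '0'`, i.e. is treated as a student. Normalise both DNs (`.lower()` on each side, or an explode-and-compare) before testing the suffix.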
>@@ -2390,8 +2368,8 @@ > ClassID = parsed[2] > Descrpt = parsed[3] > >- group_dn = "cn=%s,cn=klassen,cn=%s,cn=groups,%s" % (ClassID, cn_pupils, getDN(schoolNr)) >- share_dn = "cn=%s,cn=klassen,cn=shares,%s" % (ClassID, getDN(schoolNr)) >+ group_dn = SchoolClass(school=schoolNr, name=ClassID).dn >+ share_dn = ClassShare(school=schoolNr, name=ClassID).dn > > verify_school_ou(schoolNr, co, lo, baseDN) > >@@ -2934,11 +2912,12 @@ > > slave = slaves[0] > ouDn = oulist[0].dn >+ search_base = School.get_search_base(options.ou) > > group_filter = univention.admin.filter.conjunction('&', [ > univention.admin.filter.conjunction('|', [ >- univention.admin.filter.expression('cn', 'OU%s-DC-Edukativnetz' % options.ou), >- univention.admin.filter.expression('cn', 'OU%s-DC-Verwaltungsnetz' % options.ou), >+ univention.admin.uldap.explodeDn(search_base.educational_ou_dc_group)[0], >+ univention.admin.uldap.explodeDn(search_base.administrative_ou_dc_group)[0], > ]), > univention.admin.filter.expression('uniqueMember', slave.dn), > ]) 
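Review bot: the `group_filter` hunk is broken: `univention.admin.uldap.explodeDn(...)[0]` returns the plain string `cn=OU...-DC-...`, but the surrounding `conjunction('|', [...])` previously held `univention.admin.filter.expression` objects, which render as `(cn=...)`. Mixing raw strings in produces a filter like `(|cn=OUx-DC-Edukativnetzcn=OUx-DC-Verwaltungsnetz)` with no parentheses and no escaping of the value, which slapd rejects. Keep the expression objects and pass only the RDN value, e.g. `univention.admin.filter.expression('cn', univention.admin.uldap.explodeDn(search_base.educational_ou_dc_group, 1)[0])` (second argument `notypes`), and the same for the administrative group.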
>@@ -3039,16 +3018,11 @@ > print 'ERROR: specified OU %r does not exist' % ou_name > sys.exit(1) > >+ search_base = School.get_search_base(ou_name) > # get list of desired group memberships > group_dn_list = { >- TYPE_DC_ADMINISTRATIVE: [ >- 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou_name.lower(), baseDN), >- 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (baseDN,), >- ], >- TYPE_DC_EDUCATIONAL: [ >- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (baseDN,), >- 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou_name.lower(), baseDN), >- ], >+ TYPE_DC_ADMINISTRATIVE: [search_base.administrative_ou_dc_group, search_base.administrative_dc_group], >+ TYPE_DC_EDUCATIONAL: [search_base.educational_dc_group, search_base.educational_ou_dc_group] > }[dc_type] > for grpdn in group_dn_list: > verify_group(grpdn, co, lo, superordinate, baseDN) >Index: ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4 >=================================================================== >--- ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4 (Revision 76600) >+++ ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4 (Arbeitskopie) >@@ -31,6 +31,7 @@ > # <http://www.gnu.org/licenses/>. > > . /usr/share/univention-lib/all.sh >+. /usr/share/ucs-school-lib/base.sh > > display_help() { > cat <<-EOL 
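Review bot: `. /usr/share/ucs-school-lib/base.sh` introduces a runtime dependency of `ucs-school-import` on the package that ships `base.sh` and the `ucr_names_default` / `replace_ou` helpers used below; add it to `Depends:` in `debian/control`, and consider guarding the line (`. /usr/share/ucs-school-lib/base.sh || exit 1`) so a partially upgraded system fails loudly instead of running the join with empty group names. In the `group_dn_list` hunk the administrative list is `[ou_dc_group, dc_group]` and the educational one `[dc_group, ou_dc_group]`; harmless, but order them identically.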
>@@ -195,11 +196,13 @@ > while read service; do > case "$service" in > "UCS@school Education") >- target_server_ucsschool_type=Edukativnetz >+ target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)" >+ target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc)" > target_server_ucsschool_service="$service" > ;; > "UCS@school Administration") >- target_server_ucsschool_type=Verwaltungsnetz >+ target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)" >+ target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc)" > target_server_ucsschool_service="$service" > ;; > esac 
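Review bot: the new UCR keys `ucsschool/ldap/default/groupname/all-administrativ-dc` and `.../ou-administrativ-dc` are missing the trailing `e` (`administrative`), while the educational counterparts are spelled out; the same spelling recurs in the ACL template later in this patch, so it is at least consistent, but it is a public configuration key and should be fixed before release rather than carried forever. Also, the four default group names are now hard-coded in several places (in `base.sh` behind `ucr_names_default`, in the ACL template's `dir_ucsschool` dict, and wherever `School.get_search_base()` takes its defaults from); a single source of truth for the defaults would avoid them drifting apart.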
>@@ -258,17 +261,17 @@ > > echo -n "Check group memberschip : " > test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \ >- /usr/sbin/udm groups/group list --filter name="DC-$target_server_ucsschool_type" | sed -n "/^ *hosts: $target_ldap_hostdn$/p") >+ /usr/sbin/udm groups/group list --filter name="$target_server_all_dcs" | sed -n "/^ *hosts: $target_ldap_hostdn$/p") > if [ -z "$test_output" ]; then > echo -e "\033[60Gfailed" >- echo "$hostname is not member of the group DC-$target_server_ucsschool_type, this needs to be fixed first manually." >+ echo "$hostname is not member of the group $target_server_all_dcs, this needs to be fixed first manually." > exit 1 > fi > test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \ >- /usr/sbin/udm groups/group list --filter name="OU$my_school_ou-DC-$target_server_ucsschool_type" | sed -n "/^ *hosts: $target_ldap_hostdn$/p") >+ /usr/sbin/udm groups/group list --filter name="$(replace_ou "$target_server_ou_dcs" "$my_school_ou")" | sed -n "/^ *hosts: $target_ldap_hostdn$/p") > if [ -z "$test_output" ]; then > echo -e "\033[60Gfailed" >- echo "$hostname is not member of the group OU$my_school_ou-DC-$target_server_ucsschool_type, this needs to be fixed first manually." >+ echo "$hostname is not member of the group $(replace_ou "$target_server_ou_dcs" "$my_school_ou"), this needs to be fixed first manually." > exit 1 > else > echo -e "\033[60Gdone" >Index: ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-verify-class-memberships >=================================================================== >--- ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-verify-class-memberships (Revision 76600) >+++ ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-verify-class-memberships (Arbeitskopie) 
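Review bot: `replace_ou "$target_server_ou_dcs" "$my_school_ou"` is evaluated twice in this hunk; compute it once into a variable before the `udm groups/group list --filter name=...` call and reuse it in the error message. More importantly, the group name is now administrator-configured input that ends up unescaped in an LDAP filter (`--filter name="$target_server_all_dcs"`), and the Python side builds the per-OU name with `schoolNr.lower()` whereas `replace_ou` receives `$my_school_ou` as-is; apply the same casing on both sides, otherwise the membership check fails on OUs with upper-case letters even though the host is in the group.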
>@@ -42,6 +42,7 @@ > import univention.admin.handlers.groups.group > import univention.admin.handlers.users.user > import univention.admin.objects >+from ucsschool.lib.models import School, SchoolClass, Staff, Student, Teacher > > > class Problem(Exception): >@@ -160,7 +161,8 @@ > > > def parse_line(lo, line): >- oubase = 'ou=%s,%s' % (line['school'], ucr['ldap/base'],) >+ school = School(name=line['school']) >+ oubase = school.dn > uid = line['name'] > try: > dn = lo.search(filter_format('uid=%s', (uid,)), oubase, unique=True)[0][0] >@@ -173,8 +175,8 @@ > raise StudentDoesNotExists(line, uid) > else: > raise StudentIsInAnotherSchool(line, uid, dn) >- if not dn.endswith(',cn=schueler,cn=users,%s' % (oubase,)): >- if not dn.endswith(',cn=lehrer,cn=users,%s' % (oubase,)) or not dn.endswith(',cn=mitarbeiter,cn=users,%s' % (oubase,)): >+ if not dn.endswith(Student.get_container(school.name)): >+ if not dn.endswith(Teacher.get_container(school.name)) or not dn.endswith(Staff.get_container(school.name)): > print('Ignoring teacher/staff %r' % (uid,)) > return > msg('ERROR: %s (%s %s) is not a student/teacher/staff.' % (uid, line['firstname'], line['lastname'])) >@@ -186,7 +188,7 @@ > correct = False > invalid_groups = set() > for gdn, group in groups: # pylint: disable=W0612 >- if not gdn.endswith(',cn=klassen,cn=schueler,cn=groups,%s' % (oubase,)): >+ if not gdn.endswith(SchoolClass.get_container(school.name)): > if not gdn.endswith(oubase) and re.search(',ou=[^,]+,%s$' % (ucr['ldap/base'],), gdn, re.I): > raise StudentIsInAnotherClassInAnotherSchool(line, uid, dn, gdn) > continue # ignore workgroups / Domain Users >Index: ucs-school-ldap-acls-master/61ucsschool_presettings >=================================================================== >--- ucs-school-ldap-acls-master/61ucsschool_presettings (Revision 76600) >+++ ucs-school-ldap-acls-master/61ucsschool_presettings (Arbeitskopie) 
>@@ -1,65 +1,95 @@ >+@!@ >+# -*- coding: utf-8 -*- >+import re >+ >+ >+def replace_ucr_variables(template): >+ variable_token = re.compile('@[$]@') >+ >+ dir_ucsschool = { >+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'), >+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'), >+ 'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'), >+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'), >+ } >+ >+ while 1: >+ i = variable_token.finditer(template) >+ try: >+ start = i.next() >+ end = i.next() >+ name = template[start.end():end.start()] >+ >+ template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():] >+ except StopIteration: >+ break >+ >+ return template >+ >+ >+aclset += """ > # start 61ucsschool_presettings > > # revert rule from UCS; Bug #41402 > access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid > by dn.regex=".*cn=computers,ou=([^,]+),(ou=[^,]+,)?@%@ldap/base@%@" none break >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break > by set="user/objectClass & ([ucsschoolStudent] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolAdministrator])" none break > by * +0 break > > # Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren > access to filter="(objectClass=sambaDomain)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # grant write access to domaincontroller slave/member server for certain univention app center settings > access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)" >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Slave controllers and memberservers require write access to virtual machine manager objects > access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write 
>- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write > by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write > by * +0 break 
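Review bot: the group names read from UCR in `replace_ucr_variables()` are spliced verbatim into `by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@"`; a value containing `"`, `,` or `+` either breaks the quoted DN (slapd then refuses the whole ACL file and keeps running with the old one) or moves the rule to a different DN than intended. Validate the four values against a conservative character set before rendering and refuse to produce the template otherwise. The `while 1` / `i.next()` loop also rebuilds the whole template string once per token; `re.sub(r'@\$@(\w+)@\$@', lambda m: dir_ucsschool[m.group(1)], template)` does the same in one pass and makes an unknown token an error instead of a silent blank.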
>@@ -66,47 +96,51 @@ > > # Slave-Controller und Member-Server benoetigen idmap-Container > access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Slave-Controller und Member-Server benoetigen ID-Mapping > access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Slave-Controller und Member-Server benoetigen nicht alle Container > access to dn.subtree="cn=backup,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > access to dn.subtree="cn=printers,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > access to dn.subtree="cn=networks,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > access to dn.regex="^(.*,)?cn=(cups|ppolicy|packages|services|templates|admin-settings|default containers|saml-serviceprovider),cn=univention,@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > # end 61ucsschool_presettings >+""" >+ >+print replace_ucr_variables(aclset) >+@!@ >Index: ucs-school-ldap-acls-master/65ucsschool >=================================================================== >--- ucs-school-ldap-acls-master/65ucsschool (Revision 76600) >+++ ucs-school-ldap-acls-master/65ucsschool (Arbeitskopie) 
>@@ -14,19 +14,24 @@ > def replace_ucr_variables(template): > variable_token = re.compile('@[$]@') > >- dir_ucsschool = { } >- dir_ucsschool[ 'DISTRICT' ] = '' >- if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ): >- dir_ucsschool[ 'DISTRICT' ] = 'ou=[^,]+,' >- dir_ucsschool[ 'PUPILS' ] = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') >- dir_ucsschool[ 'TEACHERS' ] = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer') >- dir_ucsschool[ 'STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') >- dir_ucsschool[ 'TEACHERS-STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >- dir_ucsschool[ 'ADMINS' ] = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins') >- dir_ucsschool[ 'GRPADMINS' ] = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >- dir_ucsschool[ 'EXAM' ] = configRegistry.get('ucsschool/ldap/default/container/exam', 'examusers') >+ dir_ucsschool = { >+ 'DISTRICT': 'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '', >+ 'PUPILS': configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'), >+ 'TEACHERS': configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'), >+ 'STAFF': configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'), >+ 'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'), >+ 'ADMINS': configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'), >+ 'GRPADMINS': configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'), >+ 'EXAM': configRegistry.get('ucsschool/ldap/default/container/exam', 'examusers'), >+ 'CLASS': configRegistry.get('ucsschool/ldap/default/container/class', 'klassen'), >+ 'ROOMS': 
configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'), >+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'), >+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'), >+ 'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'), >+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'), >+ 'DOMAIN_ADMINS': custom_groupname('Domain Admins'), >+ } > >- dir_ucsschool['DOMAIN_ADMINS'] = custom_groupname('Domain Admins') > while 1: > i = variable_token.finditer(template) > try: 
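Review bot: `'DISTRICT': 'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else ''` is not a pure refactor of the removed `.lower() in ( 'yes', 'true', '1' )` check: is_true also accepts the other affirmative spellings UCR recognises, so a district value that was previously ignored now enables the district prefix in every dn.regex rule. That is probably the desired behaviour, but it should be called out in the changelog. Separately, the dict literal hardcodes the defaults `'DC-Verwaltungsnetz'`, `'Member-Verwaltungsnetz'`, `'DC-Edukativnetz'` and `'Member-Edukativnetz'` a second time (the same strings appear as defaults in the schoolldap.py hunk of this patch); if the two copies ever diverge, the join script creates groups under one name while the ACLs grant rights to another, and the affected school servers silently lose access.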
>@@ -44,20 +49,20 @@ > aclset += """ > # DC Slaves need write access to the members of the group Domain Computers > access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects > access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Slave DCs can read and write policy containers for MS WMI filter objects > access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern >@@ -71,12 +76,12 @@ > by * +0 break > > # Lehrer, Mitarbeiter und OU-Admins duerfen Raum-Gruppen anlegen und bearbeiten >-access to dn.regex="^cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry >+access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry > by set.expand="[$1] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write > @$@# old rule@$@ by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write > by * +0 break > >-access to dn.regex="^cn=([^,]+),cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" >+access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" > by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write > @$@# old rule@$@ by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write > by * +0 break 
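Review bot: In the `-71,12` hunk, `dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),..."` and the following `^cn=([^,]+),cn=@$@ROOMS@$@,...` rule splice the configured container name into a regular expression without escaping. A name containing `.`, `+`, `(` or `|` either changes what the rule matches (an unescaped `.` matches any character, widening the set of DNs teachers may write to) or makes the regex fail to compile. Apply re.escape to values that end up inside dn.regex clauses; the regex-escaped form is distinct from the DN escaping needed for the `uniqueMember="..."` clauses.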
>@@ -146,10 +151,10 @@ > by * +0 break > > access to dn.subtree="cn=temporary,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > # OU-Admins duerfen MAC-Adressen im Rechner- und DHCP-Objekt aendern 
>@@ -173,24 +178,24 @@ > > # domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers > access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > access to filter="(|(objectClass=ucsschoolStudent)(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > # domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users > access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > access to 
filter="(&(objectClass=ucsschoolStaff)(!(objectClass=ucsschoolTeacher))(!(objectClass=ucsschoolAdministrator)))" >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * +0 break > > # FIXME: this rule allows to read all passwords underneath of all OU's instead of only the password belonging to the OU; explain why or fix it 
>@@ -197,41 +202,41 @@ > # TODO: are the following attributes missing here?: 'sambaBadPasswordCount', 'krb5PasswordEnd', 'shadowMax', 'sambaAcctFlags', 'sambaPasswordHistory' > # Memberserver duerfen Passwoerter aller Objekte unterhalb einer Schule lesen > access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,sambaPwdCanChange,sambaPwdMustChange >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd > by * +0 break > > # Alle DC-Slaves muessen alle Benutzercontainer und Gruppen jeder Schule lesen koennen > access to dn.regex="^ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="objectClass=ucsschoolOrganizationalUnit" >- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd > by * +0 break > > access to dn.regex="^cn=(users|groups|@$@EXAM@$@),ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by 
group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd > by * +0 break > > access to dn.regex="^([^,]+),cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd > by * +0 break > > access to dn.regex="^cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd > by * +0 break > > # DC-Slaves muessen die Benutzer ihrer Schule lesen und schreiben duerfen > access to 
dn.regex="^uid=([^,]+),cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by set="([cn=OU]+this/ucsschoolSchool+[-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write >+ by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write > by * +0 break > access to dn.regex="^uid=([^,]+),cn=@$@EXAM@$@,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by set="([cn=OU]+this/ucsschoolSchool+[-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write >+ by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write > by * +0 break > > # Schul-Slave-Server duerfen nur Eintraege ihrer OU lesen und schreiben (Passwortaenderungen etc.) 
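Review bot: Throughout the `-197,41` hunk the OU-specific groups are derived from the global names, e.g. `uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,..."` and `[cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,...]`, whereas the schoolldap.py part of this patch introduces independent variables ucsschool/ldap/default/groupname/ou-administrativ-dc, ou-educational-dc, etc. with their own defaults. If an administrator sets one family but not the other, the Python code creates and checks group A while the ACL grants replication rights to a non-existent group B. Because the OU part has to stay a regex backreference here, the template cannot simply use the ou-* variables; either derive the ou-* names in schoolldap.py from the global names (and drop the separate variables), or document and validate that the ou-* values must keep the `OU%(ou)s-<global name>` shape.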
>@@ -239,13 +244,13 @@ > access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" > by group/univentionGroup/uniqueMember="cn=@$@DOMAIN_ADMINS@$@,cn=groups,@%@ldap/base@%@" +0 break > by set.expand="[ldap:///ou=$2,@%@ldap/base@%@?ou?base?%28%21%28objectClass%3DucsschoolOrganizationalUnit%29%29]/ou" +0 break >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write > by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd continue > by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +rscxd continue >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop > by set.expand="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +0 stop > by dn.regex="^.*,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" 
+rscxd break > by dn.regex="^.*,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +0 stop 
>@@ -252,22 +257,22 @@ > by * +0 break > > # Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!) >-access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry >- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+access to dn.regex="^cn=@$@CLASS@$@,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry >+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * +0 break > > # Schulserver duerfen die Passwoerter aller globalen Objekte replizieren > access to dn.regex="^(.+,)?cn=(users|kerberos|computers),@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >- by 
group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd > by * +0 break > """ > >Index: ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst >=================================================================== >--- ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst (Revision 76600) >+++ ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst (Arbeitskopie) >@@ -32,6 +32,8 @@ > VERSION=7 > . /usr/share/univention-join/joinscripthelper.lib > . /usr/share/univention-lib/ldap.sh >+. /usr/share/ucs-school-lib/base.sh >+ > joinscript_init > > eval "$(univention-config-registry shell)" 
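Review bot: In the `-252,22` hunk the first rule is changed to `access to dn.regex="^cn=@$@CLASS@$@,cn=@$@PUPILS@$@,cn=groups,..."`, but the rule directly below it, `access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),..."`, is left as an unchanged context line with `klassen` hardcoded. With a non-default class container name the slave DCs can create the container but the per-class group rule never matches, so the class groups cannot be edited. Replace that occurrence with `cn=@$@CLASS@$@` as well.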
>@@ -43,7 +45,11 @@ > --set name="ucsschool" > > # create global groups required for LDAP ACLs for UCS@school >-for grp in "DC-Verwaltungsnetz" "Member-Verwaltungsnetz" "DC-Edukativnetz" "Member-Edukativnetz" ; do >+for grp in \ >+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)" \ >+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-member)" \ >+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)" \ >+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-member)"; do > univention-directory-manager groups/group create "$@" \ > --ignore_exist \ > --position="cn=ucsschool,cn=groups,$ldap_base" \ >Index: ucs-school-ldap-acls-master/debian/control >=================================================================== >--- ucs-school-ldap-acls-master/debian/control (Revision 76600) >+++ ucs-school-ldap-acls-master/debian/control (Arbeitskopie) >@@ -9,7 +9,7 @@ > > Package: ucs-school-ldap-acls-master > Architecture: all >-Depends: univention-ldap-server, univention-ldap-config >+Depends: univention-ldap-server, univention-ldap-config, shell-ucs-school > Conflicts: univention-server-slave, univention-server-member, univention-mobile-client, univention-managed-client, univention-basesystem > Description: Special LDAP ACLs for UCS@school > This package provides additional LDAP ACLs for slapd >Index: ucs-school-lib/python/models/school.py >=================================================================== >--- ucs-school-lib/python/models/school.py (Revision 76600) >+++ ucs-school-lib/python/models/school.py (Arbeitskopie) 
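Review bot: The join script hunk now reads the group names via `"$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)"` but still creates them with `--ignore_exist` and leaves `VERSION=7` unchanged. On an already joined master the script will not run again, and on a re-run after an administrator changes one of the variables it creates a new, empty group next to the old one; the regenerated ACLs then reference a group with no members and the school servers lose their replication rights. Either document that these variables must be set before the first join, or bump VERSION and handle the rename (moving the members) explicitly.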
>@@ -80,22 +80,18 @@ > def get_container(cls, school=None): > return ucr.get('ldap/base') > >- @classmethod >- def cn_name(cls, name, default): >- ucr_var = 'ucsschool/ldap/default/container/%s' % name >- return ucr.get(ucr_var, default) >- > def create_default_containers(self, lo): >- cn_pupils = self.cn_name('pupils', 'schueler') >- cn_teachers = self.cn_name('teachers', 'lehrer') >- cn_admins = self.cn_name('admins', 'admins') >- cn_classes = self.cn_name('class', 'klassen') >- cn_rooms = self.cn_name('rooms', 'raeume') >+ search_base = self.get_search_base(self.name) >+ cn_pupils = ldap.explode_dn(search_base.students, True)[0] >+ cn_teachers = ldap.explode_dn(search_base.teachers, True)[0] >+ cn_admins = ldap.explode_dn(search_base.admins, True)[0] >+ cn_classes = ldap.explode_dn(search_base.classes, True)[0] >+ cn_rooms = ldap.explode_dn(search_base.rooms, True)[0] > user_containers = [cn_pupils, cn_teachers, cn_admins] > group_containers = [cn_pupils, [cn_classes], cn_teachers, cn_rooms] > if self.shall_create_administrative_objects(): >- cn_staff = self.cn_name('staff', 'mitarbeiter') >- cn_teachers_staff = self.cn_name('teachers-and-staff', 'lehrer und mitarbeiter') >+ cn_staff = ldap.explode_dn(search_base.staff, True)[0] >+ cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0] > user_containers.extend([cn_staff, cn_teachers_staff]) > group_containers.append(cn_staff) > containers_with_path = { 
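Review bot: `ldap.explode_dn(search_base.students, True)[0]` introduces a dependency on the ldap module in school.py, but the hunk adds no import; the visible code previously only used `ucr`, so confirm `import ldap` is already present at module level. The hunk also deletes the public classmethod `cn_name`; check for remaining callers in other packages before removing it rather than deprecating it.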
>@@ -127,12 +123,6 @@ > for cn in containers: > last_dn = _add_container(cn, last_dn, self.dn, path, lo) > >- def group_name(self, prefix_var, default_prefix): >- ucr_var = 'ucsschool/ldap/default/groupprefix/%s' % prefix_var >- name_part = ucr.get(ucr_var, default_prefix) >- school_part = self.name.lower() >- return '%s%s' % (name_part, school_part) >- > def get_umc_policy_dn(self, name): > # at least the default ones should exist due to the join script > return ucr.get('ucsschool/ldap/default/policy/umc/%s' % name, 'cn=ucsschool-umc-%s-default,cn=UMC,cn=policies,%s' % (name, ucr.get('ldap/base'))) >@@ -153,8 +143,8 @@ > group.create(lo) > > # cn=ouadmins >- admin_group_container = 'cn=ouadmins,cn=groups,%s' % ucr.get('ldap/base') >- group = BasicGroup.cache(self.group_name('admins', 'admins-'), container=admin_group_container) >+ search_base = self.get_search_base(self.name) >+ group = BasicGroup.cache("{}{}".format(search_base.group_prefix_admins, self.name.lower()), container=search_base.globalGroupContainer) > group.create(lo) > group.add_umc_policy(self.get_umc_policy_dn('admins'), lo) > try: 
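Review bot: In the `-153,8` hunk the container of the ouadmins group changes from the literal `'cn=ouadmins,cn=groups,%s' % ucr.get('ldap/base')` to `search_base.globalGroupContainer`. Confirm that globalGroupContainer resolves to exactly that DN; otherwise `BasicGroup.cache(...)` looks for and creates the admin groups in a different container, and existing groups (plus the UMC policy attached via `group.add_umc_policy`) are silently duplicated. The removal of `group_name` in the `-127,12` hunk needs the same caller check as the other deleted helper.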
>@@ -169,18 +159,18 @@ > udm_obj.modify() > > # cn=schueler >- group = Group.cache(self.group_name('pupils', 'schueler-'), self.name) >+ group = Group.cache("{}{}".format(search_base.group_prefix_students, self.name.lower()), self.name) > group.create(lo) > group.add_umc_policy(self.get_umc_policy_dn('pupils'), lo) > > # cn=lehrer >- group = Group.cache(self.group_name('teachers', 'lehrer-'), self.name) >+ group = Group.cache("{}{}".format(search_base.group_prefix_teachers, self.name.lower()), self.name) > group.create(lo) > group.add_umc_policy(self.get_umc_policy_dn('teachers'), lo) > > # cn=mitarbeiter > if self.shall_create_administrative_objects(): >- group = Group.cache(self.group_name('staff', 'mitarbeiter-'), self.name) >+ group = Group.cache("{}{}".format(search_base.group_prefix_staff, self.name.lower()), self.name) > group.create(lo) > group.add_umc_policy(self.get_umc_policy_dn('staff'), lo) 
> >@@ -237,20 +227,34 @@ > return flatten([self.get_administrative_group_name(group_type, True, ou_specific, as_dn), self.get_administrative_group_name(group_type, False, ou_specific, as_dn)]) > if ou_specific == 'both': > return flatten([self.get_administrative_group_name(group_type, domain_controller, False, as_dn), self.get_administrative_group_name(group_type, domain_controller, True, as_dn)]) >+ search_base = self.get_search_base(self.name) >+ base_dn = ucr.get('ldap/base') > if group_type == 'administrative': >- name = 'Verwaltungsnetz' >+ if domain_controller: >+ if ou_specific: >+ dn = search_base.administrative_ou_dc_group >+ else: >+ dn = search_base.administrative_dc_group >+ else: >+ if ou_specific: >+ dn = search_base.administrative_ou_member_group >+ else: >+ dn = search_base.administrative_member_group > else: >- name = 'Edukativnetz' >- if domain_controller: >- name = 'DC-%s' % name >- else: >- name = 'Member-%s' % name >- if ou_specific: >- name = 'OU%s-%s' % (self.name.lower(), name) >+ if domain_controller: >+ if ou_specific: >+ dn = search_base.educational_ou_dc_group >+ else: >+ dn = search_base.educational_dc_group >+ else: >+ if ou_specific: >+ dn = search_base.educational_ou_member_group >+ else: >+ dn = search_base.educational_member_group > if as_dn: >- return 'cn=%s,cn=ucsschool,cn=groups,%s' % (name, ucr.get('ldap/base')) >+ return dn > else: >- return name >+ return ldap.explode_dn(dn, True)[0] > > def get_administrative_server_names(self, lo): > dn = self.get_administrative_group_name('administrative', ou_specific=True, as_dn=True) >Index: ucs-school-lib/python/models/share.py >=================================================================== >--- ucs-school-lib/python/models/share.py (Revision 76600) >+++ ucs-school-lib/python/models/share.py (Arbeitskopie) 
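Review bot: `base_dn = ucr.get('ldap/base')` in the `-237,20` hunk is assigned but never used now that `return dn` replaced the `'cn=%s,cn=ucsschool,cn=groups,%s'` format; drop it. The eight-way `if group_type == 'administrative': if domain_controller: if ou_specific:` ladder would be clearer as a single lookup keyed by (group_type, domain_controller, ou_specific), which also makes it obvious that every combination maps to a search_base attribute.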
>@@ -138,6 +138,6 @@ > > def get_share_path(self): > if ucr.is_true('ucsschool/import/roleshare', True): >- return '/home/%s/groups/klassen/%s' % (self.school_group.school, self.name) >+ return '/home/%s/groups/%s/%s' % (self.school_group.school, self.get_search_base(self.school).share_name_class, self.name) > else: >- return '/home/groups/klassen/%s' % self.name >+ return '/home/groups/%s/%s' % (self.get_search_base(self.school).share_name_class, self.name) >Index: ucs-school-lib/python/models/user.py >=================================================================== >--- ucs-school-lib/python/models/user.py (Revision 76600) >+++ ucs-school-lib/python/models/user.py (Arbeitskopie) >@@ -435,15 +435,15 @@ > return [self.get_group_dn('Domain Users %s' % school, school) for school in self.schools] > > def get_students_groups(self): >- prefix = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') >+ prefix = self.get_search_base(self.school).group_prefix_students > return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools] > > def get_teachers_groups(self): >- prefix = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') >+ prefix = self.get_search_base(self.school).group_prefix_teachers > return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools] > > def get_staff_groups(self): >- prefix = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >+ prefix = self.get_search_base(self.school).group_prefix_staff > return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools] > > def groups_used(self, lo): 
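Review bot: `'/home/%s/groups/%s/%s' % (self.school_group.school, self.get_search_base(self.school).share_name_class, self.name)` now embeds an administrator-supplied value in a filesystem path. A share_name_class containing `/` or `..` places the class share directories outside `/home/<school>/groups/`; validate the value (no path separators, no `.`/`..` components) where it is read. Also note the line mixes `self.school_group.school` and `self.school`; confirm both are the same OU, or use one consistently.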
>@@ -667,6 +667,6 @@ > > @classmethod > def from_student_dn(cls, lo, school, dn): >- examUserPrefix = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-') >+ examUserPrefix = cls.get_search_base(school).user_prefix_exam > dn = 'uid=%s%s,%s' % (escape_dn_chars(examUserPrefix), explode_dn(dn, True)[0], cls.get_container(school)) > return cls.from_dn(dn, school, lo) >Index: ucs-school-lib/python/roleshares.py >=================================================================== >--- ucs-school-lib/python/roleshares.py (Revision 76600) >+++ ucs-school-lib/python/roleshares.py (Arbeitskopie) >@@ -36,7 +36,7 @@ > import univention.config_registry > from ucsschool.lib.roles import role_pupil, role_teacher, role_staff > from ucsschool.lib.i18n import ucs_school_name_i18n >-from ucsschool.lib.models import Group, School >+from ucsschool.lib.models import Group, School, Share > from ucsschool.lib.schoolldap import LDAP_Connection, USER_READ, USER_WRITE, MACHINE_READ > import univention.admin.uexceptions > import univention.admin.uldap as udm_uldap >@@ -151,7 +151,7 @@ > ucr.load() > > school_ou = school.name >- share_container_dn = school.get_search_base(school.name).shares >+ share_container_dn = Share.get_container(school.name) > > teacher_groupname = '-'.join((ucs_school_name_i18n(role_teacher), school_ou)) > teacher_group = Group(name=teacher_groupname, school=school_ou).get_udm_object(ldap_user_read) >Index: ucs-school-lib/python/schoolldap.py >=================================================================== >--- ucs-school-lib/python/schoolldap.py (Revision 76600) >+++ ucs-school-lib/python/schoolldap.py (Arbeitskopie) 
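Review bot: `examUserPrefix = cls.get_search_base(school).user_prefix_exam` in the `-667,6` hunk calls get_search_base on the class from within the classmethod `from_student_dn`, while every other hunk in this patch calls `self.get_search_base(...)`. If get_search_base is an instance method this raises a TypeError at call time, breaking exam user creation; confirm it is a classmethod or staticmethod. The prefix is still passed through `escape_dn_chars`, which is correct now that it is configurable.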
>@@ -177,7 +177,16 @@ > self._school = school or availableSchools[0] > self._schoolDN = dn or School.cache(self.school).dn > >- # prefixes >+ # >+ # When adding/updating UCRV defaults, also add/update them in shell/base.sh. >+ # >+ >+ # >+ # When changing any of ucsschool/ldap/default/groupname/all-{administrativ, educational}-{dc, member} >+ # copy the changes to ucs-school-ldap-acls-master/{61ucsschool_presettings, 65ucsschool}. >+ # >+ >+ # containers > self._containerAdmins = ucr.get('ucsschool/ldap/default/container/admins', 'admins') > self._containerStudents = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler') > self._containerStaff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') 
>@@ -186,12 +195,38 @@ > self._containerClass = ucr.get('ucsschool/ldap/default/container/class', 'klassen') > self._containerRooms = ucr.get('ucsschool/ldap/default/container/rooms', 'raeume') > self._examUserContainerName = ucr.get('ucsschool/ldap/default/container/exam', 'examusers') >- self._examGroupNameTemplate = ucr.get('ucsschool/ldap/default/groupname/exam', 'OU%(ou)s-Klassenarbeit') >- >+ # group names >+ self._examGroupName = ucr.get('ucsschool/ldap/default/groupname/exam', >+ 'OU%(ou)s-Klassenarbeit') % {'ou': self._school.lower()} >+ self._all_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-dc', >+ 'DC-Verwaltungsnetz') >+ self._all_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-member', >+ 'Member-Verwaltungsnetz') >+ self._all_educational_dc = ucr.get('ucsschool/ldap/default/groupname/all-educational-dc', >+ 'DC-Edukativnetz') >+ self._all_educational_member = ucr.get('ucsschool/ldap/default/groupname/all-educational-member', >+ 'Member-Edukativnetz') >+ self._ou_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-dc', >+ 'OU%(ou)s-DC-Verwaltungsnetz') % {'ou': self._school.lower()} >+ self._ou_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-member', >+ 'OU%(ou)s-Member-Verwaltungsnetz') % {'ou': self._school.lower()} >+ self._ou_educational_dc = ucr.get('ucsschool/ldap/default/groupname/ou-educational-dc', >+ 'OU%(ou)s-DC-Edukativnetz') % {'ou': self._school.lower()} >+ self._ou_educational_member = ucr.get('ucsschool/ldap/default/groupname/ou-educational-member', >+ 'OU%(ou)s-Member-Edukativnetz') % {'ou': self._school.lower()} >+ # group prefixes > self.group_prefix_students = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') > self.group_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') > self.group_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 
'admins-') > self.group_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >+ # user prefix >+ self.user_prefix_exam = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-') >+ # share/directory names >+ self.share_name_class = ucr.get('ucsschool/ldap/default/share/class', 'klassen') >+ self.share_name_pupils = ucr.get('ucsschool/ldap/default/share/pupils', 'schueler') >+ self.share_name_teachers = ucr.get('ucsschool/ldap/default/share/teachers', 'lehrer') >+ self.share_name_exams = ucr.get('ucsschool/ldap/default/share/exams', 'Klassenarbeiten') >+ self.share_name_marktplatz = ucr.get('ucsschool/import/generate/share/marktplatz/name', 'Marktplatz') > > @classmethod > def getOU(cls, dn): 
>@@ -260,25 +295,65 @@ > > @property > def students(self): >+ """cn=schueler,cn=users,<ou dn>""" > return "cn=%s,cn=users,%s" % (self._containerStudents, self.schoolDN) > > @property >+ def students_group(self): >+ """cn=schueler,cn=groups,<ou dn>""" >+ return "cn=%s,cn=groups,%s" % (self._containerStudents, self.schoolDN) >+ >+ @property >+ def students_ou_group(self): >+ """cn=schueler-%(ou)s,cn=groups,<ou dn> (ou already replaced)""" >+ return "cn=%s%s,cn=groups,%s" % (self.group_prefix_students, self.school, self.schoolDN) >+ >+ @property > def teachers(self): >+ """cn=lehrer,cn=users,<ou dn>""" > return "cn=%s,cn=users,%s" % (self._containerTeachers, self.schoolDN) > > @property >+ def teachers_group(self): >+ """cn=lehrer,cn=groups,<ou dn>""" >+ return "cn=%s,cn=groups,%s" % (self._containerTeachers, self.schoolDN) >+ >+ @property >+ def teachers_ou_group(self): >+ """cn=lehrer-%(ou)s,cn=groups,<ou dn> (ou already replaced)""" >+ return "cn=%s%s,cn=groups,%s" % (self.group_prefix_teachers, self.school, self.schoolDN) >+ >+ @property > def teachersAndStaff(self): >+ """cn=lehrer und mitarbeiter,cn=users,<ou dn>""" > return "cn=%s,cn=users,%s" % (self._containerTeachersAndStaff, self.schoolDN) > > @property > def staff(self): >+ """cn=mitarbeiter,cn=users,<ou dn>""" > return "cn=%s,cn=users,%s" % (self._containerStaff, self.schoolDN) > > @property >+ def staff_group(self): >+ """cn=mitarbeiter,cn=groups,<ou dn>""" >+ return "cn=%s,cn=groups,%s" % (self._containerStaff, self.schoolDN) >+ >+ @property >+ def staff_ou_group(self): >+ """cn=mitarbeiter-%(ou)s,cn=groups,<ou dn> (ou already replaced)""" >+ return "cn=%s%s,cn=groups,%s" % (self.group_prefix_staff, self.school, self.schoolDN) >+ >+ @property > def admins(self): >+ """cn=admins,cn=users,<ou dn>""" > return "cn=%s,cn=users,%s" % (self._containerAdmins, self.schoolDN) > > @property >+ def admin_group(self): >+ """cn=admins-%(ou)s,cn=ouadmins,cn=groups,<ou dn> (ou already replaced)""" >+ return 
"cn=%s%s,cn=ouadmins,cn=groups,%s" % (self.group_prefix_admins, self.school, self.schoolDN) >+ >+ @property > def classShares(self): > return "cn=%s,cn=shares,%s" % (self._containerClass, self.schoolDN) 
> >@@ -304,28 +379,72 @@ > > @property > def educationalDCGroup(self): >- return "cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase) >+ """deprecated, please use educational_ou_dc_group""" >+ return self.educational_ou_dc_group > > @property > def educationalMemberGroup(self): >- return "cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase) >+ """deprecated, please use educational_ou_member_group""" >+ return self.educational_ou_member_group > > @property > def administrativeDCGroup(self): >- return "cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase) >+ """deprecated, please use administrative_ou_dc_group""" >+ return self.administrative_ou_dc_group > > @property > def administrativeMemberGroup(self): >- return "cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase) >+ """deprecated, please use administrative_ou_member_group""" >+ return self.administrative_ou_member_group > > @property >+ def administrative_dc_group(self): >+ """cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base>""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_dc, self._ldapBase) >+ >+ @property >+ def administrative_member_group(self): >+ """cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base>""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_member, self._ldapBase) >+ >+ @property >+ def educational_dc_group(self): >+ """cn=DC-Edukativnetz,cn=ucsschool,cn=groups,<ldap base>""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_dc, self._ldapBase) >+ >+ @property >+ def educational_member_group(self): >+ """cn=Member-Edukativnetz,cn=ucsschool,cn=groups,<ldap base>""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_member, self._ldapBase) >+ >+ @property >+ def educational_ou_dc_group(self): >+ """cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,<ldap base> (ou 
already replaced)""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_dc, self._ldapBase) >+ >+ @property >+ def educational_ou_member_group(self): >+ """cn=OU%(ou)s-Member-Edukativnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_member, self._ldapBase) >+ >+ @property >+ def administrative_ou_dc_group(self): >+ """cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_dc, self._ldapBase) >+ >+ @property >+ def administrative_ou_member_group(self): >+ """cn=OU%(ou)s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)""" >+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_member, self._ldapBase) >+ >+ @property > def examGroupName(self): >- # replace '%(ou)s' strings in generic exam_group_name >- ucr_value_keywords = {'ou': self.school} >- return self._examGroupNameTemplate % ucr_value_keywords >+ """OU%(ou)s-Klassenarbeit (only name, not a DN, ou already replaced)""" >+ return self._examGroupName > > @property > def examGroup(self): >+ """cn=OU%(ou)s-Klassenarbeit,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)""" > return "cn=%s,cn=ucsschool,cn=groups,%s" % (self.examGroupName, self._ldapBase) > > def isWorkgroup(self, groupDN): >Index: ucs-school-lib/shell/base.sh >=================================================================== >--- ucs-school-lib/shell/base.sh (Revision 76600) >+++ ucs-school-lib/shell/base.sh (Arbeitskopie) >@@ -110,7 +110,7 @@ > # > # $ servers_school_ous -h $(ucr get ldap/master) -p $(ucr get ldap/master/port) > # ou=bar,dc=example,dc=com >- local ldap_hostdn ldap_base ldap_server ldap_port IFS >+ local ldap_hostdn ldap_base ldap_server ldap_port IFS res > . /usr/share/univention-lib/ucr.sh > > ldap_base="$(/usr/sbin/univention-config-registry get ldap/base)" 
>@@ -140,10 +140,9 @@ > res="" > for oudn in $(univention-ldapsearch $ldap_server $ldap_port -xLLL -b "$ldap_base" 'objectClass=ucsschoolOrganizationalUnit' dn | ldapsearch-wrapper | sed -nre 's/^dn: //p') ; do > ouname="$(school_ou "$oudn")" >- if is_ucr_true ucsschool/singlemaster; then >- search_str="(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))" >- else >- search_str="(&(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))(uniqueMember=${ldap_hostdn}))" >+ search_str="(|(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc ${ouname}))(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc OU${ouname})))" >+ if ! is_ucr_true ucsschool/singlemaster; then >+ search_str="(&${search_str}(uniqueMember=${ldap_hostdn}))" > fi > if univention-ldapsearch $ldap_server $ldap_port -xLLL "$search_str" dn | grep -q "^dn: "; then > res="$res 
>@@ -152,3 +151,92 @@ > done > echo -n "${res}" | egrep -v "^\s*$" > } >+ >+replace_ou() { >+ # syntax: replace_ou <template> <ou> >+ # >+ # Replace '%(ou)s' in <template> with <ou> >+ # >+ # example: >+ # $ replace_ou "OU%(ou)s-DC-Edukativnetz" "myschool" >+ # "OUmyschool-DC-Edukativnetz >+ if [ "$#" != 2 ]; then >+ echo "syntax: replace_ou <template> <ou>" >+ return 1 >+ fi >+ echo -n "$1" | sed "s/%(ou)s/$2/" >+} >+ >+ucr_names_default() { >+ # syntax: ucr_names_default <ucr> [ou] >+ # >+ # Get UCR value or default, optionally replace '%(ou)s'. >+ # >+ # example: >+ # $ ucr_names_default "ucsschool/ldap/default/container/pupils" >+ # "schueler >+ # $ ucr_names_default "ucsschool/ldap/default/groupname/ou-administrativ-dc" "myschool" >+ # "OUmyschool-DC-Verwaltungsnetz" >+ local res >+ >+ if [ "$#" -lt 1 -o "$#" -gt 2 ]; then >+ echo "syntax: ucr_names_default <ucr> [ou]" >+ return 1 >+ fi >+ if [ $(echo -n "$1" | cut -f 1-3 -d '/') != 'ucsschool/ldap/default' ]; then >+ echo "<ucr> must be a UCR variable from ucsschool/ldap/default/*/*" >+ return 1 >+ fi >+ >+ # >+ # When adding/updating UCRV defaults, also add/update them in python/schoolldap.py. 
>+ # >+ >+ res="$(ucr get $1)" >+ if [ -z "$res" ]; then >+ case "$1" in >+ # containers >+ 'ucsschool/ldap/default/container/admins') res='admins';; >+ 'ucsschool/ldap/default/container/pupils') res='schueler';; >+ 'ucsschool/ldap/default/container/staff') res='mitarbeiter';; >+ 'ucsschool/ldap/default/container/teachers-and-staff') res='lehrer und mitarbeiter';; >+ 'ucsschool/ldap/default/container/teachers') res='lehrer';; >+ 'ucsschool/ldap/default/container/class') res='klassen';; >+ 'ucsschool/ldap/default/container/rooms') res='raeume';; >+ 'ucsschool/ldap/default/container/exam') res='examusers';; >+ # group names >+ 'ucsschool/ldap/default/groupname/exam') res='OU%(ou)%s-Klassenarbeit';; >+ 'ucsschool/ldap/default/groupname/all-administrativ-dc') res='DC-Verwaltungsnetz';; >+ 'ucsschool/ldap/default/groupname/all-administrativ-member') res='Member-Verwaltungsnetz';; >+ 'ucsschool/ldap/default/groupname/all-educational-dc') res='DC-Edukativnetz';; >+ 'ucsschool/ldap/default/groupname/all-educational-member') res='Member-Edukativnetz';; >+ 'ucsschool/ldap/default/groupname/ou-administrativ-dc') res='OU%(ou)s-DC-Verwaltungsnetz';; >+ 'ucsschool/ldap/default/groupname/ou-administrativ-member') res='OU%(ou)s-Member-Verwaltungsnetz';; >+ 'ucsschool/ldap/default/groupname/ou-educational-dc') res='OU%(ou)s-DC-Edukativnetz';; >+ 'ucsschool/ldap/default/groupname/ou-educational-member') res='OU%(ou)s-Member-Edukativnetz';; >+ # group prefixes >+ 'ucsschool/ldap/default/groupprefix/pupils') res='schueler-';; >+ 'ucsschool/ldap/default/groupprefix/teachers') res='lehrer-';; >+ 'ucsschool/ldap/default/groupprefix/admins') res='admins-';; >+ 'ucsschool/ldap/default/groupprefix/staff') res='mitarbeiter-';; >+ # user prefix >+ 'ucsschool/ldap/default/userprefix/exam') res='exam-';; >+ # share/directory names >+ 'ucsschool/ldap/default/share/class') res='klassen';; >+ 'ucsschool/ldap/default/share/pupils') res='schueler';; >+ 'ucsschool/ldap/default/share/teachers') 
res='lehrer';; >+ 'ucsschool/ldap/default/share/exams') res='Klassenarbeiten';; >+ 'ucsschool/import/generate/share/marktplatz/name') res='Marktplatz';; >+ esac >+ fi >+ if [ -z "$res" ]; then >+ echo "Error: Unknown UCR $1." >+ return 1 >+ fi >+ >+ if [ -z "$2" ]; then >+ echo -n "$res" >+ else >+ replace_ou "$res" "$2" >+ fi >+} >Index: ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst >=================================================================== >--- ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst (Revision 76600) >+++ ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst (Arbeitskopie) >@@ -32,9 +32,12 @@ > VERSION="1" > > . /usr/share/univention-join/joinscripthelper.lib >+. /usr/share/ucs-school-lib/base.sh >+ > joinscript_init > > eval "$(univention-config-registry shell)" >+share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)" > > # samba 4 netlogon share > myrealm=$(echo $kerberos_realm | awk '{print tolower($0)}') >@@ -43,9 +46,9 @@ > fi > > univention-config-registry set \ >- ucsschool/userlogon/commonshares?"Marktplatz" \ >- ucsschool/userlogon/commonshares/server/Marktplatz?"$hostname" \ >- ucsschool/userlogon/commonshares/letter/Marktplatz?"M" \ >+ ucsschool/userlogon/commonshares?"$share_name" \ >+ "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \ >+ "ucsschool/userlogon/commonshares/letter/$share_name?M" \ > ucsschool/userlogon/classshareletter?"K" \ > ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs' > >Index: ucs-school-netlogon-user-logonscripts/debian/control >=================================================================== >--- ucs-school-netlogon-user-logonscripts/debian/control (Revision 76600) >+++ ucs-school-netlogon-user-logonscripts/debian/control (Arbeitskopie) 
>@@ -13,6 +13,7 @@ > univention-directory-listener, > ucs-school-netlogon, > shell-univention-lib, >+ shell-ucs-school, > univention-config > Description: UCS@school userspecific netlogon scripts > This package provides a listener-module that creates >Index: ucs-school-netlogon-user-logonscripts/debian/ucs-school-netlogon-user-logonscripts.postinst >=================================================================== >--- ucs-school-netlogon-user-logonscripts/debian/ucs-school-netlogon-user-logonscripts.postinst (Revision 76600) >+++ ucs-school-netlogon-user-logonscripts/debian/ucs-school-netlogon-user-logonscripts.postinst (Arbeitskopie) >@@ -33,14 +33,16 @@ > #DEBHELPER# > > . /usr/share/univention-lib/all.sh >+. /usr/share/ucs-school-lib/base.sh > > eval "$(ucr shell)" >+share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)" > > univention-config-registry set \ > samba/homedirletter?I \ >- ucsschool/userlogon/commonshares?"Marktplatz" \ >- ucsschool/userlogon/commonshares/server/Marktplatz?"$hostname" \ >- ucsschool/userlogon/commonshares/letter/Marktplatz?"M" \ >+ ucsschool/userlogon/commonshares?"$share_name" \ >+ "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \ >+ "ucsschool/userlogon/commonshares/letter/$share_name?M" \ > ucsschool/userlogon/classshareletter?"K" \ > ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs' \ > ucsschool/userlogon/myshares/enabled?no >Index: ucs-school-umc-computerroom/umc/python/computerroom/__init__.py >=================================================================== >--- ucs-school-umc-computerroom/umc/python/computerroom/__init__.py (Revision 76600) >+++ ucs-school-umc-computerroom/umc/python/computerroom/__init__.py (Arbeitskopie) 
>@@ -700,7 +700,7 @@ > vset[vunset[-1]] = shareMode > vextract.append('samba/othershares/hosts/deny') > vappend[vextract[-1]] = hosts >- vextract.append('samba/share/Marktplatz/hosts/deny') >+ vextract.append('samba/share/{}/hosts/deny'.format(School.get_search_base(self._italc.school).share_name_marktplatz)) > vappend[vextract[-1]] = hosts > else: > vunset_now.append('samba/sharemode/room/%s' % self._italc.room) >Index: ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py >=================================================================== >--- ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py (Revision 76600) >+++ ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py (Arbeitskopie) >@@ -126,7 +126,7 @@ > firstname = firstname[:5] + '.' > > username = firstname + lastname[:5] >- maxlength = 20 - len(ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')) >+ maxlength = 20 - len(self.get_search_base(self.school).user_prefix_exam) > return replace_invalid_chars(username[:maxlength]) > > @classmethod >Index: ucs-school-umc-exam/debian/control >=================================================================== >--- ucs-school-umc-exam/debian/control (Revision 76600) >+++ ucs-school-umc-exam/debian/control (Arbeitskopie) >@@ -31,6 +31,7 @@ > python-ucs-school, > ucs-school-import, > shell-univention-lib, >+ shell-ucs-school, > univention-ldap-config (>= 9.0.27-3), > Description: UMC module delivering backend services for ucs-school-umc-exam > UMC module delivering backend services for ucs-school-umc-exam >Index: ucs-school-umc-exam/hooks/ou_create_post.d/60schoolexam-master >=================================================================== >--- ucs-school-umc-exam/hooks/ou_create_post.d/60schoolexam-master (Revision 76600) >+++ ucs-school-umc-exam/hooks/ou_create_post.d/60schoolexam-master (Arbeitskopie) 
>@@ -35,6 +35,7 @@ > [ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1 > > . /usr/share/univention-lib/ucr.sh >+. /usr/share/ucs-school-lib/base.sh > > eval "$(ucr shell)" > >@@ -43,20 +44,13 @@ > district=",ou=${ou:0:2}" > fi > >-examusers="$ucsschool_ldap_default_container_exam" >-if [ -z "$examusers" ] ; then >- examusers='examusers' >-fi >+examusers="$(ucr_names_default ucsschool/ldap/default/container/exam)" > > udm container/cn create --ignore_exists \ > --position "ou=${ou}${district},${ldap_base}" \ > --set name="${examusers}" \ > >-examgroupname="$ucsschool_ldap_default_groupname_exam" >-if [ -z "$examgroupname" ] ; then >- examgroupname='OU%(ou)s-Klassenarbeit' >-fi >-ou_specific_examgroupname=$(python -c "print '$examgroupname' % {'ou': '$ou'}") >+ou_specific_examgroupname="$(ucr_names_default ucsschool/ldap/default/groupname/exam)" > > udm groups/group create --ignore_exists \ > --position "cn=ucsschool,cn=groups,${ldap_base}" \ >Index: ucs-school-umc-exam/share/exam-and-room-cleanup >=================================================================== >--- ucs-school-umc-exam/share/exam-and-room-cleanup (Revision 76600) >+++ ucs-school-umc-exam/share/exam-and-room-cleanup (Arbeitskopie) >@@ -39,7 +39,7 @@ > import univention.config_registry > import univention.uldap > import univention.admin.uldap >-from ucsschool.lib.schoolldap import SchoolSearchBase >+from ucsschool.lib.models import ExamStudent > from univention.lib.umc_connection import UMCConnection > from univention.admin.uexceptions import noObject > from ldap.filter import escape_filter_chars >@@ -59,7 +59,6 @@ > self.hostname = self.ucr.get('hostname') > self.umcp = self.get_UMCP_connection() > self.lo = self.get_LDAP_connection() >- self.exam_prefix = self.ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-') > self.DIR_ROOMS = '/var/cache/ucs-school-umc-computerroom' > self.DIR_EXAMS = self.ucr.get('ucsschool/exam/cache', '/var/lib/ucs-school-umc-schoolexam') 
> >@@ -143,9 +142,9 @@ > ou_list = self.lo.search(filter='(objectClass=ucsschoolOrganizationalUnit)') > for ou_dn, ou_attrs in ou_list: > ou_name = ou_attrs['ou'][0] >- searchbase = SchoolSearchBase([ou_name], dn=ou_dn) >+ exam_prefix = ExamStudent.get_search_base(ou_name).user_prefix_exam > try: >- userlist = mod_user.lookup({}, lo, 'uid=%s*' % (escape_filter_chars(self.exam_prefix),), base=searchbase.examUsers) >+ userlist = mod_user.lookup({}, lo, 'uid=%s*' % (escape_filter_chars(exam_prefix),), base=ExamStudent.get_container(ou_name)) > except noObject: > # no exam users container in this OU > continue >Index: ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py >=================================================================== >--- ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py (Revision 76600) >+++ ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py (Arbeitskopie) >@@ -39,6 +39,7 @@ > import traceback > import re > from ldap.filter import filter_format >+from ldap import explode_dn > > from univention.management.console.config import ucr > from univention.management.console.log import MODULE >@@ -61,8 +62,6 @@ > def __init__(self): > SchoolBaseModule.__init__(self) > >- self._examUserPrefix = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-') >- > # cache objects > self._udm_modules = dict() > self._examGroup = None 
>@@ -104,9 +103,8 @@ > def examUserContainerDN(self, ldap_admin_write, ldap_position, school): > '''lookup examUserContainerDN, create it if missing''' > if not self._examUserContainerDN: >- search_base = School.get_search_base(school) >- examUsers = search_base.examUsers >- examUserContainerName = search_base._examUserContainerName >+ examUsers = ExamStudent.get_container(school) >+ examUserContainerName = explode_dn(ExamStudent.get_search_base(school).examUsers, True)[0] > try: > ldap_admin_write.searchDn('(objectClass=organizationalRole)', examUsers, scope='base') > except univention.admin.uexceptions.noObject: >@@ -151,7 +149,8 @@ > user_orig = user.get_udm_object(ldap_admin_write) > > # uid and DN of exam_user >- exam_user_uid = "".join((self._examUserPrefix, user_orig['username'])) >+ exam_user_prefix = ExamStudent.get_search_base(school).user_prefix_exam >+ exam_user_uid = "".join((exam_user_prefix, user_orig['username'])) > exam_user_dn = "uid=%s,%s" % (exam_user_uid, self.examUserContainerDN(ldap_admin_write, ldap_position, user.school or school)) > > try: >Index: ucs-test-ucsschool/90_ucsschool/07_printermoderation_check >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/07_printermoderation_check (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/07_printermoderation_check (Arbeitskopie) >@@ -21,6 +21,7 @@ > import univention.testing.udm > import univention.testing.utils as utils > from univention.testing.umc2 import Client >+from ucsschool.lib.models import SchoolClass > > > def _dir(userName): >@@ -95,10 +96,7 @@ > # get the current printed jobs > def queryPrintJobs(connection, printerName, cName, school, pattern, basedn): > if cName != 'None': >- cdn = 'cn=%s,cn=klassen,cn=schueler,cn=groups,ou=%s,%s' % ( >- cName, >- school, >- basedn) >+ cdn = SchoolClass(school=school, name=cName).dn > else: > cdn = cName > param = {'school': school, 'class': cdn, 'pattern': pattern} 
>@@ -166,12 +164,12 @@ > klasse1_dn = udm.create_object( > 'groups/group', > name='%s-1A' % school, >- position="cn=klassen,cn=schueler,cn=groups,%s" % oudn >+ position=SchoolClass.get_container(oudn) > ) > klasse2_dn = udm.create_object( > 'groups/group', > name='%s-2B' % school, >- position="cn=klassen,cn=schueler,cn=groups,%s" % oudn >+ position=SchoolClass.get_container(school) > ) > tea, teadn = schoolenv.create_user(school, is_teacher=True) > stu1, stu1_dn = schoolenv.create_user(school) >Index: ucs-test-ucsschool/90_ucsschool/101_exam_mode >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/101_exam_mode (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/101_exam_mode (Arbeitskopie) >@@ -14,7 +14,7 @@ > import univention.testing.ucsschool as utu > import univention.testing.udm > import univention.testing.strings as uts >-from ucsschool.lib.models import Student >+from ucsschool.lib.models import SchoolClass, Student > > > def main(): >@@ -32,7 +32,7 @@ > else: > edudc = ucr.get('hostname') > school, oudn = schoolenv.create_ou(name_edudc=edudc) >- klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn) >+ klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position=SchoolClass.get_container(school)) > > tea, teadn = schoolenv.create_user(school, is_teacher=True) > stu, studn = schoolenv.create_user(school) >Index: ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members (Arbeitskopie) 
>@@ -16,7 +16,7 @@ > import univention.testing.udm > import univention.testing.utils as utils > import univention.testing.strings as uts >-from ucsschool.lib.models import Student >+from ucsschool.lib.models import ExamStudent, SchoolClass, Student > > > def main(): >@@ -31,7 +31,11 @@ > else: > edudc = ucr.get('hostname') > school, oudn = schoolenv.create_ou(name_edudc=edudc) >- klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn) >+ klasse_dn = udm.create_object( >+ 'groups/group', >+ name='%s-AA1' % school, >+ position=SchoolClass.get_container(school) >+ ) > tea, teadn = schoolenv.create_user(school, is_teacher=True) > stu, studn = schoolenv.create_user(school) > student2 = Student( 
>@@ -68,17 +72,21 @@ > > try: > expected_memberUid = ["%s$" % pc2.name, "exam-%s" % stu, "exam-%s" % student2.name] >- expected_uniqueMember = ["%s" % pc2.dn, "uid=exam-%s,cn=examusers,%s" % (stu, oudn), "uid=exam-%s,cn=examusers,%s" % (student2.name, oudn)] >+ expected_uniqueMember = [ >+ pc2.dn, >+ ExamStudent(school=school, name=stu).dn, >+ ExamStudent(school=school, name=student2.name).dn >+ ] > > # Get the current attributes values > lo = getMachineConnection() >- exam_group_dn = "cn=OU%s-Klassenarbeit,cn=ucsschool,cn=groups,%s" % (school, ucr.get('ldap/base')) >+ exam_group_dn = ExamStudent.get_search_base(school).examGroup > memberUid = lo.search(base=exam_group_dn)[0][1].get('memberUid') > uniqueMember = lo.search(base=exam_group_dn)[0][1].get('uniqueMember') > >- if (set(memberUid) != set(expected_memberUid)): >+ if set(memberUid) != set(expected_memberUid): > utils.fail("Current memberUid = %r\nExpected = %r" % (memberUid, expected_memberUid)) >- if (set(uniqueMember) != set(expected_uniqueMember)): >+ if set(uniqueMember) != set(expected_uniqueMember): > utils.fail("Current uniqueMember = %r\nExpected= %r" % (uniqueMember, expected_uniqueMember)) > > finally: >Index: ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings (Arbeitskopie) >@@ -18,7 +18,7 @@ > import univention.testing.ucsschool as utu > import univention.testing.udm > import univention.testing.strings as uts >-from ucsschool.lib.models import Student >+from ucsschool.lib.models import SchoolClass, Student > > > def main(): 
>@@ -37,7 +37,7 @@ > edudc = ucr.get('hostname') > > school, oudn = schoolenv.create_ou(name_edudc=edudc) >- klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn) >+ klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position=SchoolClass.get_container(school)) > > tea, teadn = schoolenv.create_user(school, is_teacher=True) > stu, studn = schoolenv.create_user(school) >Index: ucs-test-ucsschool/90_ucsschool/102_rename_class >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/102_rename_class (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/102_rename_class (Arbeitskopie) >@@ -16,7 +16,9 @@ > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu > import univention.testing.utils as utils >+from ucsschool.lib.models import ClassShare, SchoolClass > >+ > BACKUP_PATH = '/home/backup/groups' 
> > >@@ -46,17 +48,16 @@ > > > def share_dn(class_name, school): >- with ucr_test.UCSTestConfigRegistry() as ucr: >- return 'cn=%s,cn=klassen,cn=shares,ou=%s,%s' % (class_name, school, ucr.get('ldap/base')) >+ return ClassShare(school=school, name=class_name).dn > > > def class_dn(class_name, school): >- with ucr_test.UCSTestConfigRegistry() as ucr: >- return 'cn=%s,cn=klassen,cn=schueler,cn=groups,ou=%s,%s' % (class_name, school, ucr.get('ldap/base')) >+ return SchoolClass(school=school, name=class_name).dn > > > def share_path(class_name, school): >- path = '/home/%s/groups/klassen/%s' % (school, class_name) >+ sc = SchoolClass(school=school, name=class_name) >+ path = ClassShare(school=school, name=class_name, school_group=sc).get_share_path() > if os.path.exists(path): > return path > >Index: ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users (Arbeitskopie) >@@ -10,6 +10,7 @@ > import ldap > import univention.testing.ucr as ucr_test > import univention.testing.utils as utils >+from ucsschool.lib.models import Group > > > def main(): >@@ -38,7 +39,7 @@ > utils.fail('Attribute %s was not found in ldap object %r' % ( > 'univentionPolicyReference', base)) > except ldap.NO_SUCH_OBJECT as e: >- if "cn=groups,%s" % (schoolenv.get_ou_base_dn(school),) in str(e): >+ if Group.get_container(school) in str(e): > print ('* Cought an expected exception: %r' % e) > else: > utils.fail('Unexpected Exception: %r' % e) >Index: ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares (Arbeitskopie) 
>@@ -19,7 +19,7 @@ > for share in Share.get_all(lo, school.name): > share_udm = share.get_udm_object(lo) > if "nfs" in share_udm.options: >- if share.name in ["Marktplatz", "iTALC-Installation"]: >+ if share.name in [Share.get_search_base(school).share_name_marktplatz, "iTALC-Installation"]: > print("*** Ignoring //{}/{} (Bug #42514)".format(school.name, share.name)) > else: > nfs_shares.append((school.name, share.name)) >Index: ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record (Arbeitskopie) >@@ -135,7 +135,7 @@ > position="cn=dc,cn=server,cn=computers,%s" % (school.dn,), > domain=ucr.get('domainname'), > service=("S4 SlavePDC", _local_ucsschool_service), >- groups=("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr) >+ groups=(school.get_search_base(school.name).educational_dc_group) > ) > > positive_test_fqdn = ".".join((positive_test_hostname, ucr.get('domainname'))) >@@ -148,7 +148,7 @@ > position="cn=dc,cn=server,cn=computers,%s" % (school.dn,), > domain=ucr.get('domainname'), > service=("S4 SlavePDC", _not_local_ucsschool_service), >- groups=("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr) >+ groups=(school.get_search_base(school.name).educational_dc_group) > ) > > negative_test_fqdn = ".".join((negative_test_hostname, ucr.get('domainname'))) >Index: ucs-test-ucsschool/90_ucsschool/19_available_umc_modules >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/19_available_umc_modules (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/19_available_umc_modules (Arbeitskopie) 
>@@ -9,7 +9,7 @@ > import univention.testing.ucsschool as utu > import univention.testing.udm as udm_test > import univention.testing.utils as utils >- >+from ucsschool.lib.models import School > from univention.testing.umc2 import Client > > >@@ -146,8 +146,9 @@ > utils.wait_for_replication_and_postrun() > > basedn = ucr.get('ldap/base') >- position = 'cn=admins,cn=users,ou=%s,%s' % (school, basedn) >- groups = ["cn=admins-%s,cn=ouadmins,cn=groups,%s" % (school, basedn)] >+ search_base = School.get_search_base(school) >+ position = search_base.admins >+ groups = [search_base.admin_group] > dn, schooladmin = udm.create_user(position=position, groups=groups) > groups = ["cn=Domain Admins,cn=groups,%s" % (basedn,)] > dn, domainadmin = udm.create_user(position=position, groups=groups) >Index: ucs-test-ucsschool/90_ucsschool/213_import-users_modify_with_several_groups >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/213_import-users_modify_with_several_groups (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/213_import-users_modify_with_several_groups (Arbeitskopie) >@@ -12,6 +12,7 @@ > import univention.testing.utils as utils > from essential.importusers_cli_v2 import CLI_Import_v2_Tester > from essential.importusers import Person >+from ucsschool.lib.models import SchoolClass, WorkGroup > > > class Test(CLI_Import_v2_Tester): 
>@@ -39,10 +40,10 @@ > self.log.debug('*** Creating groups...') > global_group_dn, global_group_name = self.udm.create_group() > workgroup_A_dn, workgroup_A_name = self.udm.create_group( >- position='cn=schueler,cn=groups,%s' % (self.ou_A.dn,), >+ position=WorkGroup.get_container(self.ou_A.name), > name="{}-{}".format(self.ou_A.name, uts.random_groupname())) > class_A_dn, class_A_name = self.udm.create_group( >- position='cn=klassen,cn=schueler,cn=groups,%s' % (self.ou_A.dn,), >+ position=SchoolClass.get_container(self.ou_A.name), > name="{}-{}".format(self.ou_A.name, uts.random_groupname())) > cn_A_dn = self.udm.create_object('container/cn', position=self.ou_A.dn, name='kurs-%s' % uts.random_string()) > extra_A_group1_dn, extra_A_group1_name = self.udm.create_group(position=cn_A_dn) >@@ -51,10 +52,10 @@ > name="{}-{}".format(self.ou_A.name, uts.random_groupname())) > > workgroup_B_dn, workgroup_B_name = self.udm.create_group( >- position='cn=schueler,cn=groups,%s' % (self.ou_B.dn,), >+ position=WorkGroup.get_container(self.ou_B.name), > name="{}-{}".format(self.ou_B.name, uts.random_groupname())) > class_B_dn, class_B_name = self.udm.create_group( >- position='cn=klassen,cn=schueler,cn=groups,%s' % (self.ou_B.dn,), >+ position=SchoolClass.get_container(self.ou_B.name), > name="{}-{}".format(self.ou_B.name, uts.random_groupname())) > cn_B_dn = self.udm.create_object('container/cn', position=self.ou_B.dn, name='kurs-%s' % uts.random_string()) > extra_B_group1_dn, extra_B_group1_name = self.udm.create_group(position=cn_B_dn) >Index: ucs-test-ucsschool/90_ucsschool/214_import-users_empty_class_column >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/214_import-users_empty_class_column (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/214_import-users_empty_class_column (Arbeitskopie) 
>@@ -13,6 +13,7 @@ > import univention.testing.utils as utils > from essential.importusers_cli_v2 import CLI_Import_v2_Tester > from essential.importusers import Person >+from ucsschool.lib.models import SchoolClass > > > class Test(CLI_Import_v2_Tester): >@@ -45,7 +46,7 @@ > > def create_user_w_two_classes(record_uid, source_uid, same_ou=True): > cls1_dn, cls1_name = self.udm.create_group( >- position='cn=klassen,cn=schueler,cn=groups,%s' % (self.ou_A.dn,), >+ position=SchoolClass.get_container(self.ou_A.name), > name="{}-{}".format(self.ou_A.name, uts.random_groupname())) > if same_ou: > dn = self.ou_A.dn >@@ -56,7 +57,7 @@ > name = self.ou_B.name > school = sorted([self.ou_A.name, self.ou_B.name])[0] > cls2_dn, cls2_name = self.udm.create_group( >- position='cn=klassen,cn=schueler,cn=groups,%s' % (dn,), >+ position=SchoolClass.get_container(name), > name="{}-{}".format(name, uts.random_groupname())) > person = Person(school, role) > person.update(record_uid=record_uid, source_uid=source_uid, username=uts.random_username()) >Index: ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference (Arbeitskopie) >@@ -11,6 +11,7 @@ > from essential.computerroom import Room, Computers, add_printer, remove_printer, clean_folder > from essential.internetrule import InternetRule > from essential.workgroup import Workgroup >+from ucsschool.lib.models import Share > from univention.testing.umc2 import Client > from univention.testing.network import NetworkRedirector > import datetime 
>@@ -113,7 +114,7 @@ > room1.check_behavior(room1_old_settings, room1_new_settings, tea, computers_ips[1], printer_name, white_page, global_domains, ucr) > # For DEBUG purposes > # run_commands([['ucr', 'search', room1.name], ['ucr','search', room2.name], ['atq']], {}) >- clean_folder('/home/gsmitte/groups/Marktplatz/') >+ clean_folder('/home/gsmitte/groups/{}/'.format(Share.get_search_base(school).share_name_marktplatz)) > clean_folder('/home/%s/lehrer/%s/' % (school, tea)) > # TODO Exception Errno4 > except ConnectorError as e: >Index: ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create (Arbeitskopie) >@@ -8,7 +8,7 @@ > ## - ucs-school-master | ucs-school-singlemaster > > import pytest >- >+from ucsschool.lib.models import Group > import univention.testing.ucr as ucr_test > import univention.testing.utils as utils > import univention.testing.strings as uts >@@ -31,6 +31,14 @@ > assert connection.umc_command('schoolwizards/schools/create', jsonargs, 'schoolwizards/schools').result[0] is True > > >+def grp_dns(ou_name, edu=True): >+ search_base = Group.get_search_base(ou_name) >+ if edu: >+ return [search_base.educational_ou_dc_group, search_base.educational_dc_group] >+ else: >+ return [search_base.administrative_ou_dc_group, search_base.administrative_dc_group] >+ >+ > def main(): > remove_ous = [] > testschool = UCSTestSchool() 
>@@ -47,8 +55,7 @@ > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=False) > else: > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > msg = 'new random OU, new random DC' >@@ -59,8 +66,7 @@ > schoolwizards_schools_create(ou_name, dc_name) > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > msg = 'new random OU, existing DC in other OU' >@@ -70,8 +76,7 @@ > schoolwizards_schools_create(ou_name, dc_name) > # reusing first DC > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > msg = 'new random OU with existing DC in cn=computers,BASEDN' 
>@@ -90,8 +95,7 @@ > schoolwizards_schools_create(ou_name, dc_name) > > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > msg = 'new random OU, new random DC and then try to add a second new random DC' >@@ -102,8 +106,7 @@ > schoolwizards_schools_create(ou_name, dc_name) > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > dc_name = uts.random_string() >@@ -111,8 +114,7 @@ > schoolwizards_schools_create(ou_name, dc_name) > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > msg = 'new random OU, new random administrative DC' 
>@@ -125,11 +127,9 @@ > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name, False): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True) > > msg = 'new random OU, new random educational DC and then try to add a second new random administrative DC' >@@ -140,8 +140,7 @@ > schoolwizards_schools_create(ou_name, dc_name) > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) > > dc_name_administrative = uts.random_string() 
>@@ -149,11 +148,9 @@ > schoolwizards_schools_create(ou_name, dc_name, dc_name_administrative) > dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name, False): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True) > > msg = 'new random OU with existing administrative DC in cn=computers,BASEDN' 
>@@ -174,11 +171,9 @@ > > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name)) > utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True) >- for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ): >- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')} >+ for grp_dn in grp_dns(ou_name, False): > utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True) > > finally: >Index: ucs-test-ucsschool/90_ucsschool/41_create_marktplatz_share >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/41_create_marktplatz_share (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/41_create_marktplatz_share (Arbeitskopie) >@@ -1,14 +1,15 @@ > #!/usr/share/ucs-test/runner python > ## -*- coding: utf-8 -*- >-## desc: computerroom module settings checks >+## desc: check marktplatz creation > ## roles: [domaincontroller_master] > ## tags: [apptest,ucsschool] > ## exposure: dangerous > ## packages: [ucs-school-umc-computerroom] >-## bugs: [40785] >+## bugs: [40785, 41231] > > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu >+import univention.testing.strings as uts > from univention.testing import utils > from univention.config_registry import handler_set, handler_unset 
> >@@ -15,17 +16,28 @@ > > def main(): > with utu.UCSTestSchool() as schoolenv, ucr_test.UCSTestConfigRegistry() as ucr: >- for should_exist, variable in [(False, None), (True, 'yes'), (False, 'no')]: >+ for should_exist, variable, name in [(False, None, ''), (True, 'yes', 'Marktplatz'), (True, 'yes', uts.random_name()), (False, 'no', '')]: > if variable is None: > handler_unset(['ucsschool/import/generate/share/marktplatz']) > else: >+ print '### Setting ucsschool/import/generate/share/marktplatz=%s.' % variable > handler_set(['ucsschool/import/generate/share/marktplatz=%s' % (variable,)]) > > print '### Creating school. Expecting Marktplatz to exists = %r' % (should_exist,) >+ if should_exist: >+ if name: >+ print '### Setting share name to %r.' % name >+ handler_set(['ucsschool/import/generate/share/marktplatz/name={}'.format(name)]) >+ else: >+ print '### Not setting share name, should be "Marktplatz".' >+ handler_unset(['ucsschool/import/generate/share/marktplatz/name']) >+ > school, oudn = schoolenv.create_ou(name_edudc=ucr.get('hostname')) > utils.wait_for_replication() >- utils.verify_ldap_object('cn=Marktplatz,cn=shares,%s' % (oudn,), strict=True, should_exist=should_exist) >+ utils.verify_ldap_object( >+ 'cn={},cn=shares,{}'.format(name or 'Marktplatz', oudn), >+ strict=True, >+ should_exist=should_exist) > >- > if __name__ == '__main__': > main() >Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_admins >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_admins (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_admins (Arbeitskopie) >@@ -12,6 +12,7 @@ > from essential.schoolroom import ComputerRoom > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu >+from ucsschool.lib.models import ClassShare, Share > > > def main(): 
>@@ -52,11 +53,11 @@ > acl.assert_teacher_group('write') > acl.assert_student_group('write') > >- shares_dn = 'cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share.get_container(school) > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=Marktplatz,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=klassen,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = ClassShare.get_container(school) > acl.assert_shares(shares_dn, 'read') > > acl.assert_temps('write') >Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff (Arbeitskopie) >@@ -10,6 +10,7 @@ > from essential.acl import Acl > from essential.computerroom import Computers > from essential.schoolroom import ComputerRoom >+from ucsschool.lib.models import Share > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu 
> >@@ -50,7 +51,7 @@ > share_dn = open_ldap_co.searchDn(filter=filter_format('(&(objectClass=univentionShare)(cn=%s))', (class_name,)))[0] > acl.assert_share_object_access(share_dn, 'read', 'ALLOWED') > acl.assert_share_object_access(share_dn, 'write', 'DENIED') >- share_dn = 'cn=Marktplatz,cn=shares,%s' % (oudn,) >+ share_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn > acl.assert_share_object_access(share_dn, 'read', 'ALLOWED') > acl.assert_share_object_access(share_dn, 'write', 'DENIED') > >Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teacher_and_staff >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teacher_and_staff (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teacher_and_staff (Arbeitskopie) >@@ -12,6 +12,7 @@ > from essential.schoolroom import ComputerRoom > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu >+from ucsschool.lib.models import ClassShare, Share > > > def main(): 
>@@ -40,11 +41,11 @@ > acl.assert_teacher_group('write') > acl.assert_student_group('write') > >- shares_dn = 'cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share.get_container(school) > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=Marktplatz,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=klassen,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = ClassShare.get_container(school) > acl.assert_shares(shares_dn, 'read') > > acl.assert_temps('write') >Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teachers >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teachers (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teachers (Arbeitskopie) >@@ -12,6 +12,7 @@ > from essential.schoolroom import ComputerRoom > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu >+from ucsschool.lib.models import ClassShare, Share > > > def main(): 
>@@ -41,11 +42,11 @@ > > acl.assert_teacher_group('write') > >- shares_dn = 'cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share.get_container(school) > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=Marktplatz,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn > acl.assert_shares(shares_dn, 'write') >- shares_dn = 'cn=klassen,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school) >+ shares_dn = ClassShare.get_container(school) > acl.assert_shares(shares_dn, 'read') > > acl.assert_temps('write') >Index: ucs-test-ucsschool/90_ucsschool/76_ldap_acls >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/76_ldap_acls (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/76_ldap_acls (Arbeitskopie) >@@ -14,6 +14,7 @@ > from univention.uldap import getMachineConnection > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu >+from ucsschool.lib.models import Group, Policy > > > class FailAcl(Exception): 
>@@ -370,15 +371,18 @@ > room = ComputerRoom(school, host_members=computers_dns) > room.add() > >- room_container_dn = 'cn=raeume,cn=groups,%s' % school_dn >- shares_dn = 'cn=shares,%s' % school_dn >+ room_container_dn = ComputerRoom.get_container(school) > >- teacher_group2_dn = 'cn=lehrer-%s,cn=groups,%s' % (school, school_dn) >- student_group2_dn = 'cn=schueler-%s,cn=groups,%s' % (school, school_dn) >+ # unused? >+ # >+ # shares_dn = search_base.shares >+ # >+ # teacher_group2_dn = search_base.teachers_ou_group >+ # student_group2_dn = search_base.students_ou_group >+ # >+ # teacher_group_dn = search_base.teachers_group >+ # student_group_dn = search_base.students_group > >- teacher_group_dn = 'cn=lehrer,cn=groups,%s' % school_dn >- student_group_dn = 'cn=schueler,cn=groups,%s' % school_dn >- > gid_temp_dn = 'cn=gid,cn=temporary,cn=univention,%s' % base_dn > gidNumber_temp_dn = 'cn=gidNumber,cn=temporary,cn=univention,%s' % base_dn > sid_temp_dn = 'cn=sid,cn=temporary,cn=univention,%s' % base_dn >@@ -386,9 +390,9 @@ > mac_temp_dn = 'cn=mac,cn=temporary,cn=univention,%s' % base_dn > > global_univention_dn = 'cn=univention,%s' % base_dn >- global_policies_dn = 'cn=policies,%s' % base_dn >+ global_policies_dn = Policy.get_container(school) > global_dns_dn = 'cn=dns,%s' % base_dn >- global_groups_dn = 'cn=groups,%s' % base_dn >+ global_groups_dn = Group.get_container(school) > > dhcp_dn = 'cn=%s,cn=%s,cn=dhcp,%s' % (computers_hostnames[0], school, base_dn) > >Index: ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.61ucsschool_presettings >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.61ucsschool_presettings (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.61ucsschool_presettings (Arbeitskopie) 
>@@ -1,154 +1,189 @@ >+@!@ > # -*- coding: utf-8 -*- >+import re > >+ >+def replace_ucr_variables(template): >+ variable_token = re.compile('@[$]@') >+ >+ dir_ucsschool = { >+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'), >+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'), >+ 'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'), >+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'), >+ } >+ >+ while 1: >+ i = variable_token.finditer(template) >+ try: >+ start = i.next() >+ end = i.next() >+ name = template[start.end():end.start()] >+ >+ template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():] >+ except StopIteration: >+ break >+ >+ return template >+ >+ >+aclset += """ >+# -*- coding: utf-8 -*- >+ > # Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren > access to filter="(objectClass=sambaDomain)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave-Controller und Memberserver duerfen ausschliesslich den univention-Container replizieren > access to dn="cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller may replicate license container > access to dn.subtree="cn=license,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller duerfen custom attributes-Container und dessen Inhalt replizieren > access to dn.subtree="cn=custom attributes,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller benoetigen den Console-Container fuer die Berechtigungen an der Lehrerconsole > access to dn.subtree="cn=console,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read 
>+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller benoetigen den UMC-Container fuer die Berechtigungen an der Lehrerconsole > access to dn.subtree="cn=UMC,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # grant write access to domaincontroller slave/member server for certain univention app center settings > access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)" >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # grant read access to domaincontroller slave/member server for all other univention app center settings > access to dn.subtree="cn=apps,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > access to dn.subtree="cn=udm_module,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > access to dn.subtree="cn=udm_hook,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > access to dn.subtree="cn=udm_syntax,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > access to dn.subtree="cn=ldapacl,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > access to dn.subtree="cn=ldapschema,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by 
group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller und Member-Server benoetigen idmap-Container > access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave-Controller und Member-Server benoetigen ID-Mapping > access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))" >- by 
group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave-Controller und Memberserver duerfen samba-Container und dessen Inhalt replizieren > access to dn.subtree="cn=samba,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller needs the builtin groups > access to 
dn.subtree="cn=Builtin,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # sonst duerfen sie nichts aus cn=univention,BASEDN replizieren > access to dn.subtree="cn=univention,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * none break >+ >+""" >+ >+print replace_ucr_variables(aclset) 
>+@!@ >Index: ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.65ucsschool >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.65ucsschool (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.65ucsschool (Arbeitskopie) 
>@@ -13,18 +13,21 @@ > def replace_ucr_variables(template): > variable_token = re.compile('@[$]@') > >- dir_ucsschool = { } >- dir_ucsschool[ 'DISTRICT' ] = '' >- if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ): >- dir_ucsschool[ 'DISTRICT' ] = 'ou=[^,]+,' >- dir_ucsschool[ 'PUPILS' ] = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') >- dir_ucsschool[ 'TEACHERS' ] = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer') >- dir_ucsschool[ 'STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') >- dir_ucsschool[ 'TEACHERS-STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >- dir_ucsschool[ 'ADMINS' ] = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins') >- dir_ucsschool[ 'GRPADMINS' ] = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >+ dir_ucsschool = { >+ 'DISTRICT': 'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '', >+ 'PUPILS': configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'), >+ 'TEACHERS': configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'), >+ 'STAFF': configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'), >+ 'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'), >+ 'ADMINS': configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'), >+ 'GRPADMINS': configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'), >+ 'ROOMS': configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'), >+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'), >+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'), >+ 
'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'), >+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'), >+ } > >- > while 1: > i = variable_token.finditer(template) > try: >@@ -39,15 +42,14 @@ > return template > > >- >-if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ): >+if configRegistry.is_true('ucsschool/ldap/district/enable','no'): > aclset += """ > # DCs und Memberserver erhalten Lesezugriff auf das OU-Objekt selbst (im DISTRICT-Mode notwendig) > access to dn.regex="^ou=([^,]+),@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > """ 
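Review bot: the new `dir_ucsschool` entries (`'ROOMS'` through `'ALL_EDU_MEMBER'`) feed UCR values verbatim into ACL patterns with no validation, both into `dn.regex` rules (`cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),...`) and into `uniqueMember="cn=@$@ALL_ADM_DC@$@,..."` clauses. A value containing regex metacharacters or a comma changes what the regex rules match, and an explicitly empty value is returned as-is by `configRegistry.get()`, producing `cn=,cn=ucsschool,...`, which names no group and silently drops the replica servers to the `by * none break` fallback. Suggest rejecting empty values and applying `re.escape()` to the values substituted into `dn.regex` patterns (the `uniqueMember` group DNs are literal, so only the regex contexts need escaping).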
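Review bot: `if configRegistry.is_true('ucsschool/ldap/district/enable','no'):` keeps the `'no'` that was the default of the removed `.get()` call, while the `'DISTRICT'` entry in the previous hunk calls `is_true()` without it. The second positional argument of `is_true` is its own default, returned unchanged when the variable is unset; the string `'no'` is truthy, so an unset variable would append the DISTRICT-only ACL block. Use `configRegistry.is_true('ucsschool/ldap/district/enable')` here as well.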
>@@ -61,28 +63,28 @@ > > # Slave controllers and memberservers require write access to virtual machine manager objects > access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write > by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write > by * read break > > access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write > by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write > by * read break > > access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write > by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write > by * read break 
>@@ -89,18 +91,18 @@ > > # Slave controller and memberservers may replicate the Virtual Machine Manager container > access to dn.subtree="cn=Virtual Machine Manager,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * read break > > # Slave controller and memberservers may replicate the mail container > access to dn.subtree="cn=mail,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * read break > > access to dn.regex="^@%@ldap/base@%@$$" 
>@@ -109,34 +111,34 @@ > > # DC Slaves need write access to the members of the group Domain Computers > access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave-Controller und Memberserver duerfen globale Container computers, shares, dns, dhcp, kerberos und policies sowie Benutzer lesen > access to dn.regex="(^(.+,)?cn=(groups|dns|dhcp|policies|computers|kerberos|shares),|^(uid=[^,]+,|)cn=users,|^)@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave DCs can read MS system container > access to dn.base="cn=system,@%@ldap/base@%@" >- by 
group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects > access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave DCs can read and write policy containers for MS WMI filter objects > access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern 
>@@ -145,11 +147,11 @@ > by * none break > > # Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten >-access to dn.regex="^cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry >+access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry > by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write > by * none break > >-access to dn.regex="^cn=([^,]+),cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" >+access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" > by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write > by * none break 
> >@@ -224,40 +226,40 @@ > > # domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers > access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * none break > > # domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users > access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * none break > > # domaincontroller slaves and memberservers may replicate the OU "domain controllers" > access to dn.subtree="ou=domain controllers,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * read break > > # Memberserver duerfen bestimmte Attribute lesen > access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Slave-Controller duerfen Eintraege Ihrer ou lesen und schreiben (Passwortaenderungen etc.) 
> # Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts > access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember.expand="cn=OU$2-Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" read > by dn.regex="^uid=(.+,)?cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" none break > by 
dn.regex="^uid=(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" none 
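Review bot: `cn=OU$2-@$@ALL_ADM_DC@$@` and the three sibling `.expand` lines now derive the per-OU replica group names from the configurable global group name. That only holds if the code that creates the `OU<ou>-...` groups reads the same UCR variables; otherwise, once an admin sets `ucsschool/ldap/default/groupname/all-administrativ-dc` to a new value, these rules reference groups that do not exist and the OU's slave DCs fall through to the `none` clauses below, losing write access to their own OU (fail-closed, but a silent outage). Please confirm the creation side and add a test that sets a non-default group name and checks the expanded group DN still resolves.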
>@@ -265,21 +267,21 @@ > > # Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!) > access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write > by * none break > > # Slave-Controller duerfen nagios-Container und Inhalt replizieren > access to dn.subtree="cn=nagios,@%@ldap/base@%@" >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by 
group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read > by * none break > > # Schüler, Lehrer, Mitarbeiter, Admins duerfen globale Container univention, policies, groups und dns lesen >@@ -290,10 +292,10 @@ > > # Slave-Controller und normale Lehrer duerfen sonst nichts lesen, Schueler sowieso nicht > access to * >- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none >+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none > by * none break > > """ >Index: ucs-test-ucsschool/90_ucsschool/80_move_users_into_another_ou >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/80_move_users_into_another_ou (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/80_move_users_into_another_ou (Arbeitskopie) 
>@@ -32,30 +32,26 @@ > # TODO: change school and uid at once! > # TODO: user without classes > >- base = ucr['ldap/base'] >- domain_users_school = 'cn=Domain Users %s,cn=groups,ou=%s,%s' % (b, b, base) >- teacher_group = 'cn=lehrer-%s,cn=groups,ou=%s,%s' % (b, b, base) >- staff_group = 'cn=mitarbeiter-%s,cn=groups,ou=%s,%s' % (b, b, base) >- students_group = 'cn=schueler-%s,cn=groups,ou=%s,%s' % (b, b, base) >+ search_base = User.get_search_base(b) >+ domain_users_school = 'cn=Domain Users {},{}'.format(b, search_base.groups) >+ teacher_group = search_base.teachers_ou_group >+ staff_group = search_base.staff_ou_group >+ students_group = search_base.students_ou_group > grp1_name = uts.random_username() > grp2_name = uts.random_username() > two_klasses = '{0}-{1},{0}-{2}'.format(a, grp1_name, grp2_name) >- workgroup_dn, workgroup_name = udm.create_group(position='cn=schueler,cn=groups,%s' % (a_dn,)) >+ workgroup_dn, workgroup_name = udm.create_group(position=WorkGroup.get_container(a)) > global_group_dn, global_group_name = udm.create_group() > > users = [ >- (env.create_user(a, classes=two_klasses), 'schueler', >- [students_group, domain_users_school, global_group_dn]), >- (env.create_user(a, is_teacher=True, classes=two_klasses), 'lehrer', >- [domain_users_school, teacher_group, global_group_dn]), >- (env.create_user(a, is_staff=True), 'mitarbeiter', >- [domain_users_school, staff_group, global_group_dn]), >- (env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), 'lehrer', >- [domain_users_school, teacher_group, staff_group, global_group_dn]), >+ (env.create_user(a, classes=two_klasses), [students_group, domain_users_school, global_group_dn]), >+ (env.create_user(a, is_teacher=True, classes=two_klasses), [domain_users_school, teacher_group, global_group_dn]), >+ (env.create_user(a, is_staff=True), [domain_users_school, staff_group, global_group_dn]), >+ (env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), 
[domain_users_school, teacher_group, staff_group, global_group_dn]), > ] > lo = env.open_ldap_connection() > workgroup = WorkGroup.from_dn(workgroup_dn, None, lo) >- users_dns = [dn for (user, dn,), roleshare_path, groups in users] >+ users_dns = [dn for (user, dn,), groups in users] > udm.modify_object('groups/group', dn=global_group_dn, append={'users': users_dns}) > workgroup.users.extend(users_dns) > workgroup.modify(lo) >@@ -62,7 +58,7 @@ > workgroup = WorkGroup.from_dn(workgroup_dn, None, lo) > print('*** Users in workgroup {}: {}'.format(workgroup.name, workgroup.users)) > >- for (user, dn,), roleshare_path, groups in users: >+ for (user, dn,), groups in users: > user = User.from_dn(dn, None, lo) > print('*** Groups {} is in: {}'.format(user, user.get_udm_object(lo)['groups'])) > >@@ -71,7 +67,7 @@ > print '################################' > > attrs = { >- 'homeDirectory': [os.path.join('/home', b, roleshare_path, user.name)], >+ 'homeDirectory': [os.path.join('/home', user.get_roleshare_home_subdir(), user.name)], > 'ucsschoolSchool': [b], > 'departmentNumber': [b], > # TODO: add sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath >Index: ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo (Arbeitskopie) >@@ -26,7 +26,7 @@ > > from datetime import datetime, timedelta > from ucsschool.lib.schoolldap import SchoolSearchBase >-from ucsschool.lib.models import School >+from ucsschool.lib.models import School, SchoolClass > from essential.computerroom import Room > from essential.exam import Exam 
> >@@ -170,6 +170,7 @@ > return True > utils.fail("Get-ItemProperty for %s did not return expected value (%s) for subkey %s" % (reg_key, expected_value, subkey)) > >+ > def samba_check_gpo_exists(gpo_name): > """ > Checks that GPO with 'gpo_name' exists via samba-tool. >@@ -526,7 +527,7 @@ > klasse_dn = udm.create_object( > 'groups/group', > name=schoolclassname, >- position="cn=klassen,cn=schueler,cn=groups,%s" % school_dn >+ position=SchoolClass.get_container(school) > ) > > student_pwd = "univention" >Index: ucs-test-ucsschool/90_ucsschool/essential/acl.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/acl.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/acl.py (Arbeitskopie) >@@ -13,6 +13,7 @@ > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu > import univention.testing.strings as uts >+from ucsschool.lib.models import ComputerRoom, School > > > class FailAcl(Exception): >@@ -122,6 +123,7 @@ > self.access_allowance = access_allowance > self.ucr = ucr_test.UCSTestConfigRegistry() > self.ucr.load() >+ self.search_base = School.get_search_base(self.school) > > def assert_acl(self, target_dn, access, attrs, access_allowance=None): > """Test ACL rule:\n >@@ -202,7 +204,7 @@ > def assert_room(self, room_dn, access): > """Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten > """ >- target_dn = 'cn=raeume,cn=groups,%s' % utu.UCSTestSchool().get_ou_base_dn(self.school) >+ target_dn = ComputerRoom.get_container(self.school) > attrs = [ > 'children', > 'entry', >@@ -229,7 +231,7 @@ > """Lehrer, Mitarbeiter und Mitglieder der lokalen Administratoren > duerfen Arbeitsgruppen anlegen und aendern > """ >- group_dn = 'cn=lehrer,cn=groups,%s' % utu.UCSTestSchool().get_ou_base_dn(self.school) >+ group_dn = self.search_base.teachers_group > attrs = [ > 'children', > 'entry', 
>@@ -259,7 +261,7 @@ > self.assert_acl(group_dn, access, attrs) > > def assert_student_group(self, access): >- group_dn = 'cn=schueler,cn=groups,%s' % utu.UCSTestSchool().get_ou_base_dn(self.school) >+ group_dn = self.search_base.students_group > attrs = [ > 'children', > 'entry', >Index: ucs-test-ucsschool/90_ucsschool/essential/computerroom.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/computerroom.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/computerroom.py (Arbeitskopie) >@@ -7,6 +7,8 @@ > from ucsschool.lib.models import IPComputer as IPComputerLib > from ucsschool.lib.models import MacComputer as MacComputerLib > from ucsschool.lib.models import WindowsComputer as WindowsComputerLib >+from ucsschool.lib.models import School as SchoolLib >+from ucsschool.lib.models import ComputerRoom as ComputerRoomLib > from univention.testing.umc2 import Client > from univention.testing.umc2 import ConnectionError > import copy >@@ -92,10 +94,10 @@ > def __init__(self, school, name=None, dn=None, description=None, host_members=None): > self.school = school > self.name = name if name else uts.random_name() >- self.dn = dn if dn else 'cn=%s-%s,cn=raeume,cn=groups,%s' % ( >- school, self.name, utu.UCSTestSchool().get_ou_base_dn(school)) >+ self.dn = dn if dn else ComputerRoomLib(school=school, name='{}-{}'.format(school, self.name)).dn > self.description = description if description else uts.random_name() > self.host_members = host_members or [] >+ self.marktplatz_name = SchoolLib.get_search_base(self.school).share_name_marktplatz > > def get_room_user(self, client): > print 'Executing command: computerroom/rooms in school:', self.school 
>@@ -286,35 +288,37 @@ > utils.fail('Write to home directory result (%r), expected (%r)' % (write[0], expected_result)) > > def check_marktplatz_read(self, user, ip_address, passwd='univention', expected_result=0): >- print '.... Check Marktplatz read ....' >- cmd_read_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'dir'] >+ print '.... Check Marktplatz ({}) read ....'.format(self.marktplatz_name) >+ cmd_read_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'dir'] > read = run_commands( > [cmd_read_marktplatz], > { > 'ip': ip_address, >- 'user': '{0}%{1}'.format(user, passwd) >+ 'user': '{0}%{1}'.format(user, passwd), >+ 'marktplatz_name': self.marktplatz_name > } > ) > if read[0] != expected_result: >- print 'FAIL .. Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result) >- utils.fail('Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result)) >+ print 'FAIL .. Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result) >+ utils.fail('Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result)) > > def check_marktplatz_write(self, user, ip_address, passwd='univention', expected_result=0): >- print '.... Check Marktplatz write ....' >+ print '.... 
Check Marktplatz ({}) write ....'.format(self.marktplatz_name) > f = tempfile.NamedTemporaryFile(dir='/tmp') >- cmd_write_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'put %(filename)s'] >+ cmd_write_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'put %(filename)s'] > write = run_commands( > [cmd_write_marktplatz], > { > 'ip': ip_address, > 'user': '{0}%{1}'.format(user, passwd), >- 'filename': '%s %s' % (f.name, f.name.split('/')[-1]) >+ 'filename': '%s %s' % (f.name, f.name.split('/')[-1]), >+ 'marktplatz_name': self.marktplatz_name, > } > ) > f.close() > if write[0] != expected_result: >- print 'FAIL .. Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result) >- utils.fail('Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result)) >+ print 'FAIL .. Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result) >+ utils.fail('Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result)) > > def check_share_access(self, user, ip_address, expected_home_result, expected_marktplatz_result): > self.check_home_read(user, ip_address, expected_result=expected_home_result) >Index: ucs-test-ucsschool/90_ucsschool/essential/distribution.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/distribution.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/distribution.py (Arbeitskopie) >@@ -13,6 +13,7 @@ > import univention.testing.strings as uts > import univention.testing.ucr as ucr_test > import univention.testing.utils as utils >+from ucsschool.lib.models import School > > > class Distribution(object): 
>@@ -505,14 +506,39 @@ > path = '' > self.ucr.load() > roleshare = self.ucr.get('ucsschool/import/roleshare') >+ collect_from = self.ucr.get('ucsschool/datadistribution/datadir/sender', 'Unterrichtsmaterial') >+ distribute_to = self.ucr.get('ucsschool/datadistribution/datadir/recipient', 'Unterrichtsmaterial') >+ search_base = School.get_search_base(self.school) > if purpose == 'distribute': > if roleshare == 'no' or roleshare is False: >- path = '/home/{0}/Unterrichtsmaterial/{1}/'.format(user, self.name) >+ path = '/home/{}/{}/{}/'.format( >+ user, >+ distribute_to, >+ self.name >+ ) > else: >- path = '/home/{0}/schueler/{1}/Unterrichtsmaterial/{2}'.format(self.school, user, self.name) >+ path = '/home/{}/{}/{}/{}/{}'.format( >+ self.school, >+ search_base.share_name_pupils, >+ user, >+ distribute_to, >+ self.name >+ ) > elif purpose == 'collect': > if roleshare == 'no' or roleshare is False: >- path = '/home/{0}/Unterrichtsmaterial/{1}/{2}/'.format(self.sender, self.name, user) >+ path = '/home/{}/{}/{}/{}/'.format( >+ self.sender, >+ collect_from, >+ self.name, >+ user >+ ) > else: >- path = '/home/{0}/lehrer/{1}/Unterrichtsmaterial/{2}/{3}'.format(self.school, self.sender, self.name, user) >+ path = '/home/{}/{}/{}/{}/{}/{}'.format( >+ self.school, >+ search_base.share_name_teachers, >+ self.sender, >+ collect_from, >+ self.name, >+ user >+ ) > return path >Index: ucs-test-ucsschool/90_ucsschool/essential/exam.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/exam.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/exam.py (Arbeitskopie) >@@ -15,6 +15,7 @@ > import subprocess > import univention.testing.strings as uts > import univention.testing.utils as utils >+from ucsschool.lib.models import School > > > class StartFail(Exception): 
>@@ -120,6 +121,7 @@ > self.shareMode = shareMode > self.internetRule = internetRule > self.customRule = customRule >+ self.search_base = School.get_search_base(self.school) > > if connection: > self.client = connection >@@ -251,7 +253,7 @@ > def check_collect(self): > account = utils.UCSTestDomainAdminCredentials() > admin = account.username >- path = '/home/%s/Klassenarbeiten/%s' % (admin, self.name) >+ path = '/home/%s/%s/%s' % (admin, self.search_base.share_name_exams, self.name) > path_files = get_dir_files(path) > if not set(self.files).issubset(set(path_files)): > utils.fail('%r were not collected to %r' % (self.files, path)) >@@ -263,7 +265,7 @@ > utils.fail('%r were not uploaded to %r' % (self.files, path)) > > def check_distribute(self): >- path = '/home/%s/schueler' % self.school >+ path = '/home/%s/%s' % (self.school, self.search_base.share_name_pupils) > path_files = get_dir_files(path) > if not set(self.files).issubset(set(path_files)): > utils.fail('%r were not uploaded to %r' % (self.files, path)) >Index: ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py (Arbeitskopie) 
>@@ -146,11 +146,11 @@ > print 'verify computer: %s' % self.name > > utils.verify_ldap_object(self.dn, expected_attr=self.expected_attributes(), should_exist=True) >- >- verwaltung_member_group1 = 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base')) >- verwaltung_member_group2 = 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base')) >- edukativ_member_group1 = 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base')) >- edukativ_member_group2 = 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base')) >+ search_base = SchoolLib.get_search_base(self.school) >+ verwaltung_member_group1 = search_base.administrative_ou_member_group >+ verwaltung_member_group2 = search_base.administrative_member_group >+ edukativ_member_group1 = search_base.educational_ou_member_group >+ edukativ_member_group2 = search_base.educational_member_group > if self.zone == 'verwaltung': > utils.verify_ldap_object(verwaltung_member_group1, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True) > utils.verify_ldap_object(verwaltung_member_group2, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True) >Index: ucs-test-ucsschool/90_ucsschool/essential/importgroups.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/importgroups.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/importgroups.py (Arbeitskopie) >@@ -10,6 +10,7 @@ > import univention.testing.strings as uts > from ucsschool.lib.models import SchoolClass as GroupLib > from ucsschool.lib.models import School as SchoolLib >+from ucsschool.lib.models import ClassShare as ClassShareLib > import ucsschool.lib.models.utils > > from essential.importou import remove_ou, get_school_base 
>@@ -28,9 +29,7 @@ > configRegistry = univention.config_registry.ConfigRegistry() > configRegistry.load() > >-cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') > >- > class Group: > > def __init__(self, school): >@@ -41,8 +40,8 @@ > > self.school_base = get_school_base(self.school) > >- self.dn = 'cn=%s,cn=klassen,cn=%s,cn=groups,%s' % (self.name, cn_pupils, self.school_base) >- self.share_dn = 'cn=%s,cn=klassen,cn=shares,%s' % (self.name, self.school_base) >+ self.dn = GroupLib(school=self.school, name=self.name).dn >+ self.share_dn = ClassShareLib(school=self.school, name=self.name).dn > > def set_mode_to_modify(self): > self.mode = 'M' >Index: ucs-test-ucsschool/90_ucsschool/essential/importou.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/importou.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/importou.py (Arbeitskopie) >@@ -13,6 +13,7 @@ > > import univention.uldap > import univention.admin.uldap >+import ldap > import univention.admin.modules > import univention.admin.filter > import univention.config_registry 
>@@ -299,12 +300,15 @@ > old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base') > lo = univention.uldap.getMachineConnection() > base_dn = ucr.get('ldap/base') >+ search_base = School.get_search_base(ou) > >- cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler') >- cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer') >- cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >- cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins') >- cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') >+ cn_pupils = ldap.explode_dn(search_base.students, True)[0] >+ cn_teachers = ldap.explode_dn(search_base.teachers, True)[0] >+ cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0] >+ cn_admins = ldap.explode_dn(search_base.admins, True)[0] >+ cn_staff = ldap.explode_dn(search_base.staff, True)[0] >+ cn_class = ldap.explode_dn(search_base.classes, True)[0] >+ cn_rooms = ldap.explode_dn(search_base.rooms, True)[0] > > singlemaster = ucr.is_true('ucsschool/singlemaster') > noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects') 
>@@ -332,43 +336,42 @@ > > utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [sharefileserver_dn], 'ucsschoolHomeShareFileServer': [sharefileserver_dn]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist) > utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist) > utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, 
should_exist=must_exist) >- utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': ['dhcp']}, 
should_exist=must_exist) >+ utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist) > utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist) > > if noneducational_create_objects: >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist) > else: >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False) >+ utils.verify_ldap_object(search_base.staff, should_exist=False) >+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False) >+ utils.verify_ldap_object(search_base.staff_group, should_exist=False) > > if noneducational_create_objects: >- utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True) >- utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True) >- utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True) >- 
utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_ou_dc_group) >+ utils.verify_ldap_object(search_base.administrative_ou_member_group) > # This will fail because we don't cleanup these groups in cleanup_ou > # else: > # utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False) 
>@@ -382,22 +385,17 @@ > if dc_administrative: > verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist) > >- grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') >- grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') >- grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >- grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >- > grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn) > >- utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True) >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True) >+ utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': 
[grp_policy_teachers]}, should_exist=must_exist) > > if noneducational_create_objects: >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist) > > dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master") > dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup") >@@ -410,7 +408,7 @@ > # check group membership > # slave should be member > # master and backup should not be member >- dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn), "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)] >+ dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group] > > if must_exist: > if masterobjs: 
>@@ -486,33 +484,34 @@ > base_dn = ucr.get('ldap/base') > ou_base = get_ou_base(ou, ucr.is_true('ucsschool/ldap/district/enable', False)) > dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, ou_base) >+ search_base = School.get_search_base(ou) > > # define list of (un-)desired group memberships ==> [(IS_MEMBER, GROUP_DN), ...] > group_dn_list = [] > if dc_type == TYPE_DC_ADMINISTRATIVE: > group_dn_list += [ >- (True, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)), >- (True, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )), >- (False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn), >- (False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)), >- (False, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)), >- (False, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )), >- (False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn), >- (False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)), >+ (True, search_base.administrative_ou_dc_group), >+ (True, search_base.administrative_dc_group), >+ (False, search_base.administrative_member_group), >+ (False, search_base.administrative_ou_member_group), >+ (False, search_base.educational_ou_dc_group), >+ (False, search_base.educational_dc_group), >+ (False, search_base.educational_member_group), >+ (False, search_base.educational_ou_member_group), > ] > else: > group_dn_list += [ >- (True, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)), >- (True, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )), >- (False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn), >- (False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)), >+ (True, search_base.educational_ou_dc_group), >+ (True, search_base.educational_dc_group), >+ (False, search_base.educational_member_group), >+ (False, 
search_base.educational_ou_member_group), > ] > if ucr.is_true('ucsschool/ldap/noneducational/create/objects', must_exist): > group_dn_list += [ >- (False, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)), >- (False, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )), >- (False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn), >- (False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)), >+ (False, search_base.administrative_ou_dc_group), >+ (False, search_base.administrative_dc_group), >+ (False, search_base.administrative_member_group), >+ (False, search_base.administrative_ou_member_group), > ] > > utils.verify_ldap_object(dc_dn, should_exist=must_exist) >Index: ucs-test-ucsschool/90_ucsschool/essential/importusers.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/importusers.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/importusers.py (Arbeitskopie) >@@ -13,6 +13,7 @@ > from univention.testing.decorators import SetTimeout > import univention.uldap > import univention.config_registry >+from ucsschool.lib.models import SchoolClass as SchoolClassLib > from ucsschool.lib.models import Student as StudentLib > from ucsschool.lib.models import Teacher as TeacherLib > from ucsschool.lib.models import Staff as StaffLib >@@ -31,7 +32,7 @@ > > HOOK_BASEDIR = '/usr/share/ucs-school-import/hooks' > >- >+i > class ImportUser(Exception): > pass 
> >@@ -43,17 +44,7 @@ > configRegistry = univention.config_registry.ConfigRegistry() > configRegistry.load() > >-cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler') >-cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer') >-cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >-cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') > >-grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') >-grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') >-grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >-grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >- >- > class Person(object): > > def __init__(self, school, role): >@@ -62,6 +53,7 @@ > self.username = uts.random_name() > self.school = school > self.schools = [school] >+ self.search_base = SchoolLib.get_search_base(self.school) > self.role = role > self.record_uid = None > self.source_uid = None 
>@@ -69,17 +61,17 @@ > self.mail = '%s@%s' % (self.username, configRegistry.get('domainname')) > self.school_classes = {} > if self.is_student(): >- self.cn = cn_pupils >- self.grp_prefix = grp_prefix_pupils >+ self.user_type = StudentLib >+ self.role_group_dn = self.search_base.students_ou_group > elif self.is_teacher(): >- self.cn = cn_teachers >- self.grp_prefix = grp_prefix_teachers >+ self.user_type = TeacherLib >+ self.role_group_dn = self.search_base.teachers_ou_group > elif self.is_teacher_staff(): >- self.cn = cn_teachers_staff >- self.grp_prefix = grp_prefix_teachers >+ self.user_type = TeachersAndStaffLib >+ self.role_group_dn = self.search_base.teachers_ou_group > elif self.is_staff(): >- self.cn = cn_staff >- self.grp_prefix = grp_prefix_staff >+ self.user_type = StaffLib >+ self.role_group_dn = self.search_base.staff_ou_group > self.mode = 'A' > self.active = True > self.password = None >@@ -88,20 +80,14 @@ > self.append_random_groups() > > def make_dn(self): >- return 'uid=%s,cn=%s,cn=users,%s' % (self.username, self.cn, self.school_base) >+ return self.user_type(school=self.school, name=self.username).dn > > @property > def homedir(self): >- subdir = '' > if configRegistry.is_true('ucsschool/import/roleshare', True): >- if self.is_student(): >- subdir = os.path.join(self.school, 'schueler') >- elif self.is_teacher(): >- subdir = os.path.join(self.school, 'lehrer') >- elif self.is_teacher_staff(): >- subdir = os.path.join(self.school, 'lehrer') >- elif self.is_staff(): >- subdir = os.path.join(self.school, 'mitarbeiter') >+ subdir = self.user_type(school=self.school, name=self.username).get_roleshare_home_subdir() >+ else: >+ subdir = '' > return os.path.join('/home', subdir, self.username) > > def make_school_base(self): 
>@@ -340,15 +326,12 @@ > > for school, classes in self.school_classes.iteritems(): > for cl in classes: >- cl_group_dn = 'cn=%s,cn=klassen,cn=%s,cn=groups,%s' % (cl, cn_pupils, get_school_base(school)) >+ cl_group_dn = SchoolClassLib(school=school, name=cl).dn > utils.verify_ldap_object(cl_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True) > > assert self.school in self.schools > >- for school in self.schools: >- role_group_dn = 'cn=%s%s,cn=groups,%s' % (self.grp_prefix, school, get_school_base(school)) >- utils.verify_ldap_object(role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True) >- >+ utils.verify_ldap_object(self.role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True) > print 'person OK: %s' % self.username > > >@@ -695,16 +678,14 @@ > 'name': name, > 'service': 'Windows Profile Server', > } >- school_base = get_school_base(ou) >+ udm.create_object('computers/memberserver', position=SchoolComputerLib.get_container(ou), **properties) > >- udm.create_object('computers/memberserver', position=school_base, **properties) > >- >-def create_home_server(udm, name): >+def create_home_server(udm, ou, name): > properties = { > 'name': name, > } >- udm.create_object('computers/memberserver', **properties) >+ udm.create_object('computers/memberserver', position=SchoolComputerLib.get_container(ou), **properties) > > > def import_users_basics(use_cli_api=True, use_python_api=False): 
>@@ -729,7 +710,7 @@ > > if home_server_at_ou: > home_server_at_ou = uts.random_name() >- create_home_server(udm, home_server_at_ou) >+ create_home_server(udm, school_name, home_server_at_ou) > create_ou_cli(school_name, sharefileserver=home_server_at_ou) > else: > create_ou_cli(school_name) >Index: ucs-test-ucsschool/90_ucsschool/essential/internetrule.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/internetrule.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/internetrule.py (Arbeitskopie) >@@ -15,6 +15,7 @@ > import univention.testing.utils as utils > from univention.testing.ucsschool import UCSTestSchool > import univention.testing.ucsschool as utu >+from ucsschool.lib.models import SchoolClass as SchoolClassLib > > > class InternetRule(object): >@@ -193,7 +194,7 @@ > ucsschool = UCSTestSchool() > groupdn = ucsschool.get_workinggroup_dn(school, groupName) > elif groupType == 'class': >- groupdn = 'cn=%s-%s,cn=klassen,cn=schueler,cn=groups,%s' % (school, groupName, school_basedn) >+ groupdn = SchoolClassLib(school=schoolenv.name, name="{}-{}".format(school, groupName)).dn > > if default: > name = '$default$' >Index: ucs-test-ucsschool/90_ucsschool/essential/klasse.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/klasse.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/klasse.py (Arbeitskopie) >@@ -9,6 +9,7 @@ > from univention.testing.umc2 import Client > import univention.testing.ucr as ucr_test > from univention.testing.ucsschool import UCSTestSchool >+from ucsschool.lib.models import SchoolClass as SchoolClassLib > > > class GetFail(Exception): 
>@@ -121,9 +122,7 @@ > k, classes_names)) > > def dn(self): >- return 'cn=%s-%s,cn=klassen,cn=schueler,cn=groups,%s' % ( >- self.school, self.name, UCSTestSchool().get_ou_base_dn(self.school) >- ) >+ return SchoolClassLib(school=self.school, name="{}-{}".format(self.school, self.name)).dn > > def get(self): > """Get class""" >Index: ucs-test-ucsschool/90_ucsschool/essential/school.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/school.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/school.py (Arbeitskopie) >@@ -4,6 +4,7 @@ > > .. moduleauthor:: Ammar Najjar <najjar@univention.de> > """ >+import ldap > from essential.importcomputers import random_ip > from essential.importou import DCNotFound, DCMembership, DhcpdLDAPBase, TYPE_DC_ADMINISTRATIVE > from essential.importou import get_ou_base, verify_dc, get_school_ou_from_dn, TYPE_DC_EDUCATIONAL >@@ -13,6 +14,8 @@ > import univention.testing.ucr as ucr_test > import univention.testing.utils as utils > import univention.uldap >+from ucsschool.lib.models import (School as LibSchool, ComputerRoom as LibComputerRoom, SchoolClass as LibSchoolClass, >+ Staff as LibStaff, TeachersAndStaff as LibTeachersAndStaff, Teacher as LibTeacher, Student as LibStudent) > > > class GetFail(Exception): 
>@@ -251,12 +254,15 @@ > old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base') > lo = univention.uldap.getMachineConnection() > base_dn = ucr.get('ldap/base') >+ search_base = LibSchool.get_search_base(ou) > >- cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler') >- cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer') >- cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >- cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins') >- cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') >+ cn_pupils = ldap.explode_dn(LibStudent.get_container(ou), True)[0] >+ cn_teachers = ldap.explode_dn(LibTeacher.get_container(ou), True)[0] >+ cn_teachers_staff = ldap.explode_dn(LibTeachersAndStaff.get_container(ou), True)[0] >+ cn_admins = ldap.explode_dn(search_base.admins, True)[0] >+ cn_staff = ldap.explode_dn(LibStaff.get_container(ou), True)[0] >+ cn_class = ldap.explode_dn(LibSchoolClass.get_container(ou), True)[0] >+ cn_rooms = ldap.explode_dn(LibComputerRoom.get_container(ou), True)[0] > > singlemaster = ucr.is_true('ucsschool/singlemaster') > noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects') 
>@@ -290,43 +296,42 @@ > > utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [classsharefileserver_dn], 'ucsschoolHomeShareFileServer': [homesharefileserver_dn]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist) > utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist) > utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': 
['dc']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >- utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist) > >- utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist) >- utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': 
['dhcp']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist) > utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist) > > if noneducational_create_objects: >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist) > else: >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False) >- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False) >- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False) >+ utils.verify_ldap_object(search_base.staff, should_exist=False) >+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False) >+ utils.verify_ldap_object(search_base.staff_group, should_exist=False) > > if noneducational_create_objects: >- utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True) >- utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True) >- utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True) >- 
utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True) >+ utils.verify_ldap_object(search_base.administrative_ou_dc_group) >+ utils.verify_ldap_object(search_base.administrative_ou_member_group) > # This will fail because we don't cleanup these groups in cleanup_ou > # else: > # utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False) 
>@@ -340,22 +345,17 @@ > if dc_administrative: > verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist) > >- grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-') >- grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-') >- grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-') >- grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-') >- > grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn) > grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn) > >- utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True) >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist) >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True) >+ utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': 
[grp_policy_teachers]}, should_exist=must_exist) > > if noneducational_create_objects: >- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist) >+ utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist) > > dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master") > dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup") >@@ -368,7 +368,7 @@ > # check group membership > # slave should be member > # master and backup should not be member >- dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn), "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)] >+ dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group] > > if must_exist: > if masterobjs: >@@ -412,7 +412,7 @@ > # seems to be the first OU, so check the variable settings > if ucr.get('dhcpd/ldap/base') != "cn=dhcp,%s" % (ou_base,): > print 'ERROR: dhcpd/ldap/base =', ucr.get('dhcpd/ldap/base') >- print 'ERROR: expected base =', dhcp_dn >+ print 'ERROR: expected base =', dhcp_dn # FIXME: unresolve reference: dhcp_dn > raise DhcpdLDAPBase() > > # use the UCR value and check if the DHCP service exists >Index: ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py >=================================================================== >--- ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py (Revision 76600) >+++ ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py (Arbeitskopie) >@@ -3,6 +3,7 @@ > import univention.testing.ucr as ucr_test > import univention.testing.ucsschool as utu > import univention.testing.utils as utils >+from ucsschool.lib.models import LibComputerRoom > > > class FailQuery(Exception): 
>@@ -49,7 +50,7 @@ > self.client = Client.get_test_connection() > > def dn(self): >- return 'cn=%s-%s,cn=raeume,cn=groups,%s' % (self.school, self.name, utu.UCSTestSchool().get_ou_base_dn(self.school)) >+ return LibComputerRoom(school="myschool", name='{}-{}'.format("myschool", "myname")).dn > > def add(self, should_pass=True): > param = [{ >Index: ucs-test-ucsschool/univention/testing/ucsschool.py >=================================================================== >--- ucs-test-ucsschool/univention/testing/ucsschool.py (Revision 76600) >+++ ucs-test-ucsschool/univention/testing/ucsschool.py (Arbeitskopie) >@@ -53,7 +53,7 @@ > import univention.admin.uldap as udm_uldap > import univention.admin.uexceptions as udm_errors > >-from ucsschool.lib.models import School, User, Student, Teacher, TeachersAndStaff, Staff, SchoolClass, WorkGroup >+from ucsschool.lib.models import School, User, Student, Teacher, TeachersAndStaff, Staff, SchoolClass, WorkGroup, Share > from ucsschool.lib.models.utils import add_stream_logger_to_schoollib > from ucsschool.lib.models.group import ComputerRoom > >@@ -83,11 +83,6 @@ > PATH_CMD_CREATE_OU = PATH_CMD_BASE + '/create_ou' > > PATH_CMD_IMPORT_USER = PATH_CMD_BASE + '/import_user' >- CN_STUDENT = _ucr.get('ucsschool/ldap/default/container/pupils', 'schueler') >- CN_TEACHERS = _ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer') >- CN_TEACHERS_STAFF = _ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter') >- CN_ADMINS = _ucr.get('ucsschool/ldap/default/container/admins', 'admins') >- CN_STAFF = _ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter') > > def __init__(self): > self._cleanup_ou_names = set() 
>@@ -189,15 +184,14 @@ > print '' > print '*** Purging OU %s and related objects' % ou_name > # remove OU specific groups >+ search_base = School.get_search_base(ou_name) > for grpdn in ( >- 'cn=OU%(ou)s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=OU%(ou)s-Member-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=OU%(ou)s-Klassenarbeit,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', >- 'cn=admins-%(ou)s,cn=ouadmins,cn=groups,%(basedn)s', >- ): >- grpdn = grpdn % {'ou': ou_name, 'basedn': self._ucr.get('ldap/base')} >+ search_base.administrative_ou_member_group, >+ search_base.educational_ou_member_group, >+ search_base.examGroup, >+ search_base.administrative_ou_dc_group, >+ search_base.educational_ou_dc_group, >+ search_base.admin_group): > self._remove_udm_object('groups/group', grpdn) > > # remove OU recursively 
>@@ -310,24 +304,24 @@ > Returns user container for specified user role and ou_name. > """ > if is_teacher and is_staff: >- return 'cn=%s,cn=users,%s' % (self.CN_TEACHERS_STAFF, self.get_ou_base_dn(ou_name)) >+ return TeachersAndStaff.get_container(ou_name) > if is_teacher: >- return 'cn=%s,cn=users,%s' % (self.CN_TEACHERS, self.get_ou_base_dn(ou_name)) >+ return Teacher.get_container(ou_name) > if is_staff: >- return 'cn=%s,cn=users,%s' % (self.CN_STAFF, self.get_ou_base_dn(ou_name)) >- return 'cn=%s,cn=users,%s' % (self.CN_STUDENT, self.get_ou_base_dn(ou_name)) >+ return Staff.get_container(ou_name) >+ return Student.get_container(ou_name) > > def get_workinggroup_dn(self, ou_name, group_name): > """ > Return the DN of the specified working group. > """ >- return 'cn=%s-%s,cn=schueler,cn=groups,%s' % (ou_name, group_name, self.get_ou_base_dn(ou_name)) >+ return WorkGroup(school=ou_name, name="{}-{}".format(ou_name, group_name)).dn > > def get_workinggroup_share_dn(self, ou_name, group_name): > """ > Return the DN of the share object for the specified working group. > """ >- return 'cn=%s-%s,cn=shares,%s' % (ou_name, group_name, self.get_ou_base_dn(ou_name)) >+ return Share(school=ou_name, name="{}-{}".format(ou_name, group_name)).dn > > def create_teacher(self, *args, **kwargs): > return self.create_user(*args, is_teacher=True, is_staff=False, **kwargs) >@@ -457,7 +451,8 @@ > return school_admin, dn > > def create_domain_admin(self, ou_name, username=None, password='univention'): >- position = 'cn=admins,cn=users,%s' % (self.get_ou_base_dn(ou_name)) >+ search_base = School.get_search_base(ou_name) >+ position = search_base.admins > groups = ["cn=Domain Admins,cn=groups,%s" % (self.LDAP_BASE,)] > udm = udm_test.UCSTestUDM() > if username is None: 
>@@ -487,7 +482,7 @@ > class_name = uts.random_username() > if not class_name.startswith('{}-'.format(ou_name)): > class_name = '{}-{}'.format(ou_name, class_name) >- grp_dn = 'cn={},cn=klassen,cn=schueler,cn=groups,ou={},{}'.format(class_name, ou_name, self.LDAP_BASE) >+ grp_dn = SchoolClass(school=ou_name, name=class_name).dn > kwargs = { > 'school': ou_name, > 'name': class_name, >@@ -516,7 +511,6 @@ > workgroup_name = uts.random_username() > if not workgroup_name.startswith('{}-'.format(ou_name)): > workgroup_name = '{}-{}'.format(ou_name, workgroup_name) >- grp_dn = 'cn={},cn=schueler,cn=groups,ou={},{}'.format(workgroup_name, ou_name, self.LDAP_BASE) > kwargs = { > 'school': ou_name, > 'name': workgroup_name, >@@ -533,7 +527,7 @@ > if wait_for_replication: > utils.wait_for_replication() > >- return workgroup_name, grp_dn >+ return workgroup_name, WorkGroup(**kwargs).dn > > def create_computerroom(self, ou_name, name=None, description=None, host_members=None, wait_for_replication=True): > """ >Index: univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py >=================================================================== >--- univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py (Revision 76600) >+++ univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py (Arbeitskopie) >@@ -48,6 +48,7 @@ > from univention.management.console.modules.sanitizers import StringSanitizer > from univention.management.console.modules.decorators import sanitize > from ucsschool.lib.schoolldap import LDAP_Connection, SchoolBaseModule, ADMIN_WRITE, USER_READ >+from ucsschool.lib.models import SchoolComputer > > from univention.management.console.config import ucr 
> >@@ -89,7 +90,7 @@ > raise UMC_Error(_('Could not determine schoolOU.')) > > # Set new position >- ldap_position.setDn(search_base.computers) >+ ldap_position.setDn(SchoolComputer.get_container(search_base.school)) > > self._check_usersid_join_permissions(ldap_user_read, request.options.get('usersid')) >
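Review bot: in ucs-test-ucsschool/90_ucsschool/essential/importou.py, hunk `@@ -486,33 +484,34 @@`, the removed DNs were built with `ou.lower()` for the `OU%s-DC-*` groups but with the unmodified `ou` for the `OU%s-Member-*` groups; confirm that the `search_base.*_ou_dc_group` / `*_ou_member_group` properties reproduce exactly those names, otherwise `verify_dc` starts checking DNs that differ from the ones the OU setup creates and the membership assertions become meaningless. Also check whether `base_dn = ucr.get('ldap/base')` is still referenced in this function after the rewrite, since every visible use of it was removed.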
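Review bot: in ucs-test-ucsschool/90_ucsschool/essential/importusers.py, hunk `@@ -13,6 +13,7 @@`, only `SchoolClassLib` is added, but later hunks in the same file call `SchoolLib.get_search_base(...)`, assign `self.user_type = TeachersAndStaffLib` and use `SchoolComputerLib.get_container(ou)`; unless those aliases are already imported outside the shown context, add `from ucsschool.lib.models import School as SchoolLib, TeachersAndStaff as TeachersAndStaffLib, SchoolComputer as SchoolComputerLib` here, or the module fails with NameError on first use.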
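Review bot: in ucs-test-ucsschool/90_ucsschool/essential/importusers.py, hunk `@@ -31,7 +32,7 @@`, the blank line before `class ImportUser(Exception):` is replaced by a line containing only `i`; at module level that is a bare name lookup and raises NameError at import time, so every test importing this module breaks. Restore the blank line.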
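Review bot: in ucs-test-ucsschool/90_ucsschool/essential/importusers.py, hunk `@@ -340,15 +326,12 @@`, the loop `for school in self.schools:` that verified the role group membership in every school of the user is replaced by a single check of `self.role_group_dn`, which is derived from `self.school` only; the `assert self.school in self.schools` right above it shows that users may belong to several schools, so membership in the secondary schools' role groups is no longer verified. Keep the loop and resolve the role group per school via `SchoolLib.get_search_base(school)` instead.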
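Review bot: in ucs-test-ucsschool/90_ucsschool/essential/importusers.py, hunk `@@ -695,16 +678,14 @@`, `create_home_server` gains a mandatory `ou` parameter and now creates the member server inside `SchoolComputerLib.get_container(ou)` instead of at the default position; the one caller in this file is adapted in the following hunk, but any other caller of `create_home_server(udm, name)` in the test suite will now raise TypeError, so grep for further call sites before merging.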
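Review bot: in ucs-test-ucsschool/90_ucsschool/essential/internetrule.py, hunk `@@ -193,7 +194,7 @@`, the new line `groupdn = SchoolClassLib(school=schoolenv.name, name="{}-{}".format(school, groupName)).dn` takes the OU from `schoolenv.name` while the surrounding code (including `ucsschool.get_workinggroup_dn(school, groupName)` two lines above and the class name built from `school`) uses `school`; if `schoolenv` is not in scope this is a NameError, and if it is, the container OU and the name prefix can disagree. Use `school=school`.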
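Review bot: in ucs-test-ucsschool/90_ucsschool/essential/school.py, hunk `@@ -290,43 +296,42 @@`, the last two replacement lines `utils.verify_ldap_object(search_base.administrative_ou_dc_group)` and `utils.verify_ldap_object(search_base.administrative_ou_member_group)` drop the explicit `should_exist=True` that the removed lines and the two lines directly above still pass; make them consistent so the intended assertion does not depend on the helper's default. The duplicate `cn=dc,cn=server,cn=computers` check that appears twice in the context lines survives the cleanup of the duplicated `cn_admins` check and could be removed in the same pass.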
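Review bot: in ucs-test-ucsschool/90_ucsschool/essential/school.py, hunk `@@ -412,7 +412,7 @@`, the change only appends `# FIXME: unresolve reference: dhcp_dn` to `print 'ERROR: expected base =', dhcp_dn` instead of fixing it; `dhcp_dn` is not defined, so the error branch raises NameError before reaching `raise DhcpdLDAPBase()` and the intended diagnostic never appears. The expected value is the `"cn=dhcp,%s" % (ou_base,)` computed in the `if` one line above (or `search_base.dhcp`); print that and drop the FIXME.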
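Review bot: in ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py, hunk `@@ -3,6 +3,7 @@`, `from ucsschool.lib.models import LibComputerRoom` imports a name that does not exist in the library; the rest of this patch imports it as `ComputerRoom as LibComputerRoom` (school.py) and `from ucsschool.lib.models.group import ComputerRoom` (ucsschool.py). As written the module fails with ImportError; use `from ucsschool.lib.models import ComputerRoom as LibComputerRoom`.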
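Review bot: in ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py, hunk `@@ -49,7 +50,7 @@`, `dn()` now returns `LibComputerRoom(school="myschool", name='{}-{}'.format("myschool", "myname")).dn`, i.e. a fixed DN for a placeholder school and room instead of the object's own `self.school` and `self.name` that the removed line used; every test relying on this DN would verify the wrong object. Replace the literals with `self.school` and `self.name`.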
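Review bot: in ucs-test-ucsschool/univention/testing/ucsschool.py, hunk `@@ -83,11 +83,6 @@`, the class attributes `CN_STUDENT` to `CN_STAFF` are removed from `UCSTestSchool`; within this file their uses are replaced in the `@@ -310,24 +304,24 @@` hunk, but they are public attributes of the shared test helper, so any test module referencing `UCSTestSchool.CN_STUDENT` and friends will raise AttributeError. Grep the test suite for these names before removing them.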
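Review bot: in ucs-test-ucsschool/univention/testing/ucsschool.py, hunk `@@ -189,15 +184,14 @@`, the closing `):` of the group tuple is moved onto the last element line `search_base.admin_group):`, whereas the removed code kept it on its own line; keep the original layout so the tuple stays easy to extend.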
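Review bot: in ucs-test-ucsschool/univention/testing/ucsschool.py, hunk `@@ -533,7 +527,7 @@`, `return workgroup_name, WorkGroup(**kwargs).dn` passes the whole `kwargs` dict that was assembled for object creation into the model constructor; the DN only depends on the school and the name, so `WorkGroup(school=ou_name, name=workgroup_name).dn` is safer should `kwargs` carry keys the model does not accept, and it mirrors how `create_school_class` builds `grp_dn` in the `@@ -487,7 +482,7 @@` hunk.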