Univention Bugzilla – Attachment 8455 Details for
Bug 43628
UCS@school: replication cycle for nTSecurityDescriptor
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
pre_con_modify_check.patch
pre_con_modify_check.patch (text/plain), 5.57 KB, created by
Arvid Requate
on 2017-02-23 17:50:04 CET
(
hide
)
Description:
pre_con_modify_check.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2017-02-23 17:50:04 CET
Size:
5.57 KB
patch
obsolete
>Index: conffiles/etc/univention/s4connector/s4/mapping.py >=================================================================== >--- conffiles/etc/univention/s4connector/s4/mapping.py (Revision 75940) >+++ conffiles/etc/univention/s4connector/s4/mapping.py (Arbeitskopie) >@@ -759,6 +759,9 @@ > post_ucs_modify_functions=[ > univention.s4connector.s4.ntsecurity_descriptor.ntsd_to_ucs, > ], >+ pre_con_modify_functions=[ >+ univention.s4connector.s4.ntsecurity_descriptor.ntsd_is_unchanged_in_s4, >+ ], > post_con_create_functions = [ > univention.s4connector.s4.ntsecurity_descriptor.ntsd_to_s4, > ], >Index: modules/univention/s4connector/__init__.py >=================================================================== >--- modules/univention/s4connector/__init__.py (Revision 75940) >+++ modules/univention/s4connector/__init__.py (Arbeitskopie) >@@ -378,6 +378,7 @@ > ucs_create_functions=[], > con_create_extenstions=[], > post_con_create_functions=[], >+ pre_con_modify_functions=[], > post_con_modify_functions=[], > post_ucs_modify_functions=[], > post_attributes=None, >@@ -417,6 +418,7 @@ > self.con_create_extenstions = con_create_extenstions > > self.post_con_create_functions = post_con_create_functions >+ self.pre_con_modify_functions = pre_con_modify_functions > self.post_con_modify_functions = post_con_modify_functions > self.post_ucs_modify_functions = post_ucs_modify_functions > >@@ -1507,7 +1509,7 @@ > except (ldap.SERVER_DOWN, SystemExit): > raise > except: # FIXME: which exception is to be caught? >- self._debug_traceback(ud.ERROR, "failed in post_con_modify_functions") >+ self._debug_traceback(ud.ERROR, "failed in post_ucs_modify_functions") > result = False > > if result: >Index: modules/univention/s4connector/s4/__init__.py >=================================================================== >--- modules/univention/s4connector/s4/__init__.py (Revision 75940) >+++ modules/univention/s4connector/s4/__init__.py (Arbeitskopie) >@@ -2595,6 +2595,22 @@ > else: > ud.debug(ud.LDAP, ud.INFO, "to modify: %s" % object['dn']) > ud.debug(ud.LDAP, ud.ALL, "sync_from_ucs: modlist: %s" % modlist) >+ >+ if hasattr(self.property[property_type], "pre_con_modify_functions"): >+ for f in self.property[property_type].pre_con_modify_functions: >+ ud.debug(ud.LDAP, ud.INFO, "Call pre_con_modify_function: %s" % f) >+ if not f(self, property_type, object): >+ ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: Veto by pre_con_modify_function %s" % f) >+ ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: Skipping modify") >+ >+ ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: unlock UCS entryUUID: %s" % entryUUID) >+ self.lockingdb.unlock_ucs(entryUUID) >+ >+ self._check_dn_mapping(pre_mapped_ucs_dn, object['dn']) >+ return True >+ ud.debug(ud.LDAP, ud.INFO, "Call pre_con_modify_function: %s (ok)" % f) >+ >+ if modlist: > try: > self.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), compatible_modlist(modlist), serverctrls=self.serverctrls_for_add_and_modify) > except: >Index: modules/univention/s4connector/s4/ntsecurity_descriptor.py >=================================================================== >--- modules/univention/s4connector/s4/ntsecurity_descriptor.py (Revision 75940) >+++ modules/univention/s4connector/s4/ntsecurity_descriptor.py (Arbeitskopie) >@@ -72,6 +72,27 @@ > domain_sid = security.dom_sid(s4connector.s4_sid) > return decode_sd_in_ndr_to_sddl(domain_sid, ntsd_ndr) > >+# Pre-modify function >+ >+def ntsd_is_unchanged_in_s4(s4connector, key, object): >+ (s4_dn, s4_attributes) = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE, '(objectClass=*)', ['nTSecurityDescriptor', 'uSNChanged', 'objectGUID'])[0] >+ ntsd_ndr = s4_attributes.get('nTSecurityDescriptor') >+ if ntsd_ndr: >+ domain_sid = security.dom_sid(s4connector.s4_sid) >+ s4_ntsd_sddl = decode_sd_in_ndr_to_sddl(domain_sid, ntsd_ndr[0]) >+ if s4_ntsd_sddl == ucs_ntsd_sddl: >+ ud.debug(ud.LDAP, ud.INFO, 'ntsd_to_s4: nTSecurityDescriptors are equal') >+ return True >+ >+ guid_blob = s4_attributes.get('objectGUID')[0] >+ objectGUID = str(ndr_unpack(misc.GUID, guid_blob)) >+ old_s4_object = s4connector.s4cache.get_entry(objectGUID) >+ if old_s4_object: >+ if old_s4_object.get('uSNChanged')[0] != s4_attributes.get('uSNChanged')[0]: >+ ud.debug(ud.LDAP, ud.PROCESS, "ntsd_to_s4: skipping, S4-Object changed: %s" % object['dn']) >+ return False >+ return True >+ > # Post-create/modify functions > > >@@ -88,7 +109,7 @@ > return > > ucs_ntsd_sddl = object['attributes']['msNTSecurityDescriptor'][0] >- (s4_dn, s4_attributes) = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE, '(objectClass=*)', ['nTSecurityDescriptor', 'uSNChanged' , 'objectGUID'])[0] >+ (s4_dn, s4_attributes) = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE, '(objectClass=*)', ['nTSecurityDescriptor', 'objectGUID'])[0] > ntsd_ndr = s4_attributes.get('nTSecurityDescriptor') > if ntsd_ndr: > domain_sid = security.dom_sid(s4connector.s4_sid) >@@ -97,14 +118,6 @@ > ud.debug(ud.LDAP, ud.INFO, 'ntsd_to_s4: nTSecurityDescriptors are equal') > return > >- guid_blob = s4_attributes.get('objectGUID')[0] >- objectGUID = str(ndr_unpack(misc.GUID, guid_blob)) >- old_s4_object = s4connector.s4cache.get_entry(objectGUID) >- if old_s4_object: >- if old_s4_object.get('uSNChanged')[0] != s4_attributes.get('uSNChanged')[0]: >- ud.debug(ud.LDAP, ud.PROCESS, "ntsd_to_s4: skipping, S4-Object changed: %s" % object['dn']) >- return >- > ud.debug(ud.LDAP, ud.INFO, 'ntsd_to_s4: changing nTSecurityDescriptor from %s to %s' % (s4_ntsd_sddl, ucs_ntsd_sddl)) > > ucs_ntsd_ndr = encode_sddl_to_sd_in_ndr(domain_sid, ucs_ntsd_sddl)
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=8455">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 43628
:
8455
|
9006
|
9008