|
42 |
import calendar |
42 |
import calendar |
43 |
import string |
43 |
import string |
44 |
import base64 |
44 |
import base64 |
45 |
import subprocess |
|
|
46 |
from tempfile import NamedTemporaryFile |
47 |
|
45 |
|
48 |
import six |
46 |
import six |
49 |
import ldap |
47 |
import ldap |
Lines 665-682
class ad(univention.connector.ucs):
|
|
665 |
sid = self.samr.LookupDomain(handle, sam_domain) |
663 |
sid = self.samr.LookupDomain(handle, sam_domain) |
666 |
self.dom_handle = self.samr.OpenDomain(handle, security.SEC_FLAG_MAXIMUM_ALLOWED, sid) |
664 |
self.dom_handle = self.samr.OpenDomain(handle, security.SEC_FLAG_MAXIMUM_ALLOWED, sid) |
667 |
|
665 |
|
668 |
def get_kerberos_ticket(self): |
|
|
669 |
p1 = subprocess.Popen(['kdestroy', ], close_fds=True) |
670 |
p1.wait() |
671 |
with NamedTemporaryFile('w') as fd: |
672 |
fd.write(self.ad_ldap_bindpw) |
673 |
fd.flush() |
674 |
cmd_block = ['kinit', '--no-addresses', '--password-file=%s' % (fd.name,), self.ad_ldap_binddn] |
675 |
p1 = subprocess.Popen(cmd_block, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, close_fds=True) |
676 |
stdout, stderr = p1.communicate() |
677 |
if p1.returncode != 0: |
678 |
raise kerberosAuthenticationFailed('The following command failed: "%s" (%s): %s' % (' '.join(cmd_block), p1.returncode, stdout.decode('UTF-8', 'replace'))) |
679 |
|
680 |
def ad_search_ext_s(self, *args, **kwargs): |
666 |
def ad_search_ext_s(self, *args, **kwargs): |
681 |
return fix_dn_in_search(self.lo_ad.lo.search_ext_s(*args, **kwargs)) |
667 |
return fix_dn_in_search(self.lo_ad.lo.search_ext_s(*args, **kwargs)) |
682 |
|
668 |
|
Lines 696-710
class ad(univention.connector.ucs):
|
|
696 |
except Exception: # FIXME: which exception is to be caught |
682 |
except Exception: # FIXME: which exception is to be caught |
697 |
self._debug_traceback(ud.ERROR, 'Failed to lookup AD LDAP base, using UCR value.') |
683 |
self._debug_traceback(ud.ERROR, 'Failed to lookup AD LDAP base, using UCR value.') |
698 |
|
684 |
|
|
|
685 |
self.lo_ad = univention.uldap.access( |
686 |
host=self.ad_ldap_host, port=int(self.ad_ldap_port), |
687 |
base=self.ad_ldap_base, binddn=None, bindpw=None, |
688 |
start_tls=tls_mode, use_ldaps=ldaps, |
689 |
ca_certfile=self.ad_ldap_certificate, |
690 |
) |
691 |
|
699 |
if self.configRegistry.is_true('%s/ad/ldap/kerberos' % self.CONFIGBASENAME): |
692 |
if self.configRegistry.is_true('%s/ad/ldap/kerberos' % self.CONFIGBASENAME): |
700 |
os.environ['KRB5CCNAME'] = '/var/cache/univention-ad-connector/krb5.cc' |
693 |
try: |
701 |
self.get_kerberos_ticket() |
694 |
self.lo_ad.bind_sasl_gssapi(self.ad_ldap_binddn, self.ad_ldap_bindpw, '/var/cache/univention-ad-connector/krb5.cc') |
702 |
auth = ldap.sasl.gssapi("") |
695 |
except ldap.LOCAL_ERROR as exc: |
703 |
self.lo_ad = univention.uldap.access(host=self.ad_ldap_host, port=int(self.ad_ldap_port), base=self.ad_ldap_base, binddn=None, bindpw=self.ad_ldap_bindpw, start_tls=tls_mode, use_ldaps=ldaps, ca_certfile=self.ad_ldap_certificate) |
696 |
raise kerberosAuthenticationFailed(str(exc)) |
704 |
self.get_kerberos_ticket() |
|
|
705 |
self.lo_ad.lo.sasl_interactive_bind_s("", auth) |
706 |
else: |
697 |
else: |
707 |
self.lo_ad = univention.uldap.access(host=self.ad_ldap_host, port=int(self.ad_ldap_port), base=self.ad_ldap_base, binddn=self.ad_ldap_binddn, bindpw=self.ad_ldap_bindpw, start_tls=tls_mode, use_ldaps=ldaps, ca_certfile=self.ad_ldap_certificate) |
698 |
self.lo_ad.bind(self.ad_ldap_binddn, self.ad_ldap_bindpw) |
708 |
|
699 |
|
709 |
self.lo_ad.lo.set_option(ldap.OPT_REFERRALS, 0) |
700 |
self.lo_ad.lo.set_option(ldap.OPT_REFERRALS, 0) |
710 |
|
701 |
|
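Review bot: The new kerberos branch translates only `ldap.LOCAL_ERROR` from `bind_sasl_gssapi` into `kerberosAuthenticationFailed`, so a GSSAPI bind that the server rejects (`ldap.INVALID_CREDENTIALS`, `ldap.SERVER_DOWN`, or any other `ldap.LDAPError`) now escapes with a different exception type than the removed `kinit`-based path raised; if callers catch `kerberosAuthenticationFailed` to report a bad bind password or keytab, the handler should be widened, e.g. `except ldap.LDAPError as exc:`, or a comment should state why only local GSSAPI failures are wrapped. The ccache path `/var/cache/univention-ad-connector/krb5.cc` is passed as a bare literal now that the `KRB5CCNAME` export is gone; a module-level constant would keep it in one place, and since the ticket is presumably written by the library rather than by `kinit` it is worth confirming the file is created owner-only in a directory other users cannot write to. The `else` branch still performs a simple bind with `self.ad_ldap_bindpw`, which is only protected on the wire when `tls_mode` or `ldaps` is set — pre-existing behaviour, but a short comment like `# simple bind sends the password in clear unless start_tls/ldaps is enabled` would document the dependency. The enclosing method begins before this hunk: the `except Exception:` at its top closes a `try` that is outside the view.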