diff --git a/services/univention-ad-connector/umc/python/adconnector/__init__.py b/services/univention-ad-connector/umc/python/adconnector/__init__.py
index 1de6f315e3..6020c05fc7 100644
--- a/services/univention-ad-connector/umc/python/adconnector/__init__.py
+++ b/services/univention-ad-connector/umc/python/adconnector/__init__.py
@@ -41,6 +41,8 @@ from univention.management.console.modules.mixins import ProgressMixin
 from univention.management.console.modules.sanitizers import StringSanitizer, ChoicesSanitizer
 from contextlib import contextmanager
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
 import os.path
 import re
 import subprocess
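Review bot: The two added module-level `cryptography` imports make the whole UMC module fail to import when python-cryptography is absent, not just the certificate check that needs it; the module's packaging dependency declaration (outside this diff) needs the matching entry, or the import should be moved into the code path that uses it. On cryptography releases from 3.1 on the backend parameter of `load_pem_x509_certificate` is optional, so the `default_backend` import only matters if the minimum supported version is older than that.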
@@ -289,19 +291,30 @@ class Instance(Base, ProgressMixin):
 bufstdout = [ x.decode('UTF-8', 'replace') for x in bufstdout ]
 bufstderr = [ x.decode('UTF-8', 'replace') for x in bufstderr ]
 success = True
- if status == 0:
- message = _('Certificate has been uploaded successfully.')
- MODULE.info('Certificate has been uploaded successfully. status=%s\nSTDOUT:\n%s\n\nSTDERR:\n%s' % (status, '\n'.join(bufstdout), '\n'.join(bufstderr)))
- try:
- self._enable_ssl_and_test_connection(fn)
- except UMC_Error:
- message = _('Could not establish connection. Either the certificate is wrong, the Active Directory server is unreachable or it does not support SSL.')
- success = False
- else:
+ if status != 0:
 success = False
 message = _('Certificate upload or conversion failed.')
 MODULE.process('Certificate upload or conversion failed. status=%s\nSTDOUT:\n%s\n\nSTDERR:\n%s' % (status, '\n'.join(bufstdout), '\n'.join(bufstderr)))
+ else:
+ with open(fn, 'rb') as f:
+ pem_data = f.read()
+ cert = x509.load_pem_x509_certificate(pem_data, default_backend())
+ x509_keyusage_extension = [x.value.key_cert_sign for x in cert.extensions if isinstance(x.value, x509.extensions.KeyUsage)]
+ if not any(x509_keyusage_extension):
+ success = False
+ message = _('Certificate is not a CA certificate.')
+
+ if success:
+ message = _('Certificate has been uploaded successfully.')
+ MODULE.info('Certificate has been uploaded successfully. status=%s\nSTDOUT:\n%s\n\nSTDERR:\n%s' % (status, '\n'.join(bufstdout), '\n'.join(bufstderr)))
+ try:
+ self._enable_ssl_and_test_connection(fn)
+ except UMC_Error:
+ message = _('Could not establish connection. Either the certificate is wrong, the Active Directory server is unreachable or it does not support SSL.')
+ success = False
+ if success:
+ subprocess.call(['systemctl', 'restart', 'univention-ad-connector'])
 self.finished(request.id, [{'success': success, 'message': message}])
 upload = request.options[0]['tmpfile']
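Review bot: In the new `else:` branch, `x509.load_pem_x509_certificate()` raises `ValueError` when the file at `fn` is not a parseable PEM certificate, and nothing catches it, so an unusable upload escapes the `success`/`message` protocol the callback otherwise uses instead of producing a failure response; the file is derived from user-supplied input, so this path is reachable. The CA test also keys only on `KeyUsage.key_cert_sign`, while the authoritative signal is `BasicConstraints.ca`, and a certificate that carries no `KeyUsage` extension at all is rejected although RFC 5280 does not require that extension on every certificate. The rewrite below requires `BasicConstraints.ca`, keeps the keyCertSign requirement only when a `KeyUsage` extension is present, maps parse errors to the existing rejection message, and leaves the rest of the branch as it is. Indentation was lost in this diff and the enclosing callback starts and ends outside the hunk, so the nesting shown is inferred; note also that a rejected file is still left at `fn`, so confirm no later code path can pick it up.
```python
            else:
                with open(fn, 'rb') as f:
                    pem_data = f.read()
                is_ca = False
                try:
                    cert = x509.load_pem_x509_certificate(pem_data, default_backend())
                    is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
                    is_ca = is_ca and cert.extensions.get_extension_for_class(x509.KeyUsage).value.key_cert_sign
                except ValueError:
                    pass  # not a parseable PEM certificate: is_ca stays False
                except x509.ExtensionNotFound:
                    pass  # no BasicConstraints: stays False; no KeyUsage: BasicConstraints alone decides
                if not is_ca:
                    success = False
                    message = _('Certificate is not a CA certificate.')
                # … unchanged: success branch, SSL connection test and connector restart …
```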
@@ -337,7 +350,7 @@ class Instance(Base, ProgressMixin):
 return
 def _run_it(action):
- return subprocess.call(('service', 'univention-ad-connector', action))
+ return subprocess.call(('systemctl', action, 'univention-ad-connector'))
 def _return(thread, result, request):
 success = not result
@@ -578,6 +591,7 @@ class Instance(Base, ProgressMixin):
 try:
 success = test_connection()
 except ADNotAvailable:
+ admember.disable_ssl()
 success = False
 if not success:
 raise UMC_Error(_('Could not establish an encrypted connection. Either "%r" is not reachable or does not support encryption.') % server)
@@ -587,7 +601,7 @@ class Instance(Base, ProgressMixin):
 @simple_response
 def enable_ssl(self):
 self._enable_ssl_and_test_connection()
- return subprocess.call(['service', 'univention-ad-connector', 'restart'])
+ return subprocess.call(['systemctl', 'restart', 'univention-ad-connector'])
 @simple_response
 def password_sync_service(self, enable=True):
@@ -595,7 +609,7 @@ class Instance(Base, ProgressMixin):
 # kinit=false -> sync passwords
 value = str(not enable).lower()
 univention.config_registry.handler_set(['connector/ad/mapping/user/password/kinit=%s' % value])
- return subprocess.call(['service', 'univention-ad-connector', 'restart'])
+ return subprocess.call(['systemctl', 'restart', 'univention-ad-connector'])
 @simple_response
 def check_dcmaster_srv_rec(self):
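Review bot: `_run_it` now hands `action` to systemctl as the verb (`('systemctl', action, 'univention-ad-connector')`), so whatever set of values `action` can take is exactly what systemctl will apply to the unit; the argument-list call avoids shell parsing, but the request declaration that feeds `action` is outside this hunk, so confirm it is restricted by a `ChoicesSanitizer` (already imported in this file) to the intended start/stop/restart set. The function still returns the raw exit status, so `_return`'s `success = not result` keeps its meaning.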
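Review bot: The added `admember.disable_ssl()` rolls SSL back only when `test_connection()` raises `ADNotAvailable`; any other exception from the test propagates with SSL still enabled and no connection verified, and if `disable_ssl()` itself raises inside the handler it masks the original failure. If the rollback is meant for every failed test, keep the handler as `except ADNotAvailable: success = False` and place `admember.disable_ssl()` under the existing `if not success:` just before the `raise UMC_Error(...)`, so both the rollback and the error report share one path. The enclosing function starts outside the hunk, so where SSL was enabled earlier in it is inferred.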
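Review bot: `enable_ssl` and, in the following hunk, `password_sync_service` return the raw exit status of `subprocess.call(['systemctl', 'restart', 'univention-ad-connector'])` to the client, so a failed restart comes back as a number rather than as an error, and the same restart command is now spelled out a third time in the certificate-upload callback earlier in this diff. A small helper such as `def _restart_connector(): return subprocess.call(['systemctl', 'restart', 'univention-ad-connector'])` would keep the three call sites in step; turning a non-zero status into a `UMC_Error` would be a behaviour change and may be out of scope for this commit.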