Index: conffiles/etc/univention/s4connector/s4/mapping.py
===================================================================
--- conffiles/etc/univention/s4connector/s4/mapping.py (Revision 43559)
+++ conffiles/etc/univention/s4connector/s4/mapping.py (Arbeitskopie)
@@ -34,6 +34,7 @@
 import univention.s4connector.s4.mapping
 import univention.s4connector.s4.password
 import univention.s4connector.s4.sid_mapping
+import univention.s4connector.s4.group_type
 import univention.s4connector.s4.dns
 import univention.s4connector.s4.dc
 import univention.s4connector.s4.computer
@@ -65,7 +66,6 @@
 'CN=BCKUPKEY_c490e871-a375-4b76-bd24-711e9e49fe5e Secret,CN=System,@%@connector/s4/ldap/base@%@',
 'CN=BCKUPKEY_PREFERRED Secret,CN=System,@%@connector/s4/ldap/base@%@',
 'ou=Grp Policy Users,@%@connector/s4/ldap/base@%@',
- 'cn=Builtin,@%@connector/s4/ldap/base@%@',
 'cn=ForeignSecurityPrincipals,@%@connector/s4/ldap/base@%@',
 'cn=Program Data,@%@connector/s4/ldap/base@%@',
 'cn=Configuration,@%@connector/s4/ldap/base@%@',
@@ -279,10 +279,14 @@
 @!@
 ignore_filter = ''
+if configRegistry.is_false('connector/s4/mapping/group/sync/localgroups', True):
+ ignore_filter += '(sambaGroupType=5)(groupType=5)'
+
 for group in configRegistry.get('connector/s4/mapping/group/ignorelist', '').split(','):
 if group:
 ignore_filter += '(cn=%s)' % (group)
-print " ignore_filter='(|(sambaGroupType=5)(groupType=5)%s)'," % ignore_filter
+if ignore_filter:
+ print " ignore_filter='(|%s)'," % ignore_filter
 @!@
 ignore_subtree = global_ignore_subtree,
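Review bot: Dropping `'cn=Builtin,@%@connector/s4/ldap/base@%@'` from the global ignore subtree is unconditional, while every other part of this change is gated on `connector/s4/mapping/group/sync/localgroups`, so with the variable set to false (the value the postinst seeds on upgrades) the Builtin container is no longer excluded by subtree and only the `(groupType=5)` filter in the next hunk stands between its well-known groups and the sync. The conservative form keeps the entry whenever the variable is false, which presumably means turning this line into a `@!@` block along the lines of `if configRegistry.is_false('connector/s4/mapping/group/sync/localgroups', True): print "\t'cn=Builtin,%s'," % configRegistry['connector/s4/ldap/base']` — assuming the registry key is the same one the `@%@` placeholder on this line expands. The `global_ignore_subtree` tuple this entry belongs to starts above the hunk.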
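Review bot: With local group sync disabled, the S4-side exclusion this hunk keeps is `(groupType=5)`, but the new group_type.py in this same diff defines the Samba 4 Builtin value as `S4_GROUP_BUILTIN="-2147483643"` and the domain-local value as `"-2147483644"`, so an equality match on 5 cannot match those objects; unless the connector normalises groupType before applying `ignore_filter`, the filter only excludes on the UCS side via `sambaGroupType=5`, and the Builtin groups now reachable because of the subtree change above are not filtered. Worth verifying against a Samba 4 directory; if confirmed, the S4 part should be `(groupType=-2147483643)(groupType=-2147483644)` or an equivalent bit-match rule. Separately, `(cn=%s)` still interpolates ignorelist entries without LDAP filter escaping, so an entry containing `(`, `)` or `*` breaks the whole filter; this predates the change, but since the hunk now makes the filter optional a comment such as `# ignorelist entries are assumed free of LDAP filter metacharacters` would help the next reader.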
@@ -329,8 +333,18 @@
 ldap_attribute='mailPrimaryAddress',
 con_attribute='mail',
 reverse_attribute_check = True,
+ ),
+ @!@
+if configRegistry.is_true('connector/s4/mapping/group/sync/localgroups', False):
+ print '''
+ 'groupType': univention.s4connector.attribute (
+ ucs_attribute='sambaGroupType',
+ ldap_attribute='sambaGroupType',
+ con_attribute='groupType',
+ mapping=(univention.s4connector.s4.group_type.ucs_to_s4_mapping, univention.s4connector.s4.group_type.s4_to_ucs_mapping),
+ compare_function=univention.s4connector.s4.group_type.compare,
 ),
- @!@
+'''
 import univention.s4connector.s4.sid_mapping
 univention.s4connector.s4.sid_mapping.print_sid_mapping(configRegistry)
 @!@
Index: modules/univention/s4connector/s4/group_type.py
===================================================================
--- modules/univention/s4connector/s4/group_type.py (Revision 0)
+++ modules/univention/s4connector/s4/group_type.py (Revision 0)
@@ -0,0 +1,108 @@
+#!/usr/bin/python2.6
+# -*- coding: utf-8 -*-
+#
+# Univention S4 Connector
+# groupType
+#
+# Copyright 2013 Univention GmbH
+#
+# http://www.univention.de/
+#
+# All rights reserved.
+#
+# The source code of this program is made available
+# under the terms of the GNU Affero General Public License version 3
+# (GNU AGPL V3) as published by the Free Software Foundation.
+#
+# Binary versions of this program provided by Univention to you as
+# well as other copyrighted, protected or trademarked materials like
+# Logos, graphics, fonts, specific documentations and configurations,
+# cryptographic keys etc. are subject to a license agreement between
+# you and Univention and not subject to the GNU AGPL V3.
+#
+# In the case you use this program under the terms of the GNU AGPL V3,
+# the program is provided in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License with the Debian GNU/Linux or Univention distribution in file
+# /usr/share/common-licenses/AGPL-3; if not, see
+# .
+
+import univention.debug2 as ud
+
+S4_GROUP_GLOBAL="-2147483646"
+S4_GROUP_LOCAL="-2147483644"
+S4_GROUP_BUILTIN="-2147483643"
+S4_GROUP_UNIVERSAL="-2147483640"
+
+UCS_GROUP_DOMAIN='2'
+UCS_GROUP_LOCAL='3'
+UCS_GROUP_WELLL_KNOWN='5'
+
+UCS_GROUPS = [ UCS_GROUP_DOMAIN, UCS_GROUP_LOCAL, UCS_GROUP_WELLL_KNOWN ]
+
+GROUP_LIST_GLOBAL = [ S4_GROUP_GLOBAL, S4_GROUP_UNIVERSAL, UCS_GROUP_DOMAIN ]
+GROUP_LIST_LOCAL = [ S4_GROUP_LOCAL, UCS_GROUP_LOCAL ]
+GROUP_LIST_BUILTIN = [ S4_GROUP_BUILTIN, UCS_GROUP_WELLL_KNOWN ]
+
+def _is_list(val):
+ return isinstance(val, list)
+
+def compare(group_type1, group_type2):
+ if _is_list(group_type1):
+ group_type1 = group_type1[0]
+ if _is_list(group_type2):
+ group_type2 = group_type2[0]
+
+ if group_type1 in GROUP_LIST_GLOBAL and group_type2 in GROUP_LIST_GLOBAL:
+ return True
+ if group_type1 in GROUP_LIST_LOCAL and group_type2 in GROUP_LIST_LOCAL:
+ return True
+ if group_type1 in GROUP_LIST_BUILTIN and group_type2 in GROUP_LIST_BUILTIN:
+ return True
+
+ return False
+
+def s4_to_ucs_mapping(s4connector, key, s4_object):
+ ud.debug(ud.LDAP, ud.INFO, 'group_type: s4_to_ucs_mapping')
+
+ # check if the UCS object already exists and don't change the
+ # group type in this case
+ ucs_object = s4connector.get_ucs_ldap_object(s4_object['dn'])
+ if ucs_object:
+ ud.debug(ud.LDAP, ud.INFO, 'group_type: object exists already, use the old sambaGroupType')
+ return ucs_object.get('sambaGroupType')
+
+ group_type = s4_object['attributes']['groupType'][0]
+ ud.debug(ud.LDAP, ud.INFO, 'group_type: sid type: %s' % group_type)
+
+ if group_type in [S4_GROUP_GLOBAL, S4_GROUP_UNIVERSAL]:
+ return [UCS_GROUP_DOMAIN]
+ if group_type == S4_GROUP_LOCAL:
+ return [UCS_GROUP_LOCAL]
+ if group_type == S4_GROUP_BUILTIN:
+ return [UCS_GROUP_WELLL_KNOWN]
+
+ # Use the default
+ return [UCS_GROUP_DOMAIN]
+
+def ucs_to_s4_mapping(s4connector, key, ucs_object):
+ ud.debug(ud.LDAP, ud.INFO, 'group_type: ucs_to_s4_mapping')
+
+ group_type =
ucs_object['attributes'].get('sambaGroupType', [])[0]
+ ud.debug(ud.LDAP, ud.INFO, 'group_type: ucs type: %s' % group_type)
+
+ # It is not possible to create a local or builtin group
+ return [S4_GROUP_GLOBAL]
+
+ #if group_type == UCS_GROUP_DOMAIN:
+ # return [S4_GROUP_GLOBAL]
+ #if group_type == UCS_GROUP_LOCAL:
+ # return [S4_GROUP_LOCAL]
+ #if group_type == UCS_GROUP_WELLL_KNOWN:
+ # return [S4_GROUP_BUILTIN]
+ #
+ #return [S4_GROUP_GLOBAL]
Index: debian/univention-s4-connector.univention-config-registry-variables
===================================================================
--- debian/univention-s4-connector.univention-config-registry-variables (Revision 43559)
+++ debian/univention-s4-connector.univention-config-registry-variables (Arbeitskopie)
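Review bot: In ucs_to_s4_mapping, `ucs_object['attributes'].get('sambaGroupType', [])[0]` raises IndexError for any UCS group without a sambaGroupType, because the default is an empty list that is then indexed — and the value is only logged, since the function unconditionally returns `[S4_GROUP_GLOBAL]`. Either use a safe default, `group_type = ucs_object['attributes'].get('sambaGroupType', [None])[0]`, or drop the lookup together with the commented-out branches below it, which are dead code as long as the function always returns the global type. In s4_to_ucs_mapping the early return `ucs_object.get('sambaGroupType')` yields None when the existing UCS object lacks the attribute; whether the attribute mapping tolerates None is not visible here, so falling through to the groupType-based mapping in that case would be safer. The unconditional return also means a UCS group with sambaGroupType 3 or 5 is created in Samba 4 with the `S4_GROUP_GLOBAL` groupType, which the inline comment states but no docstring or UCR description does; a module docstring spelling out the UCS/S4 value pairs and this one-way limitation would save the next maintainer from reverse-engineering the constants.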
@@ -195,3 +195,9 @@
 Description[en]=A static list mapping of group names in UCS LDAP to group names in the Samba 4 user directory. Group names in UCS LDAP are always in English. The mapping "connector/s4/mapping/group/table/'Domain Users'=Domänen-Benutzer" e.g. advises the S4 Connector to synchronise a group object called "Domain Users" in UCS-LDAP with a group object called "Domänen-Benutzer" in the Samba 4 user directory. This variable is used internally by UCS tools and should not be adapted manually.
 Type=str
 Categories=service-s4con
+
+[connector/s4/mapping/group/sync/localgroups]
+Description[de]=Ist diese Variable aktiviert, werden auch lokale Gruppen synchronisiert. Vor der Aktivierung sollten die Gruppenmitglieder der lokalen Gruppen manuell abgeglichen werden, weitere Details sind in den UCS 3.2 Release Notes zu finden. Ab UCS 3.2 ist die Synchronisiation dieser Gruppen per Default aktiviert.
+Description[en]=If this variable is activated local groups will be synchronized as well. The group members should be harmonized manually before activating this setting, for more details see UCS 3.2 release notes. Since UCS 3.2 the local group synchronization is activated by default.
+Type=bool
+Categories=service-s4con
Index: debian/changelog
===================================================================
--- debian/changelog (Revision 43559)
+++ debian/changelog (Arbeitskopie)
@@ -58,7 +58,7 @@
 univention-s4-connector (8.0.3-1) unstable; urgency=low
- * Use again two searches for the change list but a faster comparsion.
+ * Use again two searches for the change list but a faster comparison.
 The order is important first the created objects are needed otherwise the child object is added before the parent object. An alternative would be to sort the one search result by the dn length
@@ -75,7 +75,7 @@
 univention-s4-connector (8.0.2-1) unstable; urgency=low
 * Search for uSNCreated and uSNChanged in one search to prevent a slow
- list comparsion (Bug #32213)
+ list comparison (Bug #32213)
 -- Stefan Gohmann Mon, 12 Aug 2013 07:41:23 +0200
Index: debian/univention-s4-connector.postinst
===================================================================
--- debian/univention-s4-connector.postinst (Revision 43559)
+++ debian/univention-s4-connector.postinst (Arbeitskopie)
@@ -38,6 +38,10 @@
 #DEBHELPER#
+if [ "$1" = "configure" -a -n "$2" ] && dpkg --compare-versions "$2" lt 8.0.0-1; then
+ ucr set connector/s4/mapping/group/sync/localgroups?false
+fi
+
 univention-config-registry set connector/s4/listener/dir?/var/lib/univention-connector/s4 \
 connector/s4/poll/sleep?5 \
 connector/s4/retryrejected?10 \
@@ -49,10 +53,14 @@
 connector/s4/mapping/syncmode?sync \
 connector/s4/mapping/sid?true \
 connector/s4/mapping/gpo?true \
+ connector/s4/mapping/group/sync/localgroups?true \
 connector/s4/mapping/user/ignorelist?"root,pcpatch,ucs-s4sync" \
 connector/s4/mapping/group/ignorelist?"Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers" \
 connector/s4/mapping/container/ignorelist?"mail,kerberos,MicrosoftDNS" \
- connector/s4/mapping/dns/ignorelist?"DC=_ldap._tcp.Default-First-Site-Name._site"
+ connector/s4/mapping/dns/ignorelist?"DC=_ldap._tcp.Default-First-Site-Name._site" \
+ connector/s4/mapping/group/table/Printer-Admins?"Print Operators" \
+ connector/s4/mapping/group/table/Replicators?"Replicator" \
+ "connector/s4/mapping/group/table/System Operators?Server Operators"
 if [ ! -d /var/lib/univention-connector/s4 ]; then
 mkdir -p /var/lib/univention-connector/s4
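Review bot: The upgrade guard `dpkg --compare-versions "$2" lt 8.0.0-1` pins localgroups to false only for installations older than 8.0.0-1, yet the changelog hunks in this same diff show 8.0.2-1 and 8.0.3-1 already exist, so a system upgrading from one of those gets the new `?true` seed and starts synchronising local groups without the manual member harmonisation the UCR description asks for. If that is not intended, the threshold should be the first version that actually ships this feature, e.g. `lt 8.0.3-1` if it lands there. The line also uses `ucr set` while the rest of the script calls `univention-config-registry set`; both are the same tool presumably, but one spelling keeps the script consistent. The surrounding postinst structure starts above the hunk.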
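Review bot: The three new table entries map the UCS groups `Printer-Admins`, `Replicators` and `System Operators` onto the Samba 4 groups `Print Operators`, `Replicator` and `Server Operators`, which on an AD-style directory are privileged builtin groups, so once localgroups is on, UCS membership changes in those groups flow into groups that carry DC-level rights; that is presumably the intent, but neither the changelog hunks in this diff nor the new UCR variable description mention these mappings. A changelog entry naming the variable and the three table entries, plus a sentence in `Description[en]` that the builtin operator groups are now kept in sync, would document the new trust relationship for administrators. Note that `?` only seeds a value when the key is unset, so an administrator's existing `connector/s4/mapping/group/table/...` entries are left alone, which is the right behaviour here.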