Attachment #5403 for bug #29486

View | Details | Raw Unified | Return to bug 29486
Collapse All | Expand All

(-)conffiles/etc/univention/s4connector/s4/mapping.py (-3 / +17 lines)

Lines 34-39	Link Here

import univention.s4connector.s4.mapping

import univention.s4connector.s4.mapping

import univention.s4connector.s4.password

import univention.s4connector.s4.password

import univention.s4connector.s4.sid_mapping

import univention.s4connector.s4.sid_mapping

import univention.s4connector.s4.group_type

import univention.s4connector.s4.dns

import univention.s4connector.s4.dns

import univention.s4connector.s4.dc

import univention.s4connector.s4.dc

import univention.s4connector.s4.computer

import univention.s4connector.s4.computer

Lines 65-71	Link Here

			'CN=BCKUPKEY_c490e871-a375-4b76-bd24-711e9e49fe5e Secret,CN=System,@%@connector/s4/ldap/base@%@',

			'CN=BCKUPKEY_c490e871-a375-4b76-bd24-711e9e49fe5e Secret,CN=System,@%@connector/s4/ldap/base@%@',

			'CN=BCKUPKEY_PREFERRED Secret,CN=System,@%@connector/s4/ldap/base@%@',

			'CN=BCKUPKEY_PREFERRED Secret,CN=System,@%@connector/s4/ldap/base@%@',

			'ou=Grp Policy Users,@%@connector/s4/ldap/base@%@',

			'ou=Grp Policy Users,@%@connector/s4/ldap/base@%@',

			'cn=Builtin,@%@connector/s4/ldap/base@%@',

			'cn=ForeignSecurityPrincipals,@%@connector/s4/ldap/base@%@',

			'cn=ForeignSecurityPrincipals,@%@connector/s4/ldap/base@%@',

			'cn=Program Data,@%@connector/s4/ldap/base@%@',

			'cn=Program Data,@%@connector/s4/ldap/base@%@',

			'cn=Configuration,@%@connector/s4/ldap/base@%@',

			'cn=Configuration,@%@connector/s4/ldap/base@%@',

Lines 279-288	Link Here

279

280

@!@

280

@!@

281

ignore_filter = ''

281

ignore_filter = ''

282

if configRegistry.is_false('connector/s4/mapping/group/sync/localgroups', True):

283

	ignore_filter += '(sambaGroupType=5)(groupType=5)'

284

282

for group in configRegistry.get('connector/s4/mapping/group/ignorelist', '').split(','):

285

for group in configRegistry.get('connector/s4/mapping/group/ignorelist', '').split(','):

283

	if group:

286

	if group:

284

		ignore_filter += '(cn=%s)' % (group)

287

		ignore_filter += '(cn=%s)' % (group)

285

print "			ignore_filter='(|(sambaGroupType=5)(groupType=5)%s)'," % ignore_filter

288

if ignore_filter:

289

	print "			ignore_filter='(|%s)'," % ignore_filter

286

@!@

290

@!@

287

291

288

			ignore_subtree = global_ignore_subtree,

292

			ignore_subtree = global_ignore_subtree,

Lines 329-336	Link Here

329

							ldap_attribute='mailPrimaryAddress',

333

							ldap_attribute='mailPrimaryAddress',

330

							con_attribute='mail',

334

							con_attribute='mail',

331

							reverse_attribute_check = True,

335

							reverse_attribute_check = True,

336

),

337

@!@

338

if configRegistry.is_true('connector/s4/mapping/group/sync/localgroups', False):

339

	print '''

340

					'groupType': univention.s4connector.attribute (

341

							ucs_attribute='sambaGroupType',

342

							ldap_attribute='sambaGroupType',

343

							con_attribute='groupType',

344

							mapping=(univention.s4connector.s4.group_type.ucs_to_s4_mapping, univention.s4connector.s4.group_type.s4_to_ucs_mapping),

345

							compare_function=univention.s4connector.s4.group_type.compare,

332

),

346

),

333

@!@

347

'''

334

import univention.s4connector.s4.sid_mapping

348

import univention.s4connector.s4.sid_mapping

335

univention.s4connector.s4.sid_mapping.print_sid_mapping(configRegistry)

349

univention.s4connector.s4.sid_mapping.print_sid_mapping(configRegistry)

336

@!@

350

@!@




#!/usr/bin/python2.6
# -*- coding: utf-8 -*-
#
# Univention S4 Connector
#  groupType 
#
# Copyright 2013 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

import univention.debug2 as ud

S4_GROUP_GLOBAL="-2147483646"
S4_GROUP_LOCAL="-2147483644"
S4_GROUP_BUILTIN="-2147483643"
S4_GROUP_UNIVERSAL="-2147483640"

UCS_GROUP_DOMAIN='2'
UCS_GROUP_LOCAL='3'
UCS_GROUP_WELLL_KNOWN='5'

UCS_GROUPS = [ UCS_GROUP_DOMAIN, UCS_GROUP_LOCAL, UCS_GROUP_WELLL_KNOWN ]

GROUP_LIST_GLOBAL = [ S4_GROUP_GLOBAL, S4_GROUP_UNIVERSAL, UCS_GROUP_DOMAIN ]
GROUP_LIST_LOCAL = [ S4_GROUP_LOCAL, UCS_GROUP_LOCAL ]
GROUP_LIST_BUILTIN = [ S4_GROUP_BUILTIN, UCS_GROUP_WELLL_KNOWN ]

def _is_list(val):
	return isinstance(val, list)

def compare(group_type1, group_type2):
	if _is_list(group_type1):
		group_type1 = group_type1[0]
	if _is_list(group_type2):
		group_type2 = group_type2[0]

	if group_type1 in GROUP_LIST_GLOBAL and group_type2 in GROUP_LIST_GLOBAL:
		return True
	if group_type1 in  GROUP_LIST_LOCAL and group_type2 in GROUP_LIST_LOCAL:
		return True
	if group_type1 in GROUP_LIST_BUILTIN and group_type2 in GROUP_LIST_BUILTIN:
		return True

	return False

def s4_to_ucs_mapping(s4connector, key, s4_object):
	ud.debug(ud.LDAP, ud.INFO, 'group_type: s4_to_ucs_mapping')

	# check if the UCS object already exists and don't change the
	# group type in this case
	ucs_object = s4connector.get_ucs_ldap_object(s4_object['dn'])
	if ucs_object:
		ud.debug(ud.LDAP, ud.INFO, 'group_type: object exists already, use the old sambaGroupType')
		return ucs_object.get('sambaGroupType')

	group_type = s4_object['attributes']['groupType'][0]
	ud.debug(ud.LDAP, ud.INFO, 'group_type: sid type: %s' % group_type)

	if group_type in [S4_GROUP_GLOBAL, S4_GROUP_UNIVERSAL]:
		return [UCS_GROUP_DOMAIN]
	if group_type == S4_GROUP_LOCAL:
		return [UCS_GROUP_LOCAL]
	if group_type == S4_GROUP_BUILTIN:
		return [UCS_GROUP_WELLL_KNOWN]

	# Use the default
	return [UCS_GROUP_DOMAIN]

def ucs_to_s4_mapping(s4connector, key, ucs_object):
	ud.debug(ud.LDAP, ud.INFO, 'group_type: ucs_to_s4_mapping')

	group_type = ucs_object['attributes'].get('sambaGroupType', [])[0]
	ud.debug(ud.LDAP, ud.INFO, 'group_type: ucs type: %s' % group_type)

	# It is not possible to create a local or builtin group
	return [S4_GROUP_GLOBAL]

	#if group_type == UCS_GROUP_DOMAIN:
	#	return [S4_GROUP_GLOBAL]
	#if group_type == UCS_GROUP_LOCAL:
	#	return [S4_GROUP_LOCAL]
	#if group_type == UCS_GROUP_WELLL_KNOWN:
	#	return [S4_GROUP_BUILTIN]
	#
	#return [S4_GROUP_GLOBAL]

(-)debian/univention-s4-connector.univention-config-registry-variables (+6 lines)

Lines 195-197	Link Here

195

Description[en]=A static list mapping of group names in UCS LDAP to group names in the Samba 4 user directory. Group names in UCS LDAP are always in English. The mapping "connector/s4/mapping/group/table/'Domain Users'=Domänen-Benutzer" e.g. advises the S4 Connector to synchronise a group object called "Domain Users" in UCS-LDAP with a group object called "Domänen-Benutzer" in the Samba 4 user directory. This variable is used internally by UCS tools and should not be adapted manually.

195

Description[en]=A static list mapping of group names in UCS LDAP to group names in the Samba 4 user directory. Group names in UCS LDAP are always in English. The mapping "connector/s4/mapping/group/table/'Domain Users'=Domänen-Benutzer" e.g. advises the S4 Connector to synchronise a group object called "Domain Users" in UCS-LDAP with a group object called "Domänen-Benutzer" in the Samba 4 user directory. This variable is used internally by UCS tools and should not be adapted manually.

196

Type=str

196

Type=str

197

Categories=service-s4con

197

Categories=service-s4con

198

199

[connector/s4/mapping/group/sync/localgroups]

200

Description[de]=Ist diese Variable aktiviert, werden auch lokale Gruppen synchronisiert. Vor der Aktivierung sollten die Gruppenmitglieder der lokalen Gruppen manuell abgeglichen werden, weitere Details sind in den UCS 3.2 Release Notes zu finden. Ab UCS 3.2 ist die Synchronisiation dieser Gruppen per Default aktiviert.

201

Description[en]=If this variable is activated local groups will be synchronized as well. The group members should be harmonized manually before activating this setting, for more details see UCS 3.2 release notes. Since UCS 3.2 the local group synchronization is activated by default.

202

Type=bool

203

Categories=service-s4con

(-)debian/changelog (-2 / +2 lines)

Lines 58-64	Link Here

univention-s4-connector (8.0.3-1) unstable; urgency=low

univention-s4-connector (8.0.3-1) unstable; urgency=low

  * Use again two searches for the change list but a faster comparsion.

  * Use again two searches for the change list but a faster comparison.

    The order is important first the created objects are needed

    The order is important first the created objects are needed

    otherwise the child object is added before the parent object. An

    otherwise the child object is added before the parent object. An

    alternative would be to sort the one search result by the dn length

    alternative would be to sort the one search result by the dn length

Lines 75-81	Link Here

univention-s4-connector (8.0.2-1) unstable; urgency=low

univention-s4-connector (8.0.2-1) unstable; urgency=low

  * Search for uSNCreated and uSNChanged in one search to prevent a slow

  * Search for uSNCreated and uSNChanged in one search to prevent a slow

    list comparsion (Bug #32213)

    list comparison (Bug #32213)

 -- Stefan Gohmann <gohmann@univention.de>  Mon, 12 Aug 2013 07:41:23 +0200

 -- Stefan Gohmann <gohmann@univention.de>  Mon, 12 Aug 2013 07:41:23 +0200

(-)debian/univention-s4-connector.postinst (-1 / +9 lines)

Lines 38-43	Link Here

#DEBHELPER#

#DEBHELPER#

if [ "$1" = "configure" -a -n "$2" ] && dpkg --compare-versions "$2" lt 8.0.0-1; then

	ucr set connector/s4/mapping/group/sync/localgroups?false

fi

univention-config-registry set connector/s4/listener/dir?/var/lib/univention-connector/s4 \

univention-config-registry set connector/s4/listener/dir?/var/lib/univention-connector/s4 \

							   connector/s4/poll/sleep?5 \

							   connector/s4/poll/sleep?5 \

							   connector/s4/retryrejected?10 \

							   connector/s4/retryrejected?10 \

Lines 49-58	Link Here

							   connector/s4/mapping/syncmode?sync \

							   connector/s4/mapping/syncmode?sync \

							   connector/s4/mapping/sid?true \

							   connector/s4/mapping/sid?true \

							   connector/s4/mapping/gpo?true \

							   connector/s4/mapping/gpo?true \

							   connector/s4/mapping/group/sync/localgroups?true \

							   connector/s4/mapping/user/ignorelist?"root,pcpatch,ucs-s4sync" \

							   connector/s4/mapping/user/ignorelist?"root,pcpatch,ucs-s4sync" \

							   connector/s4/mapping/group/ignorelist?"Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers" \

							   connector/s4/mapping/group/ignorelist?"Windows Hosts,Authenticated Users,World Authority,Everyone,Null Authority,Nobody,Enterprise Domain Controllers" \

							   connector/s4/mapping/container/ignorelist?"mail,kerberos,MicrosoftDNS" \

							   connector/s4/mapping/container/ignorelist?"mail,kerberos,MicrosoftDNS" \

							   connector/s4/mapping/dns/ignorelist?"DC=_ldap._tcp.Default-First-Site-Name._site"

							   connector/s4/mapping/dns/ignorelist?"DC=_ldap._tcp.Default-First-Site-Name._site" \

							   connector/s4/mapping/group/table/Printer-Admins?"Print Operators" \

							   connector/s4/mapping/group/table/Replicators?"Replicator" \

							   "connector/s4/mapping/group/table/System Operators?Server Operators"

if [ ! -d /var/lib/univention-connector/s4 ]; then

if [ ! -d /var/lib/univention-connector/s4 ]; then

	mkdir -p /var/lib/univention-connector/s4

	mkdir -p /var/lib/univention-connector/s4

Return to bug 29486