

(-)conffiles/etc/univention/s4connector/s4/mapping.py (-15 / +30 lines)
 Lines 59-64    Link Here 
59
			'CN=DomainUpdates,CN=System,@%@connector/s4/ldap/base@%@',
59
			'CN=DomainUpdates,CN=System,@%@connector/s4/ldap/base@%@',
60
			'CN=Password Settings Container,CN=System,@%@connector/s4/ldap/base@%@',
60
			'CN=Password Settings Container,CN=System,@%@connector/s4/ldap/base@%@',
61
			'DC=RootDNSServers,CN=MicrosoftDNS,CN=System,@%@connector/s4/ldap/base@%@',
61
			'DC=RootDNSServers,CN=MicrosoftDNS,CN=System,@%@connector/s4/ldap/base@%@',
62
			'DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,@%@connector/s4/ldap/base@%@',
62
			'CN=File Replication Service,CN=System,@%@connector/s4/ldap/base@%@',
63
			'CN=File Replication Service,CN=System,@%@connector/s4/ldap/base@%@',
63
			'CN=RpcServices,CN=System,@%@connector/s4/ldap/base@%@',
64
			'CN=RpcServices,CN=System,@%@connector/s4/ldap/base@%@',
64
			'CN=Meetings,CN=System,@%@connector/s4/ldap/base@%@',
65
			'CN=Meetings,CN=System,@%@connector/s4/ldap/base@%@',
 Lines 599-640    Link Here 
599
				},
600
				},
600
601
601
		),
602
		),
603
@!@
604
605
sync_mode_dns = configRegistry.get('connector/s4/mapping/dns/syncmode')
606
if not sync_mode_dns:
607
	sync_mode_dns = configRegistry.get('connector/s4/mapping/syncmode')
608
609
if configRegistry.get('connector/s4/mapping/dns/position') == 'legacy':
610
	s4_dns_ldap_base = "CN=System,%s" % (configRegistry['connector/s4/ldap/base'],)
611
else:
612
	s4_dns_ldap_base = "DC=DomainDnsZones,%s" % (configRegistry['connector/s4/ldap/base'],)
613
614
dns_section = '''
602
	'dns': univention.s4connector.property (
615
	'dns': univention.s4connector.property (
603
			ucs_default_dn='cn=dns,@%@ldap/base@%@',
616
			ucs_default_dn='cn=dns,%(ldap_base)s',
604
			con_default_dn='CN=MicrosoftDNS,CN=System,@%@connector/s4/ldap/base@%@',
617
			con_default_dn='CN=MicrosoftDNS,%(s4_dns_ldap_base)s',
605
			ucs_module='dns/dns',
618
			ucs_module='dns/dns',
606
			
619
			
607
			identify=univention.s4connector.s4.dns.identify,
620
			identify=univention.s4connector.s4.dns.identify,
621
			sync_mode='%(sync_mode_dns)s',
608
622
609
			@!@
610
if configRegistry.get('connector/s4/mapping/dns/syncmode'):
611
	print "sync_mode='%s'," % configRegistry.get('connector/s4/mapping/dns/syncmode')
612
else:
613
	print "sync_mode='%s'," % configRegistry.get('connector/s4/mapping/syncmode')
614
@!@
615
616
			scope='sub',
623
			scope='sub',
617
624
618
			con_search_filter='(|(objectClass=dnsNode)(objectClass=dnsZone))',
625
			con_search_filter='(|(objectClass=dnsNode)(objectClass=dnsZone))',
619
626
620
			position_mapping = [( ',cn=dns,@%@ldap/base@%@', ',CN=MicrosoftDNS,CN=System,@%@connector/s4/ldap/base@%@' )],
627
			position_mapping = [( ',cn=dns,%(ldap_base)s', ',CN=MicrosoftDNS,%(s4_dns_ldap_base)s' )],
628
''' % {
629
	'ldap_base': configRegistry['ldap/base'],
630
	'sync_mode_dns': sync_mode_dns,
631
	's4_dns_ldap_base': s4_dns_ldap_base,
632
	}
621
633
622
@!@
623
ignore_filter = ''
634
ignore_filter = ''
624
for dns in configRegistry.get('connector/s4/mapping/dns/ignorelist', '').split(','):
635
for dns in configRegistry.get('connector/s4/mapping/dns/ignorelist', '').split(','):
625
	if dns:
636
	if dns:
626
		ignore_filter += '(%s)' % (dns)
637
		ignore_filter += '(%s)' % (dns)
627
if ignore_filter:
638
if ignore_filter:
628
	print "			ignore_filter='(|%s)'," % ignore_filter
639
	dns_section = dns_section + '''
629
@!@
640
			ignore_filter='(|%s)',''' % ignore_filter
630
641
642
	dns_section = dns_section + '''
631
			ignore_subtree = global_ignore_subtree,
643
			ignore_subtree = global_ignore_subtree,
632
			
644
			
633
			con_sync_function = univention.s4connector.s4.dns.ucs2con,
645
			con_sync_function = univention.s4connector.s4.dns.ucs2con,
634
			ucs_sync_function = univention.s4connector.s4.dns.con2ucs,
646
			ucs_sync_function = univention.s4connector.s4.dns.con2ucs,
635
647
636
		),
648
		),'''
637
@!@
649
650
print dns_section
651
652
638
if configRegistry.is_true('connector/s4/mapping/gpo', True):
653
if configRegistry.is_true('connector/s4/mapping/gpo', True):
639
	ignore_filter = ''
654
	ignore_filter = ''
640
	for gpo in configRegistry.get('connector/s4/mapping/gpo/ignorelist', '').split(','):
655
	for gpo in configRegistry.get('connector/s4/mapping/gpo/ignorelist', '').split(','):
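Review bot: The tail of the DNS property (`ignore_subtree`, both sync functions and the closing `),`) is only appended when `ignore_filter` is non-empty: the `dns_section = dns_section + '''` at new line 642 carries the same leading tab as the `if ignore_filter:` body at 639-640, so with an empty `connector/s4/mapping/dns/ignorelist` the generated mapping.py is left with an unterminated `univention.s4connector.property (` call. If that tab is not a rendering artifact, dedent line 642 to column 0 so the tail is always appended, `dns_section = dns_section + '''`. Separately, the new base here is spelled `DC=DomainDnsZones` while `__init__.py` adds the partition as `DC=DomainDNSZones`; LDAP compares DNs case-insensitively, but `position_mapping` is a plain string suffix rewrite, so confirm the spelling Samba returns matches the one used in the mapping.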
(-)debian/univention-s4-connector.postinst (+4 lines)
 Lines 109-114    Link Here 
109
			--filter "(objectClass=groupPolicyContainer)"
109
			--filter "(objectClass=groupPolicyContainer)"
110
	fi
110
	fi
111
111
112
	if [ "$1" = "configure" -a -n "$2" ] && dpkg --compare-versions "$2" lt 9.0.16-11; then
113
		univention-config-registry set connector/s4/mapping/dns/position?'legacy'
114
	fi
115
112
	if [ "$skip_final_restart" != "true" ]; then
116
	if [ "$skip_final_restart" != "true" ]; then
113
		/etc/init.d/univention-s4-connector restart
117
		/etc/init.d/univention-s4-connector restart
114
	fi
118
	fi
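Review bot: The `univention-config-registry set connector/s4/mapping/dns/position?'legacy'` at new line 113 only has the intended effect if the mapping.py conffile is regenerated afterwards, which requires that variable to be registered as a trigger for the template in the package's UCR info file (not visible here); if it is not, the connector restarted at line 116 still runs a mapping that assumes the `DC=DomainDnsZones` position on an upgraded system whose objects are still below `CN=System`. Please confirm the info entry, or add an explicit `univention-config-registry commit /etc/univention/s4connector/s4/mapping.py` after the set. The enclosing case branch starts outside the hunk.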
(-)debian/univention-s4-connector.univention-config-registry-variables (+6 lines)
 Lines 267-269    Link Here 
267
Description[en]=Group policies are stored in Group Policy Objects (GPOs) in the directory /var/lib/samba/sysvol/ on all Samba 4 domain controllers. The GPOs and the corresponding access rights are referenced in Samba 4 LDAP. If this option is activated, the access rights of the GPO references are synchronised to the UCS LDAP along with the references. If the variable is unset, the references are not synchronised.
267
Description[en]=Group policies are stored in Group Policy Objects (GPOs) in the directory /var/lib/samba/sysvol/ on all Samba 4 domain controllers. The GPOs and the corresponding access rights are referenced in Samba 4 LDAP. If this option is activated, the access rights of the GPO references are synchronised to the UCS LDAP along with the references. If the variable is unset, the references are not synchronised.
268
Type=bool
268
Type=bool
269
Categories=service-s4con
269
Categories=service-s4con
270
271
[connector/s4/mapping/dns/position]
272
Description[de]=Diese Variable bestimmt die Basis-DN der DNS Objekte im Samba Verzeichnisdienst. Falls sie auf dem Wert 'legacy' steht, dann sucht der S4-Connector die DNS-Objekte unter CN=System statt unter DC=DomainDNSZones. Diese Variable sollte nur einmalig nach manueller Migration der DNS-Objekte angepasst werden, falls sie noch auf 'legacy' steht.
273
Description[en]=This variable determins the base DN of DNS objects in the Samba directory service. When set to 'legacy', the S4 Connector searches DNS objects below CN=System instead of below DC=DomainDNSZones. This variable should only be modified once after manual migration of the DNS objects, if it still has the value 'legacy'.
274
Type=str
275
Categories=service-s4con
(-)modules/univention/s4connector/s4/__init__.py (-15 / +34 lines)
 Lines 38-44    Link Here 
38
import univention.s4connector
38
import univention.s4connector
39
import univention.debug2 as ud
39
import univention.debug2 as ud
40
from ldap.controls import LDAPControl
40
from ldap.controls import LDAPControl
41
from ldap.controls import SimplePagedResultsControl
41
from ldap.controls import SimplePagedResultsControl, LDAPControl
42
from samba.dcerpc import security
42
from samba.dcerpc import security
43
from samba.ndr import ndr_pack, ndr_unpack
43
from samba.ndr import ndr_pack, ndr_unpack
44
from samba.dcerpc import misc
44
from samba.dcerpc import misc
 Lines 45-50    Link Here 
45
45
46
DECODE_IGNORELIST=['objectSid', 'objectGUID', 'repsFrom', 'replUpToDateVector', 'ipsecData', 'logonHours', 'userCertificate', 'dNSProperty', 'dnsRecord']
46
DECODE_IGNORELIST=['objectSid', 'objectGUID', 'repsFrom', 'replUpToDateVector', 'ipsecData', 'logonHours', 'userCertificate', 'dNSProperty', 'dnsRecord']
47
47
48
LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"
49
LDB_CONTROL_DOMAIN_SCOPE_OID = "1.2.840.113556.1.4.1339"
50
LDB_CONTROL_RELAX_OID = "1.3.6.1.4.1.4203.666.5.12"
51
LDB_CONTROL_PROVISION_OID = '1.3.6.1.4.1.7165.4.3.16'
52
48
# page results
53
# page results
49
PAGE_SIZE = 1000
54
PAGE_SIZE = 1000
50
55
 Lines 110-116    Link Here 
110
115
111
		ud.debug(ud.LDAP, ud.INFO, 'add_primary_group_to_addlist: Set primary group to %s (rid) for %s' % (primary_group_rid, object.get('dn')))
116
		ud.debug(ud.LDAP, ud.INFO, 'add_primary_group_to_addlist: Set primary group to %s (rid) for %s' % (primary_group_rid, object.get('dn')))
112
		addlist.append(('primaryGroupID', [primary_group_rid]))
117
		addlist.append(('primaryGroupID', [primary_group_rid]))
113
		LDB_CONTROL_RELAX_OID = '1.3.6.1.4.1.4203.666.5.12'
114
		serverctrls.append(LDAPControl(LDB_CONTROL_RELAX_OID,criticality=0))
118
		serverctrls.append(LDAPControl(LDB_CONTROL_RELAX_OID,criticality=0))
115
119
116
def __is_groupType_local(groupType):
120
def __is_groupType_local(groupType):
 Lines 126-132    Link Here 
126
130
127
	ud.debug(ud.LDAP, ud.INFO, "groupType: %s" % groupType)
131
	ud.debug(ud.LDAP, ud.INFO, "groupType: %s" % groupType)
128
	if __is_groupType_local(groupType):
132
	if __is_groupType_local(groupType):
129
		LDB_CONTROL_RELAX_OID = '1.3.6.1.4.1.4203.666.5.12'
130
		serverctrls.append(LDAPControl(LDB_CONTROL_RELAX_OID,criticality=0))
133
		serverctrls.append(LDAPControl(LDB_CONTROL_RELAX_OID,criticality=0))
131
134
132
		sambaSID = object.get('attributes', {}).get('sambaSID', [])[0]
135
		sambaSID = object.get('attributes', {}).get('sambaSID', [])[0]
 Lines 384-391    Link Here 
384
def old_user_dn_mapping(s4connector, given_object):
387
def old_user_dn_mapping(s4connector, given_object):
385
	object = copy.deepcopy(given_object)
388
	object = copy.deepcopy(given_object)
386
389
387
	# LDAP_SERVER_SHOW_DELETED_OID -> 1.2.840.113556.1.4.417
390
	ctrls = [LDAPControl(LDAP_SERVER_SHOW_DELETED_OID, criticality=1)]
388
	ctrls = [LDAPControl('1.2.840.113556.1.4.417',criticality=1)]
389
	samaccountname = ''
391
	samaccountname = ''
390
392
391
	if object.has_key('sAMAccountName'):
393
	if object.has_key('sAMAccountName'):
 Lines 753-760    Link Here 
753
			ud.debug(ud.LDAP, ud.INFO,"__init__: init add config section 'S4 GUID'")
755
			ud.debug(ud.LDAP, ud.INFO,"__init__: init add config section 'S4 GUID'")
754
			self.config.add_section('S4 GUID')
756
			self.config.add_section('S4 GUID')
755
		try:
757
		try:
756
			# LDAP_SERVER_SHOW_DELETED_OID -> 1.2.840.113556.1.4.417
758
			self.ctrl_show_deleted = LDAPControl(LDAP_SERVER_SHOW_DELETED_OID, criticality=1)
757
			self.ctrl_show_deleted = LDAPControl('1.2.840.113556.1.4.417',criticality=1)
758
			res = self.lo_s4.lo.search_ext_s('',ldap.SCOPE_BASE, 'objectclass=*',[],
759
			res = self.lo_s4.lo.search_ext_s('',ldap.SCOPE_BASE, 'objectclass=*',[],
759
								serverctrls=[ self.ctrl_show_deleted ],
760
								serverctrls=[ self.ctrl_show_deleted ],
760
								timeout=-1, sizelimit=0)
761
								timeout=-1, sizelimit=0)
 Lines 773-779    Link Here 
773
774
774
		# objectSid modification for an Samba4 object is only possible with the "provision" control:
775
		# objectSid modification for an Samba4 object is only possible with the "provision" control:
775
		if self.configRegistry.is_true('connector/s4/mapping/sid_to_s4', False):
776
		if self.configRegistry.is_true('connector/s4/mapping/sid_to_s4', False):
776
			LDB_CONTROL_PROVISION_OID = '1.3.6.1.4.1.7165.4.3.16'
777
			self.serverctrls_for_add_and_modify.append(LDAPControl(LDB_CONTROL_PROVISION_OID,criticality=0) )
777
			self.serverctrls_for_add_and_modify.append(LDAPControl(LDB_CONTROL_PROVISION_OID,criticality=0) )
778
778
779
		# Save a list of objects just created, this is needed to
779
		# Save a list of objects just created, this is needed to
 Lines 865-870    Link Here 
865
865
866
		self.lo_s4.lo.set_option(ldap.OPT_REFERRALS,0)
866
		self.lo_s4.lo.set_option(ldap.OPT_REFERRALS,0)
867
867
868
		if not self.configRegistry.get('connector/s4/mapping/dns/position') == 'legacy':
869
			self.s4_ldap_partitions = (self.s4_ldap_base, "DC=DomainDNSZones,%s" % self.s4_ldap_base)
870
		else:
871
			self.s4_ldap_partitions = (self.s4_ldap_base,)
872
873
868
	# encode string to unicode
874
	# encode string to unicode
869
	def encode(self, string):
875
	def encode(self, string):
870
		try:
876
		try:
 Lines 1003-1008    Link Here 
1003
1009
1004
		return max(usnchanged,usncreated)
1010
		return max(usnchanged,usncreated)
1005
1011
1012
	def __search_s4_partitions(self, scope=ldap.SCOPE_SUBTREE, filter='', attrlist= [], show_deleted=False):
1013
		'''
1014
		search s4 across all partitions listed in self.s4_ldap_partitions
1015
		'''
1016
		_d=ud.function('ldap.__search_s4_partitions')
1017
		res = []
1018
		for base in self.s4_ldap_partitions:
1019
			res += self.__search_s4(base, scope, filter, attrlist, show_deleted)
1020
1021
		return res
1022
1006
	def __search_s4(self, base=None, scope=ldap.SCOPE_SUBTREE, filter='', attrlist= [], show_deleted=False):
1023
	def __search_s4(self, base=None, scope=ldap.SCOPE_SUBTREE, filter='', attrlist= [], show_deleted=False):
1007
		'''
1024
		'''
1008
		search s4
1025
		search s4
 Lines 1012-1023    Link Here 
1012
		if not base:
1029
		if not base:
1013
			base=self.lo_s4.base
1030
			base=self.lo_s4.base
1014
1031
1015
		ctrls=[]
1032
		ctrls=[
1016
		ctrls.append(SimplePagedResultsControl(True, PAGE_SIZE, ''))
1033
			LDAPControl(LDB_CONTROL_DOMAIN_SCOPE_OID, criticality=0),	## Don't show referrals
1034
			SimplePagedResultsControl(True, PAGE_SIZE, '')),
1035
		]
1017
1036
1018
		if show_deleted:
1037
		if show_deleted:
1019
			# LDAP_SERVER_SHOW_DELETED_OID -> 1.2.840.113556.1.4.417
1038
			ctrls.append(LDAPControl(LDAP_SERVER_SHOW_DELETED_OID, criticality=1))
1020
			ctrls.append(LDAPControl('1.2.840.113556.1.4.417',criticality=1))
1021
1039
1022
		ud.debug(ud.LDAP, ud.INFO, "Search S4 with filter: %s" % filter)
1040
		ud.debug(ud.LDAP, ud.INFO, "Search S4 with filter: %s" % filter)
1023
		msgid = self.lo_s4.lo.search_ext(base, scope, filter, attrlist, serverctrls=ctrls, timeout=-1, sizelimit=0)
1041
		msgid = self.lo_s4.lo.search_ext(base, scope, filter, attrlist, serverctrls=ctrls, timeout=-1, sizelimit=0)
 Lines 1046-1052    Link Here 
1046
			else:
1064
			else:
1047
				ud.debug(ud.LDAP, ud.WARN, "S4 ignores PAGE_RESULTS")
1065
				ud.debug(ud.LDAP, ud.WARN, "S4 ignores PAGE_RESULTS")
1048
				break
1066
				break
1049
1050
		
1067
		
1051
		return encode_s4_resultlist(res)
1068
		return encode_s4_resultlist(res)
1052
		
1069
		
 Lines 1078-1084    Link Here 
1078
			if filter !='':
1095
			if filter !='':
1079
				usnFilter = '(&(%s)(%s))' % ( filter, usnFilter )
1096
				usnFilter = '(&(%s)(%s))' % ( filter, usnFilter )
1080
				
1097
				
1081
			return self.__search_s4( filter=usnFilter, show_deleted=show_deleted)
1098
			res = self.__search_s4_partitions(filter=usnFilter, show_deleted=show_deleted)
1099
			return sorted(res, key=lambda element: element[1][attribute][0])
1082
1100
1083
1101
1084
		# search fpr objects with uSNCreated and uSNChanged in the known range
1102
		# search fpr objects with uSNCreated and uSNChanged in the known range
 Lines 1132-1140    Link Here 
1132
			filter = '(&(%s)(|(uSNChanged=%s)(uSNCreated=%s)))' % (filter,changeUSN,changeUSN)
1150
			filter = '(&(%s)(|(uSNChanged=%s)(uSNCreated=%s)))' % (filter,changeUSN,changeUSN)
1133
		else:
1151
		else:
1134
			filter = '(|(uSNChanged=%s)(uSNCreated=%s))' % (changeUSN,changeUSN)
1152
			filter = '(|(uSNChanged=%s)(uSNCreated=%s))' % (changeUSN,changeUSN)
1135
		return self.__search_s4(filter=filter, show_deleted=show_deleted)
1136
1153
1154
		return self.__search_s4_partitions(filter=usnFilter, show_deleted=show_deleted)
1137
1155
1156
1138
	def __dn_from_deleted_object(self, object, GUID):
1157
	def __dn_from_deleted_object(self, object, GUID):
1139
		'''
1158
		'''
1140
		gets dn for deleted object (original dn before the object was moved into the deleted objects container)
1159
		gets dn for deleted object (original dn before the object was moved into the deleted objects container)
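Review bot: New line 1034 in `__search_s4` reads `SimplePagedResultsControl(True, PAGE_SIZE, '')),` — one closing parenthesis too many for the list literal opened at 1032, which is a SyntaxError for the whole module; it should be `SimplePagedResultsControl(True, PAGE_SIZE, ''),`. In the hunk at 1150-1154 the `filter` string built in the two branches directly above is never used: the new `return self.__search_s4_partitions(filter=usnFilter, show_deleted=show_deleted)` passes `usnFilter`, which is not assigned anywhere visible in that function (its start lies outside the hunk), so this is either a NameError or a search with the wrong filter, whereas the removed line passed `filter=filter`. Minor: line 41 now imports `LDAPControl` a second time (line 40 already has it), and the `sorted(res, key=lambda element: element[1][attribute][0])` at 1099 raises KeyError/IndexError for any entry lacking `attribute` — presumably every object matched by the USN filter carries it, but worth confirming.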
