Attachment #8182 for bug #41231




	  zugeordnet wird.
	</para>
	<para>
	  Über vier weitere &ucsUCR;-Variablen kann das Verhalten des Hooks gesteuert
	  werden:
	</para>
	  <itemizedlist>
		<listitem>
		  <para>
			<command>ucsschool/import/generate/share/marktplatz/name</command>
		  </para>
		  <para>
			Diese Variable definiert den Namen der Freigabe. Der Standard ist <literal>Marktplatz</literal>.
		  </para>
		</listitem>
		<listitem>
		  <para>
			<command>ucsschool/import/generate/share/marktplatz/sharepath</command>
		  </para>
		  <para>

(-)doc/manual/performance-de.xml (+4 lines)

Lines 93-98	Link Here

  		  </simpara>

  		  </simpara>

  		</listitem>

  		</listitem>

  	  </itemizedlist>

  	  </itemizedlist>

  	  <note>

  	    Der Teil des Gruppennamens der hier &lt;Edukativnetz&gt; ist, kann seit &ucsUAS;-Version 4.1 R2 v7

  	    verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.

  	  </note>

  	</para>

100

  	</para>

    </section>

101

    </section>

102




            Zugriffsrechte gesetzt werden. Dabei kann der Zugriff für einzelne Benutzer oder ganze Gruppen
            erlaubt bzw. gesperrt werden. Um den Schülern den Zugriff auf die physikalischen Drucker zu
            verbieten, muss an den Druckerfreigaben für diese Drucker der Zugriff durch Benutzer der
            OU-spezifischen Gruppe <systemitem class="groupname">schueler-<replaceable>OU</replaceable></systemitem>
            (z.B. <systemitem class="groupname">schueler-gsmitte</systemitem>) verboten werden. Für den PDF-Drucker
            <systemitem class="resource">PDFDrucker</systemitem> sollten keine Einschränkungen gemacht werden.
            <note>
                Der Teil des Gruppennamens der hier &lt;schueler-&gt; ist, kann seit &ucsUAS;-Version 4.1 R2 v7 verändert
                werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.
            </note>
            gemacht werden.
        </para>
        <para>
            Schüler haben damit nur noch die Möglichkeit Druckaufträge an den

            Anlegen einer OU kann durch das Setzen der &ucsUCRV;
            <envar>ucsschool/import/generate/marktplatz</envar> auf den
            Wert <literal>no</literal> verhindert werden.
            <note>
                Weiterführnde Informationen zur <emphasis>Marktplatz</emphasis>-Freigabe finden sich unter <xref linkend="import:marketplace"/>.
            </note>
        </para>
        <para>
            Diese Freigaben müssen zwingend auf dem Schulserver bereitgestellt

            Die Freigabe erlaubt der Gruppe <systemitem class="resource">lehrer-&lt;OU&gt;</systemitem> den
            administrativen
            Zugriff auf das Basisverzeichnis <filename class="directory">/home/&lt;OU&gt;/schueler</filename>.
            <note>
                Der Teil des Gruppennamens der hier &lt;schueler-&gt; bzw.&lt;lehrer-&gt; ist, kann seit
                &ucsUAS;-Version 4.1 R2 v7 verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.
            </note>
        </para>
        <para>
            Per Voreinstellung wird der Lehrergruppe Lesezugriff gewährt.

            Option zu Schuladministratoren umgewandelt werden.
            <itemizedlist>
                <listitem>
                    <para>
                        Die zusätzliche Gruppenmitgliedschaft muss manuell über das &ucsUMC;-Modul
                        <guimenu>Benutzer</guimenu> auf dem &ucsMaster; hinzugefügt werden. Auf dem Reiter
                        <guimenu>Gruppen</guimenu> muss das Benutzerkonto in die Gruppe
                        <guimenu>Gruppen</guimenu>
                        muss das Benutzerkonto in die Gruppe
                        <systemitem class="groupname"><replaceable>admins-OU</replaceable></systemitem>
                        (für die OU <wordasword>gym17</wordasword> ist dies die Gruppe
                        <systemitem class="groupname">admins-gym17</systemitem>) aufgenommen werden.
                        <note>
                            Der Teil des Gruppennamens der hier &lt;admins-&gt; ist, kann seit &ucsUAS;-Version 4.1 R2 v7
                            verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.
                        </note>
                    </para>
                </listitem>
                <listitem>
                    <simpara>
                        Im &ucsUMC;-Modul <guimenu>Benutzer</guimenu> muss außerdem im Reiter
                        <guimenu>Optionen</guimenu> die Option <option>UCS@school-Administrator</option>
                        die Option
                        <option>UCS@school-Administrator</option>
                        eingeschaltet werden.
                    </simpara>
                </listitem>




		</note>
	  </section>

	  <section id="structure:ldap:container_names">
		<title>Gruppen-, Verzeichnis- und Containernamen</title>
		  <para>
		    Seit &ucsUAS;-Version 4.1 R2 v7 können mit Hilfe von UCR-Variablen Teile der Gruppen-, Verzeichnis- und Containernamen
		    <emphasis>vor der Installation der &ucsUAS;-App</emphasis> bestimmt werden.
		  </para>
		  <para>
			Beispielsweise wird die Gruppe <systemitem class="groupname">Member-Edukativnetz</systemitem> durch Setzen
			der UCR-Variablen <envar>ucsschool/ldap/default/groupname/all-educational-member=Membre-Enseignement</envar>
			mit dem Namen <systemitem class="groupname">Membre-Enseignement</systemitem> angelegt.
		  </para>
		  <para>
			  Sollen zum Beispiel die Benutzerkonten von Schülern nicht im Container
			  <uri>cn=schueler,cn=groups,ou=gymmitte,dc=example,dc=com</uri> gespeichert werden, sondern unter
			  <uri>cn=ecolier,cn=groups,ou=gymmitte,dc=example,dc=com</uri>, muss
			  <envar>ucsschool/ldap/default/container/pupils=ecolier</envar> gesetzt werden.
		  </para>
		  <para>
			  Die Bedeutung der aller UCR-Variablen können Sie durch das Lesen der Hilfetexte zu den UCR-Variablen erfahren
			  (siehe <biblioref linkend="ucs-handbuch"/>).
		  </para>
		  <para>
			  <simpara>
				Die folgenden Teile von Containernamen (z.B. in <uri>cn=admins,cn=groups,ou=gymmitte,dc=example,dc=com</uri>) können gesetzt werden:
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>admins:                 <envar>ucsschool/ldap/default/container/admins</envar></simpara></listitem>
				  <listitem><simpara>schueler:               <envar>ucsschool/ldap/default/container/pupils</envar></simpara></listitem>
				  <listitem><simpara>mitarbeiter:            <envar>ucsschool/ldap/default/container/staff</envar></simpara></listitem>
				  <listitem><simpara>lehrer und mitarbeiter: <envar>ucsschool/ldap/default/container/teachers-and-staff</envar></simpara></listitem>
				  <listitem><simpara>lehrer:                 <envar>ucsschool/ldap/default/container/teachers</envar></simpara></listitem>
				  <listitem><simpara>klassen:                <envar>ucsschool/ldap/default/container/class</envar></simpara></listitem>
				  <listitem><simpara>raeume:                 <envar>ucsschool/ldap/default/container/rooms</envar></simpara></listitem>
				  <listitem><simpara>examusers:              <envar>ucsschool/ldap/default/container/exam</envar></simpara></listitem>
			  </itemizedlist>
		  </para>
		  <para>
			  <simpara>
				Die folgenden Präfixe von Gruppennamen (z.B. in <systemitem class="groupname">schueler-gymmitte</systemitem>) können gesetzt werden:
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>schueler-:              <envar>ucsschool/ldap/default/groupprefix/pupils</envar></simpara></listitem>
				  <listitem><simpara>lehrer-:                <envar>ucsschool/ldap/default/groupprefix/teachers</envar></simpara></listitem>
				  <listitem><simpara>admins-:                <envar>ucsschool/ldap/default/groupprefix/admins</envar></simpara></listitem>
				  <listitem><simpara>mitarbeiter-:           <envar>ucsschool/ldap/default/groupprefix/staff</envar></simpara></listitem>
			  </itemizedlist>
			  <simpara>
				  Die folgenden Gruppennamen können per UCR gesetzt werden. Bei Namen die <replaceable>%(ou)s</replaceable> enthalten
				  wird dieses vom System durch das jeweilige Schulkürzel ersetzt (z.B. <uri>gymmitte</uri> in
				  <systemitem class="groupname">OUgymmitte-DC-Edukativnetz</systemitem>).
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>DC-Edukativnetz:                 <envar>ucsschool/ldap/default/groupname/all-educational-dc</envar></simpara></listitem>
				  <listitem><simpara>Member-Edukativnetz:             <envar>ucsschool/ldap/default/groupname/all-educational-member</envar></simpara></listitem>
				  <listitem><simpara>DC-Verwaltungsnetz:              <envar>ucsschool/ldap/default/groupname/all-administrativ-dc</envar></simpara></listitem>
				  <listitem><simpara>Member-Verwaltungsnetz:          <envar>ucsschool/ldap/default/groupname/all-administrativ-member</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-DC-Edukativnetz:        <envar>ucsschool/ldap/default/groupname/ou-educational-dc</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-Member-Edukativnetz:    <envar>ucsschool/ldap/default/groupname/ou-educational-member</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-DC-Verwaltungsnetz:     <envar>ucsschool/ldap/default/groupname/ou-administrativ-dc</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-Member-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/ou-administrativ-member</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-Klassenarbeit:          <envar>ucsschool/ldap/default/groupname/exam</envar></simpara></listitem>
			  </itemizedlist>
			  <simpara>
				  Die folgenden Verzeichnisnamen können per UCR gesetzt werden (z.B. <envar>klassen</envar> in <filename class="directory">/home/groups/klassen/3b</filename>):
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>klassen:                <envar>ucsschool/ldap/default/share/class</envar></simpara></listitem>
				  <listitem><simpara>schueler:               <envar>ucsschool/ldap/default/share/pupils</envar></simpara></listitem>
				  <listitem><simpara>lehrer:                 <envar>ucsschool/ldap/default/share/teachers</envar></simpara></listitem>
				  <listitem><simpara>Unterrichtsmaterial:    <envar>ucsschool/datadistribution/datadir/sender</envar></simpara></listitem>
				  <listitem><simpara>Unterrichtsmaterial:    <envar>ucsschool/datadistribution/datadir/recipient</envar></simpara></listitem>
				  <listitem><simpara>Klassenarbeiten:        <envar>ucsschool/ldap/default/share/exams</envar></simpara></listitem>
				  <listitem><simpara>schueler, lehrer, mitarbeiter:  <envar>ucsschool/import/roleshare/.*/path</envar></simpara></listitem>
				  <listitem><simpara>Marktplatz:             <envar>ucsschool/import/generate/share/marktplatz/name</envar></simpara></listitem>
			  </itemizedlist>
		  </para>
	  </section>

	  <section id="structure:ldap:global">
		<title>Weitere &ucsUAS;-Objekte</title>
		<para>




Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/admins]
Description[de]=Standard-Container-Name für Administratoren. Standard ist "admins".
Description[en]=Default container name for administrators. Default is "admins".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/class]
Description[de]=Standard-Container-Name für Schulklassen. Standard ist "klassen".
Description[en]=Default container name for school classes. Default is "klassen".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/exam]
Description[de]=Standard-Container-Name für Schüler in einer Prüfung. Standard ist "examusers".
Description[en]=Default container name name for pupils writing exams. Default is "examusers".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/pupils]
Description[de]=Standard-Container-Name für Schüler. Standard ist "schueler".
Description[en]=Default container name for pupils. Default is "schueler".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/rooms]
Description[de]=Standard-Container-Name für Klassenräume. Standard ist "raeume".
Description[en]=Default container name for class rooms. Default is "raeume".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/staff]
Description[de]=Standard-Container-Name für Mitarbeiter. Standard ist "mitarbeiter".
Description[en]=Default container name for staff members. Default is "mitarbeiter".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/teachers]
Description[de]=Standard-Container-Name für Lehrer. Standard ist "lehrer".
Description[en]=Default container name for teachers. Default is "lehrer".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/teachers-and-staff]
Description[de]=Standard-Container-Name für Benutzer die gleichzeitig Lehrer und Mitarbeiter sind. Standard ist "lehrer und mitarbeiter".
Description[en]=Default container name for users that are both teachers and staff members. Default is "lehrer und mitarbeiter".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/exam]
Description[de]=Standard Gruppenname für Schüler in einer Prüfung. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Klassenarbeit".
Description[en]=Default group name for pupils writing exams. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Klassenarbeit".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-administrativ-dc]
Description[de]=Standard Gruppenname für Domain Controller in Verwaltungsnetzen. Standard ist "DC-Verwaltungsnetz".
Description[en]=Default group name for domain controllers in administrativ networks. Default is "DC-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-administrativ-member]
Description[de]=Standard Gruppenname für Member Server in Verwaltungsnetzen. Standard ist "Member-Verwaltungsnetz".
Description[en]=Default group name for member servers in administrativ networks. Default is "Member-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-educational-dc]
Description[de]=Standard Gruppenname für Domain Controller in Edukativnetzen. Standard ist "DC-Edukativnetz".
Description[en]=Default group name for domain controllers in educational networks. Default is "DC-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-educational-member]
Description[de]=Standard Gruppenname für Member Server in Edukativnetzen. Standard ist "Member-Edukativnetz".
Description[en]=Default group name for member servers in educational networks. Default is "Member-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-administrativ-dc]
Description[de]=Standard Gruppenname für Domain Controller im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Verwaltungsnetz".
Description[en]=Default group name for domain controllers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-administrativ-member]
Description[de]=Standard Gruppenname für Member Server im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Verwaltungsnetz".
Description[en]=Default group name for member servers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-educational-dc]
Description[de]=Standard Gruppenname für Domain Controller im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Edukativnetz".
Description[en]=Default group name for domain controllers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-educational-member]
Description[de]=Standard Gruppenname für Member Server im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Edukativnetz".
Description[en]=Default group name for member servers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/admins]
Description[de]=Standard-Prefix für die Administrator-Gruppen. Standard ist "admins-".
Description[en]=Default prefix for admin groups. Default is "admins-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/pupils]
Description[de]=Standard-Prefix für die Schüler-Gruppen. Standard ist "schueler-".
Description[en]=Default prefix for pupils groups. Default is "schueler-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/staff]
Description[de]=Standard-Prefix für die Mitarbeiter-Gruppen. Standard ist "mitarbeiter-".
Description[en]=Default prefix for staff groups. Default is "mitarbeiter-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/teachers]
Description[de]=Standard-Prefix für die Lehrer-Gruppen. Standard ist "lehrer-".
Description[en]=Default prefix for teacher groups. Default is "lehrer-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/share/class]
Description[de]=Standard Verzeichnisname für die Klassen-Freigabe. Standard ist "klassen".
Description[en]=Default directory name for the class share. Default is "klassen".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/share/pupils]
Description[de]=Standard Verzeichnisname für die Schüler-Verzeichnisse. Standard ist "schueler".
Description[en]=Default directory name for the pupils directories. Default is "schueler".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/share/teachers]
Description[de]=Standard Verzeichnisname für die Lehrer-Verzeichnisse. Standard ist "lehrer".
Description[en]=Default directory name for the teachers directories. Default is "lehrer".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/dcs]
Description[de]=Spezifiziert welche Schul-DCs beim Erzeugen einer Schule angelegt werden sollen (Werte: edukativ und/oder verwaltung)
Description[en]=Specifies which school DCs are created during the school set up (values: edukativ and/or verwaltung)

Type=str
Categories=ucsschool-base

[ucsschool/import/generate/share/marktplatz/name]
Description[de]=Name der Freigabe (Default: "Marktplatz").
Description[en]=Name of share (default: "Marktplatz").
Type=str
Categories=ucsschool-base

[ucsschool/import/generate/share/marktplatz/sharepath]
Description[de]=Vorgabepfad der Freigabe "Marktplatz" (Default: /home/$ou/groups/Marktplatz)
Description[en]=Default path of share "Marktplatz" (default: /home/$ou/groups/Marktplatz)

Categories=ucsschool-base

[ucsschool/import/roleshare]
Description[de]=Falls diese Variable nicht auf "false" oder "no" gesetzt wird, werden Homeverzeichnisse für Benutzer und Klassengruppen in einer rollen- und schulspezifischen Struktur von Unterverzeichnissen angelegt, z.B. unter /home/$ou/schueler/.
Description[en]=If this variable is not set to "false" or "no", then home directories for users and class groups will be created in a role and school specific structure of subdirectories, e.g. in /home/$ou/schueler/.
Type=str
Categories=ucsschool-base

(-)ucs-school-import/modules/ucsschool/importer/models/import_user.py (-1 / +1 lines)

Lines 94-100	Link Here

			self.config = Configuration()

			self.config = Configuration()

			self.reader = self.factory.make_reader()

			self.reader = self.factory.make_reader()

			self.logger = get_logger()

			self.logger = get_logger()

			self.username_max_length = 20 - len(self.ucr.get("ucsschool/ldap/default/userprefix/exam", "exam-"))

			self.username_max_length = 20 - len(Student.get_search_base(school).user_prefix_exam)

		self._lo = None

		self._lo = None

		self._userexpiry = None

		self._userexpiry = None

100

		super(ImportUser, self).__init__(name, school, **kwargs)

100

		super(ImportUser, self).__init__(name, school, **kwargs)

(-)ucs-school-import/tests/test_move_domaincontroller_to_ou (-1 / +5 lines)

Lines 37-42	Link Here

	exit 1

	exit 1

fi

fi

. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"

eval "$(ucr shell)"

./create_ou test1 dctest1

./create_ou test1 dctest1

Lines 51-58	Link Here

udm computers/domaincontroller_slave create --position "cn=computers,$ldap_base" --set name=dctest7-01

udm computers/domaincontroller_slave create --position "cn=computers,$ldap_base" --set name=dctest7-01

./create_ou test7

./create_ou test7

udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=OUtest7-DC-Edukativnetz,cn=ucsschool,cn=groups,$ldap_base"

test7_dc="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc test7)"

udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=$test7_dc,cn=ucsschool,cn=groups,$ldap_base"

echo "TEST: DC is unknown"

echo "TEST: DC is unknown"

./move_domaincontroller_to_ou --dcname UnKnOwN --ou test1

./move_domaincontroller_to_ou --dcname UnKnOwN --ou test1

echo "EXITCODE: $?"

echo "EXITCODE: $?"

(-)ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create (-6 / +9 lines)

#!/bin/bash

#!/bin/bash

# 52marktplatz_create

# 52marktplatz_create

#  Creates a Markplatz share for the specified OUs

#  Creates a Marktplatz share for the specified OUs

# Depends: ucs-school-import

# Depends: ucs-school-import

[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1

[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1

. /usr/share/univention-lib/ucr.sh

. /usr/share/univention-lib/ucr.sh

. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"

eval "$(ucr shell)"

name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"

if ! is_ucr_true "ucsschool/import/generate/share/marktplatz" ; then

if ! is_ucr_true "ucsschool/import/generate/share/marktplatz" ; then

	echo "$(basename $0): creation of share 'Marktplatz' has been disabled by ucsschool/import/generate/share/marktplatz"

	echo "$(basename $0): creation of share '$name' has been disabled by ucsschool/import/generate/share/marktplatz"

	exit 0

	exit 0

fi

fi

sharepath="$ucsschool_import_generate_share_marktplatz_sharepath"

sharepath="$ucsschool_import_generate_share_marktplatz_sharepath"

if [ -z "$sharepath" ] ; then

if [ -z "$sharepath" ] ; then

	if [ -z "$ucsschool_import_roleshare" ] || is_ucr_true "ucsschool/import/roleshare"; then

	if [ -z "$ucsschool_import_roleshare" ] || is_ucr_true "ucsschool/import/roleshare"; then

		sharepath="/home/$ou/groups/Marktplatz"

		sharepath="/home/$ou/groups/$name"

	else

	else

		sharepath="/home/groups/Marktplatz"

		sharepath="/home/groups/$name"

fi

fi

fi

fi

udm shares/share create --ignore_exists \

udm shares/share create --ignore_exists \

	--position "cn=shares,ou=${ou}${district},${ldap_base}" \

	--position "cn=shares,ou=${ou}${district},${ldap_base}" \

	--set name=Marktplatz \

	--set name="${name}" \

	--set "host=${dcname}" \

	--set "host=${dcname}" \

	--set "path=${sharepath}" \

	--set "path=${sharepath}" \

	--set "directorymode=${sharemode}" \

	--set "directorymode=${sharemode}" \

	--set "group=${grpuidnumber}"

	--set "group=${grpuidnumber}"

echo "$(basename $0): added new share Markplatz for server ${dcname}"

echo "$(basename $0): added new share '$name' for server ${dcname}"

exit 0

exit 0




import univention.lib.policy_result
from ucsschool.lib.roles import role_pupil, role_teacher, role_staff
from ucsschool.lib.roleshares import roleshare_home_subdir
from ucsschool.lib.models.utils import stopped_notifier, add_stream_logger_to_schoollib, create_passwd
from ucsschool.lib.models import School, SchoolClass, ClassShare


ldap_errors = (ldap.LDAPError, univention.admin.uexceptions.base,)


pwLengthOu = {}

cn_pupils   = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer')
cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
cn_admins	= configRegistry.get('ucsschool/ldap/default/container/admins', 'admins')
cn_staff	= configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

grp_prefix_pupils   = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
grp_prefix_admins	= configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
grp_prefix_staff	= configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

grp_policy_pupils	= configRegistry.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % baseDN)
grp_policy_teachers = configRegistry.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % baseDN)
grp_policy_admins	= configRegistry.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % baseDN)

TYPE_DC_EDUCATIONAL = 'educational'


# IP address prefix len concerning the netmask
default_prefixlen = 24

if not (cn_pupils and cn_classes):
	print '''ERROR: Unable to proceed: one of the following UCR variables is not set correctly:
	ucsschool/ldap/default/container/pupils
	ucsschool/ldap/default/container/teachers

		else:
			self.allsNrs=[self.sNr]
			self.other_sNr=[]
		self.search_base = School.get_search_base(self.allsNrs[0])

		# split into multiple class number if comma is present
		if ',' in self.cNr:


	def getPosition_dn(self):
		# resolution order for the position is pupil, teacher, staff
		cn = cn_pupils
		if role_teacher in self.getRole() and role_staff in self.getRole():
			return self.search_base.teachersAndStaff
		elif role_teacher in self.getRole ():
			return self.search_base.teachers
		elif role_staff in self.getRole():
			return self.search_base.staff
		return self.search_base.students

	def getDN(self):
		return "uid="+self.login+","+self.getPosition_dn()

		default_groups=[]

		# default group
		default_groups.append("cn=Domain Users %s,%s" % (self.sNr, self.search_base.groups))

		grp_dns = {
			role_teacher: self.search_base.teachers_ou_group,
			role_pupil: self.search_base.students_ou_group,
			role_staff: self.search_base.staff_ou_group}
		for role in self.getRole():
			if role == role_staff and not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
				continue
			# class if available
			for cnr in self.cNr:
				default_groups.append("cn=%s,%s" % (cnr, self.search_base.classes))

			default_groups.append(grp_dns[role])

		return default_groups


	if district_enabled:
		verify_container(getDN (schoolNr, base='district'), ou_module, co, lo, superordinate, baseDN)

	print "verify ou for school nr %s" % schoolNr
	search_base = School.get_search_base(schoolNr)
	# list of needed sub-containers, the dictionary-key adds the container as default during create in verify_container
	container = {
		'0printerPath': [search_base.printers],
		'1userPath': [search_base.users, search_base.students, search_base.teachers, search_base.admins],
		'2computerPath': [search_base.computers, 'cn=server,{}'.format(search_base.computers), 'cn=dc,cn=server,{}'.format(search_base.computers)],
		'3networkPath': [search_base.networks],
		'4groupPath': [search_base.groups, search_base.workgroups, search_base.teachers_group, search_base.classes, search_base.rooms],
		'5dhcpPath': [search_base.dhcp],
		'6policyPath': [search_base.policies],
		'7sharePath': [search_base.shares, search_base.classShares],
		'8none': ['cn=dc,cn=server,{}'.format(search_base.computers)]
	}
	if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
		container['1userPath'].extend([search_base.staff, search_base.teachersAndStaff])
		container['4groupPath'].append(search_base.staff_group)
	# FIXME: die Policies sollten besser mit der Gruppe verknüpft werden, um
	# z.B. Mitarbeiter und Lehrer im selben Container pflegen zu können
	#container_policies = { 'cn=%s,cn=users' % cn_teachers: ['cn=default-lehrer,cn=UMC,cn=policies,' + baseDN] }

		dccn = ''
	myline = '%s\t%s' % ( schoolNr, dccn )
	hooks.pre( 'ou', 'A', line = myline )
	search_base = School.get_search_base(schoolNr)

	# verify global dc groups
	groups_administrative = [search_base.administrative_dc_group, search_base.administrative_member_group]
	groups_education = [search_base.educational_dc_group, search_base.educational_member_group]
	groups_administrativeOU = [search_base.administrative_ou_dc_group, search_base.administrative_ou_member_group]
	groups_educationOU = [search_base.educational_ou_dc_group, search_base.educational_ou_member_group]
		"cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN,
		"cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN]
	groups_administrativeOU=[
		"cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
		"cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)]
	groups_educationOU=[
		"cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
		"cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)]

	if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
		groups = groups_administrative + groups_education + groups_administrativeOU + groups_educationOU

		dcobject = object_exists(
			server_module, co, lo, 'sub', superordinate, baseDN,
			univention.admin.filter.expression('cn', dccn), None)

		if dcobject:
			zone = "edukativ"
			dcobject.open()

			# TODO FIXME The following snippet does not make any sense:
			# if the DC is member of DC-Verwaltungsnetz then is added again to that group?!? Looks like this code is unused.
			for grp in dcobject['groups']:
				if grp.startswith(univention.admin.uldap.explodeDn(search_base.administrative_dc_group)[0]):
					zone = "verwaltung"
			groups = []
			if zone == "edukativ":
				groups.append(search_base.educational_dc_group)
				groups.append(search_base.educational_ou_dc_group)
			if zone == "verwaltung":
				groups.append(search_base.administrative_dc_group)
				groups.append(search_base.administrative_ou_dc_group)
			modified = False
			for grp in groups:
				if not grp in dcobject['groups']:

					dcobject['groups'].append(grp)
			if modified:
				dcobject.modify()
		


	created, dn = verify_container(ou_base, ou_module, co, lo, superordinate, baseDN, path='')
	if created:
		# get name of new dc

		if displayName is not None:
			r = lo.modify(ou_base, [('displayName', lo.get(ou_base, ['displayName']).get('displayName',[]), [displayName])])

	for path in sorted(container.keys()):
	keys.sort()
	for path in keys:
		for dn in container[path]:
			if path[1:] == 'none':
				path=' '
			verify_container(dn, cn_module, co, lo, superordinate, baseDN, path=path[1:])

	# create groups if not existant
	grp_ouadmins = search_base.admin_group
	groups = [
		(grp_ouadmins, grp_policy_admins),
		(search_base.students_ou_group, grp_policy_pupils),
		(search_base.teachers_ou_group, grp_policy_teachers),
	]

	if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
		groups.append((search_base.staff_ou_group, grp_policy_staff))
			 ( "cn=%s%s,cn=groups,%s" % (grp_prefix_staff, schoolNr.lower(), getDN(schoolNr)),	grp_policy_staff ),
			 )
	if configRegistry.is_true('ucsschool/import/attach/policy/default-umc-users', True):
		domain_users_school = "cn=Domain Users %s,cn=groups,%s" % (schoolNr.lower(), getDN(schoolNr))
		groups.append((domain_users_school, "cn=default-umc-users,cn=UMC,cn=policies,%s" % (baseDN,)))

			else:
				dccn = 'dc%s-01' % schoolNr.lower ()

		dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]
					"cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (baseDN, )]

		if dc == 'verwaltung':
			if not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):

					dccn = configRegistry.get('hostname')
				else:
					dccn = 'dc%sv-01' % schoolNr.lower () # this is the naming convention, a trailing v for Verwaltungsnetz DCs
			dcgroups = [search_base.administrative_ou_dc_group, search_base.administrative_dc_group]
					"cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (baseDN, )]

		# create server if not exsistant
		objects = univention.admin.modules.lookup(computer_module, co, lo, scope='sub', superordinate=superordinate, base=baseDN,

		if not server_exists and not dcName:
			try:
				if dc == 'verwaltung':
					grpdn = search_base.administrative_ou_dc_group
				else:
					grpdn = search_base.educational_ou_dc_group
				hostlist = lo.get(grpdn, ['uniqueMember']).get('uniqueMember',[])
			except ldap.NO_SUCH_OBJECT:
				hostlist = []

	if (schoolNr, classNr.lower()) in verified_group_shares:
		return True

	position_dn = ClassShare(school=schoolNr, name=classNr).dn
	module = univention.admin.modules.get("shares/share")
	position_basedn = univention.admin.uldap.position(baseDN)
	univention.admin.modules.init (lo, position_basedn, module)

		print "need to create groupshare %s"%position_dn

		# get gid form corresponding group
		school_class = SchoolClass(school=schoolNr, name=classNr)
		class_share = ClassShare.from_school_class(school_class)
		group_dn = school_class.dn
		gids=lo.get(group_dn,['gidNumber'])
		gid = 0
		if len(gids) > 1: # TODO FIXME This doesn't look correct to me - gids is a dict and not a list!

		object.open()
		object["name"] = "%s"%classNr
		object["host"] = serverfqdn
		object["path"] = class_share.get_share_path()
			object["path"] = "/home/" + os.path.join(schoolNr, "groups/klassen/%s" % (classNr,))
		else:
			object["path"] = "/home/groups/klassen/%s" % (classNr,)
		object["writeable"] = "1"
		object["sambaWriteable"] = "1"
		object["sambaBrowseable"] = "1"

			# FIXME / TODO
			# Test should be following:
			# if ( ( ( parts[0].startswith( 'cn=%s' % grp_prefix_pupils) or parts[0].startswith( 'cn=%s' % grp_prefix_pupils) ) and parts[1] == 'cn=groups' and parts[2].startswith('ou=') ) or
			# 	 ( parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils and parts[3] == 'cn=groups' and parts[4].startswith('ou=') ) ):

			search_base = School.get_search_base(None)
			cn_pupils = ldap.explode_dn(search_base.students, True)[0]
			cn_classes = ldap.explode_dn(search_base.classes, True)[0]
			grp_prefix_pupils = search_base.group_prefix_students
			grp_prefix_teachers = search_base.group_prefix_teachers

			if ( parts[0].startswith( 'cn=%s' % grp_prefix_pupils ) or
				 parts[0].startswith( 'cn=%s' % grp_prefix_teachers ) or
				 (parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils)):
				# group looks like a default group, so we don't need it anymore
				print "remove from group: %s"%group
				remove_groups.append(group)

					main_person.isTeacher = '0'
					main_person.isStaff   = '0'

					search_base = School.get_search_base(ou)
					if object.dn.endswith(',%s' % search_base.teachersAndStaff):
						main_person.isTeacher = '1'
						main_person.isStaff = '1'
					elif object.dn.endswith(',%s' % search_base.teachers):
						main_person.isTeacher = '1'
					elif object.dn.endswith(',%s' % search_base.staff):
						main_person.isStaff = '1'

					if ou in main_person.allsNrs:

				zone = parsed[6]

			verify_school_ou(schoolNr, co, lo, baseDN)
			search_base = School.get_search_base(schoolNr)

			try:
				ip = ipaddr.IPv4Network(IP)

			groups = {}
			if ctype == "memberserver":
				if zone == "edukativ":
					groups[search_base.educational_ou_member_group] = 1
					groups[search_base.educational_member_group] = 1
				if zone == "verwaltung":
					groups[search_base.administrative_ou_member_group] = 1
					groups[search_base.administrative_member_group] = 1

			# invoke pre hooks
			hooks.pre( 'computer', 'A', line = line )

			ClassID = parsed[2]
			Descrpt = parsed[3]

			group_dn = SchoolClass(school=schoolNr, name=ClassID).dn
			share_dn = ClassShare(school=schoolNr, name=ClassID).dn

			verify_school_ou(schoolNr, co, lo, baseDN)



	slave = slaves[0]
	ouDn = oulist[0].dn
	search_base = School.get_search_base(options.ou)

	group_filter = univention.admin.filter.conjunction('&', [
		univention.admin.filter.conjunction('|', [
			univention.admin.uldap.explodeDn(search_base.educational_ou_dc_group)[0],
			univention.admin.uldap.explodeDn(search_base.administrative_ou_dc_group)[0],
		]),
		univention.admin.filter.expression('uniqueMember', slave.dn),
	])
	groups = univention.admin.modules.lookup(group_module, co, lo, scope='sub', base=baseDN, filter=group_filter)
	if not groups:
		print 'ERROR: cannot move domaincontroller slave with hostname "%s" to OU "%s"' % (options.dcname, options.ou)

		print 'ERROR: specified OU %r does not exist' % ou_name
		sys.exit(1)

	search_base = School.get_search_base(ou_name)
	# get list of desired group memberships
	group_dn_list = {
		TYPE_DC_ADMINISTRATIVE: [search_base.administrative_ou_dc_group, search_base.administrative_dc_group],
		TYPE_DC_EDUCATIONAL: [search_base.educational_dc_group, search_base.educational_ou_dc_group]
	}[dc_type]
										  'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou_name.lower(), baseDN),
										  ],
					  }[dc_type]
	for grpdn in group_dn_list:
		verify_group(grpdn, co, lo, superordinate, baseDN)





# <http://www.gnu.org/licenses/>.

. /usr/share/univention-lib/all.sh
. /usr/share/ucs-school-lib/base.sh

display_help() {
	cat <<-EOL

while read service; do
	case "$service" in
		"UCS@school Education")
			target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)"
			target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc)"
			target_server_ucsschool_service="$service"
			;;
		"UCS@school Administration")
			target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)"
			target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc)"
			target_server_ucsschool_service="$service"
			;;
	esac


	echo -n "Check group memberschip : "
	test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \
		/usr/sbin/udm groups/group list --filter name="$target_server_all_dcs" | sed -n "/^ *hosts: $target_ldap_hostdn$/p")
	if [ -z "$test_output" ]; then
		echo -e "\033[60Gfailed"
		echo "$hostname is not member of the group $target_server_all_dcs, this needs to be fixed first manually."
		exit 1
	fi
	test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \
		/usr/sbin/udm groups/group list --filter name="$(replace_ou "$target_server_ou_dcs" "$my_school_ou")" | sed -n "/^ *hosts: $target_ldap_hostdn$/p")
	if [ -z "$test_output" ]; then
		echo -e "\033[60Gfailed"
		echo "$hostname is not member of the group $(replace_ou "$target_server_ou_dcs" "$my_school_ou"), this needs to be fixed first manually."
		exit 1
	else
		echo -e "\033[60Gdone"




import univention.admin.handlers.groups.group
import univention.admin.handlers.users.user
import univention.admin.objects
from ucsschool.lib.models import School, SchoolClass, Staff, Student, Teacher


class Problem(Exception):



def parse_line(lo, line):
	school = School(name=line['school'])
	oubase = school.dn
	uid = line['name']
	try:
		dn = lo.search(filter_format('uid=%s', (uid,)), oubase, unique=True)[0][0]

			raise StudentDoesNotExists(line, uid)
		else:
			raise StudentIsInAnotherSchool(line, uid, dn)
	if not dn.endswith(Student.get_container(school.name)):
		if not dn.endswith(Teacher.get_container(school.name)) or not dn.endswith(Staff.get_container(school.name)):
			print('Ignoring teacher/staff %r' % (uid,))
			return
		msg('ERROR: %s (%s %s) is not a student/teacher/staff.' % (uid, line['firstname'], line['lastname']))

	correct = False
	invalid_groups = set()
	for gdn, group in groups: # pylint: disable=W0612
		if not gdn.endswith(SchoolClass.get_container(school.name)):
			if not gdn.endswith(oubase) and re.search(',ou=[^,]+,%s$' % (ucr['ldap/base'],), gdn, re.I):
				raise StudentIsInAnotherClassInAnotherSchool(line, uid, dn, gdn)
			continue  # ignore workgroups / Domain Users




@!@
# -*- coding: utf-8 -*-
import re


def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}

	while 1:
		i = variable_token.finditer(template)
		try:
			start = i.next()
			end = i.next()
			name = template[start.end():end.start()]

			template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():]
		except StopIteration:
			break

	return template


aclset += """
# start 61ucsschool_presettings

# revert rule from UCS; Bug #41402
access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
	by dn.regex=".*cn=computers,ou=([^,]+),(ou=[^,]+,)?@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by set="user/objectClass & ([ucsschoolStudent] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolAdministrator])" none break
	by * +0 break

# Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren
access to filter="(objectClass=sambaDomain)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# grant write access to domaincontroller slave/member server for certain univention app center settings
access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave controllers and memberservers require write access to virtual machine manager objects
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * +0 break


# Slave-Controller und Member-Server benoetigen idmap-Container
access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave-Controller und Member-Server benoetigen ID-Mapping
access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave-Controller und Member-Server benoetigen nicht alle Container
access to dn.subtree="cn=backup,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.subtree="cn=printers,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.subtree="cn=networks,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.regex="^(.*,)?cn=(cups|ppolicy|packages|services|templates|admin-settings|default containers|saml-serviceprovider),cn=univention,@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# end 61ucsschool_presettings
"""

print replace_ucr_variables(aclset)
@!@




def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'DISTRICT':       'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '',
		'PUPILS':         configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'),
		'TEACHERS':       configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'),
		'STAFF':          configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'),
		'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'),
		'ADMINS':         configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'),
		'GRPADMINS':      configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'),
		'EXAM':           configRegistry.get('ucsschool/ldap/default/container/exam', 'examusers'),
		'CLASS':          configRegistry.get('ucsschool/ldap/default/container/class', 'klassen'),
		'ROOMS':          configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'),
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}


	while 1:
		i = variable_token.finditer(template)
		try:

aclset += """
# DC Slaves need write access to the members of the group Domain Computers
access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects
access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave DCs can read and write policy containers for MS WMI filter objects
access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern

	by * +0 break

# Lehrer, Mitarbeiter und OU-Admins duerfen Raum-Gruppen anlegen und bearbeiten
access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by set.expand="[$1] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
@$@# old rule@$@	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
@$@# old rule@$@	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * +0 break

	by * +0 break

access to dn.subtree="cn=temporary,cn=univention,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# OU-Admins duerfen MAC-Adressen im Rechner- und DHCP-Objekt aendern


# domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers
access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to filter="(|(objectClass=ucsschoolStudent)(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users
access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to filter="(&(objectClass=ucsschoolStaff)(!(objectClass=ucsschoolTeacher))(!(objectClass=ucsschoolAdministrator)))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# FIXME: this rule allows to read all passwords underneath of all OU's instead of only the password belonging to the OU; explain why or fix it

# TODO: are the following attributes missing here?: 'sambaBadPasswordCount', 'krb5PasswordEnd', 'shadowMax', 'sambaAcctFlags', 'sambaPasswordHistory'
# Memberserver duerfen Passwoerter aller Objekte unterhalb einer Schule lesen
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,sambaPwdCanChange,sambaPwdMustChange
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by * +0 break

# Alle DC-Slaves muessen alle Benutzercontainer und Gruppen jeder Schule lesen koennen
access to dn.regex="^ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="objectClass=ucsschoolOrganizationalUnit"
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

access to dn.regex="^cn=(users|groups|@$@EXAM@$@),ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

access to dn.regex="^([^,]+),cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

access to dn.regex="^cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

# DC-Slaves muessen die Benutzer ihrer Schule lesen und schreiben duerfen
access to dn.regex="^uid=([^,]+),cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write
	by * +0 break
access to dn.regex="^uid=([^,]+),cn=@$@EXAM@$@,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write
	by * +0 break

# Schul-Slave-Server duerfen nur Eintraege ihrer OU lesen und schreiben (Passwortaenderungen etc.)

# Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by set.expand="[ldap:///ou=$2,@%@ldap/base@%@?ou?base?%28%21%28objectClass%3DucsschoolOrganizationalUnit%29%29]/ou" +0 break
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write
	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd continue
	by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +rscxd continue
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop
	by set.expand="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +0 stop
	by dn.regex="^.*,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd break
	by dn.regex="^.*,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +0 stop

	by * +0 break

# Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!)
access to dn.regex="^cn=@$@CLASS@$@,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Schulserver duerfen die Passwoerter aller globalen Objekte replizieren
access to dn.regex="^(.+,)?cn=(users|kerberos|computers),@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by * +0 break
"""


(-)ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst (-1 / +7 lines)

Lines 32-37	Link Here

VERSION=7

VERSION=7

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/univention-lib/ldap.sh

. /usr/share/univention-lib/ldap.sh

. /usr/share/ucs-school-lib/base.sh

joinscript_init

joinscript_init

eval "$(univention-config-registry shell)"

eval "$(univention-config-registry shell)"

Lines 43-49	Link Here

	--set name="ucsschool"

	--set name="ucsschool"

# create global groups required for LDAP ACLs for UCS@school

# create global groups required for LDAP ACLs for UCS@school

for grp in "DC-Verwaltungsnetz" "Member-Verwaltungsnetz" "DC-Edukativnetz" "Member-Edukativnetz" ; do

for grp in \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)" \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-member)" \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)" \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-member)"; do

	univention-directory-manager groups/group create "$@" \

	univention-directory-manager groups/group create "$@" \

		--ignore_exist \

		--ignore_exist \

		--position="cn=ucsschool,cn=groups,$ldap_base" \

		--position="cn=ucsschool,cn=groups,$ldap_base" \

(-)ucs-school-ldap-acls-master/debian/control (-1 / +1 lines)

Lines 9-15	Link Here

Package: ucs-school-ldap-acls-master

Package: ucs-school-ldap-acls-master

Architecture: all

Architecture: all

Depends: univention-ldap-server, univention-ldap-config

Depends: univention-ldap-server, univention-ldap-config, shell-ucs-school

Conflicts: univention-server-slave, univention-server-member, univention-mobile-client, univention-managed-client, univention-basesystem

Conflicts: univention-server-slave, univention-server-member, univention-mobile-client, univention-managed-client, univention-basesystem

Description: Special LDAP ACLs for UCS@school

Description: Special LDAP ACLs for UCS@school

 This package provides additional LDAP ACLs for slapd

 This package provides additional LDAP ACLs for slapd




	def get_container(cls, school=None):
		return ucr.get('ldap/base')

	@classmethod
	def cn_name(cls, name, default):
		ucr_var = 'ucsschool/ldap/default/container/%s' % name
		return ucr.get(ucr_var, default)

	def create_default_containers(self, lo):
		search_base = self.get_search_base(self.name)
		cn_pupils = ldap.explode_dn(search_base.students, True)[0]
		cn_teachers = ldap.explode_dn(search_base.teachers, True)[0]
		cn_admins = ldap.explode_dn(search_base.admins, True)[0]
		cn_classes = ldap.explode_dn(search_base.classes, True)[0]
		cn_rooms = ldap.explode_dn(search_base.rooms, True)[0]
		user_containers = [cn_pupils, cn_teachers, cn_admins]
		group_containers = [cn_pupils, [cn_classes], cn_teachers, cn_rooms]
		if self.shall_create_administrative_objects():
			cn_staff = ldap.explode_dn(search_base.staff, True)[0]
			cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0]
			user_containers.extend([cn_staff, cn_teachers_staff])
			group_containers.append(cn_staff)
		containers_with_path = {

			for cn in containers:
				last_dn = _add_container(cn, last_dn, self.dn, path, lo)

	def group_name(self, prefix_var, default_prefix):
		ucr_var = 'ucsschool/ldap/default/groupprefix/%s' % prefix_var
		name_part = ucr.get(ucr_var, default_prefix)
		school_part = self.name.lower()
		return '%s%s' % (name_part, school_part)

	def get_umc_policy_dn(self, name):
		# at least the default ones should exist due to the join script
		return ucr.get('ucsschool/ldap/default/policy/umc/%s' % name, 'cn=ucsschool-umc-%s-default,cn=UMC,cn=policies,%s' % (name, ucr.get('ldap/base')))

			group.create(lo)

		# cn=ouadmins
		search_base = self.get_search_base(self.name)
		group = BasicGroup.cache("{}{}".format(search_base.group_prefix_admins, self.name.lower()), container=search_base.globalGroupContainer)
		group.create(lo)
		group.add_umc_policy(self.get_umc_policy_dn('admins'), lo)
		try:

			udm_obj.modify()

		# cn=schueler
		group = Group.cache("{}{}".format(search_base.group_prefix_students, self.name.lower()), self.name)
		group.create(lo)
		group.add_umc_policy(self.get_umc_policy_dn('pupils'), lo)

		# cn=lehrer
		group = Group.cache("{}{}".format(search_base.group_prefix_teachers, self.name.lower()), self.name)
		group.create(lo)
		group.add_umc_policy(self.get_umc_policy_dn('teachers'), lo)

		# cn=mitarbeiter
		if self.shall_create_administrative_objects():
			group = Group.cache("{}{}".format(search_base.group_prefix_staff, self.name.lower()), self.name)
			group.create(lo)
			group.add_umc_policy(self.get_umc_policy_dn('staff'), lo)


			return flatten([self.get_administrative_group_name(group_type, True, ou_specific, as_dn), self.get_administrative_group_name(group_type, False, ou_specific, as_dn)])
		if ou_specific == 'both':
			return flatten([self.get_administrative_group_name(group_type, domain_controller, False, as_dn), self.get_administrative_group_name(group_type, domain_controller, True, as_dn)])
		search_base = self.get_search_base(self.name)
		base_dn = ucr.get('ldap/base')
		if group_type == 'administrative':
			if domain_controller:
				if ou_specific:
					dn = search_base.administrative_ou_dc_group
				else:
					dn = search_base.administrative_dc_group
			else:
				if ou_specific:
					dn = search_base.administrative_ou_member_group
				else:
					dn = search_base.administrative_member_group
		else:
			if domain_controller:
				if ou_specific:
					dn = search_base.educational_ou_dc_group
				else:
					dn = search_base.educational_dc_group
			else:
				if ou_specific:
					dn = search_base.educational_ou_member_group
				else:
					dn = search_base.educational_member_group
		if as_dn:
			return dn
		else:
			return ldap.explode_dn(dn, True)[0]

	def get_administrative_server_names(self, lo):
		dn = self.get_administrative_group_name('administrative', ou_specific=True, as_dn=True)

(-)ucs-school-lib/python/models/share.py (-2 / +2 lines)

138

139

	def get_share_path(self):

139

	def get_share_path(self):

140

		if ucr.is_true('ucsschool/import/roleshare', True):

140

		if ucr.is_true('ucsschool/import/roleshare', True):

141

			return '/home/%s/groups/klassen/%s' % (self.school_group.school, self.name)

141

			return '/home/%s/groups/%s/%s' % (self.school_group.school, self.get_search_base(self.school).share_name_class, self.name)

142

		else:

142

		else:

143

			return '/home/groups/klassen/%s' % self.name

143

			return '/home/groups/%s/%s' % (self.get_search_base(self.school).share_name_class, self.name)




		return [self.get_group_dn('Domain Users %s' % school, school) for school in self.schools]

	def get_students_groups(self):
		prefix = self.get_search_base(self.school).group_prefix_students
		return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]

	def get_teachers_groups(self):
		prefix = self.get_search_base(self.school).group_prefix_teachers
		return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]

	def get_staff_groups(self):
		prefix = self.get_search_base(self.school).group_prefix_staff
		return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]

	def groups_used(self, lo):


	@classmethod
	def from_student_dn(cls, lo, school, dn):
		examUserPrefix = cls.get_search_base(school).user_prefix_exam
		dn = 'uid=%s%s,%s' % (escape_dn_chars(examUserPrefix), explode_dn(dn, True)[0], cls.get_container(school))
		return cls.from_dn(dn, school, lo)

(-)ucs-school-lib/python/roleshares.py (-2 / +2 lines)

Lines 36-42	Link Here

import univention.config_registry

import univention.config_registry

from ucsschool.lib.roles import role_pupil, role_teacher, role_staff

from ucsschool.lib.roles import role_pupil, role_teacher, role_staff

from ucsschool.lib.i18n import ucs_school_name_i18n

from ucsschool.lib.i18n import ucs_school_name_i18n

from ucsschool.lib.models import Group, School

from ucsschool.lib.models import Group, School, Share

from ucsschool.lib.schoolldap import LDAP_Connection, USER_READ, USER_WRITE, MACHINE_READ

from ucsschool.lib.schoolldap import LDAP_Connection, USER_READ, USER_WRITE, MACHINE_READ

import univention.admin.uexceptions

import univention.admin.uexceptions

import univention.admin.uldap as udm_uldap

import univention.admin.uldap as udm_uldap

Lines 147-153	Link Here

147

		ucr.load()

147

		ucr.load()

148

149

	school_ou = school.name

149

	school_ou = school.name

150

	share_container_dn = school.get_search_base(school.name).shares

150

	share_container_dn = Share.get_container(school.name)

151

152

	teacher_groupname = '-'.join((ucs_school_name_i18n(role_teacher), school_ou))

152

	teacher_groupname = '-'.join((ucs_school_name_i18n(role_teacher), school_ou))

153

	teacher_group = Group(name=teacher_groupname, school=school_ou).get_udm_object(ldap_user_read)

153

	teacher_group = Group(name=teacher_groupname, school=school_ou).get_udm_object(ldap_user_read)




# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

import inspect
import re
from functools import wraps
from ldap.filter import escape_filter_chars, filter_format

import univention.admin.config
import univention.admin.modules
import univention.admin.modules as udm_modules
import univention.config_registry
import univention.uldap
import univention.admin.config
import univention.admin.modules
from univention.admin.filter import conjunction, parse
from univention.admin.uexceptions import noObject

import univention.admin.modules as udm_modules
from univention.management.console.protocol.message import Message

from univention.lib.i18n import Translation

from functools import wraps
import re
import inspect
from ldap.filter import escape_filter_chars, filter_format

from univention.management.console.config import ucr
from univention.management.console.ldap import get_machine_connection, get_admin_connection, get_user_connection#, reset_cache as reset_connection_cache
from univention.management.console.log import MODULE
from univention.management.console.ldap import get_machine_connection, get_admin_connection, get_user_connection#, reset_cache as reset_connection_cache
from univention.management.console.modules import Base, UMC_Error
from univention.management.console.modules.decorators import sanitize
from univention.management.console.modules.sanitizers import StringSanitizer
from univention.management.console.protocol.message import Message

# load UDM modules
udm_modules.update()

		self._school = school or availableSchools[0]
		self._schoolDN = dn or School.cache(self.school).dn

		#
		# When adding/updating UCRV defaults, also add/update them in shell/base.sh.
		#

		#
		# When changing any of ucsschool/ldap/default/groupname/all-{administrativ, educational}-{dc, member}
		# copy the changes to ucs-school-ldap-acls-master/{61ucsschool_presettings, 65ucsschool}.
		#

		# containers
		self._containerAdmins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')
		self._containerStudents = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')
		self._containerStaff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

		self._containerClass = ucr.get('ucsschool/ldap/default/container/class', 'klassen')
		self._containerRooms = ucr.get('ucsschool/ldap/default/container/rooms', 'raeume')
		self._examUserContainerName = ucr.get('ucsschool/ldap/default/container/exam', 'examusers')
		# group names
		self._examGroupName = ucr.get('ucsschool/ldap/default/groupname/exam',
			'OU%(ou)s-Klassenarbeit') % {'ou': self._school.lower()}
		self._all_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-dc',
			'DC-Verwaltungsnetz')
		self._all_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-member',
			'Member-Verwaltungsnetz')
		self._all_educational_dc = ucr.get('ucsschool/ldap/default/groupname/all-educational-dc',
			'DC-Edukativnetz')
		self._all_educational_member = ucr.get('ucsschool/ldap/default/groupname/all-educational-member',
			'Member-Edukativnetz')
		self._ou_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-dc',
			'OU%(ou)s-DC-Verwaltungsnetz') % {'ou': self._school.lower()}
		self._ou_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-member',
			'OU%(ou)s-Member-Verwaltungsnetz') % {'ou': self._school.lower()}
		self._ou_educational_dc = ucr.get('ucsschool/ldap/default/groupname/ou-educational-dc',
			'OU%(ou)s-DC-Edukativnetz') % {'ou': self._school.lower()}
		self._ou_educational_member = ucr.get('ucsschool/ldap/default/groupname/ou-educational-member',
			'OU%(ou)s-Member-Edukativnetz') % {'ou': self._school.lower()}
		# group prefixes
		self.group_prefix_students = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
		self.group_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
		self.group_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
		self.group_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')
		# user prefix
		self.user_prefix_exam = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')
		# share/directory names
		self.share_name_class = ucr.get('ucsschool/ldap/default/share/class', 'klassen')
		self.share_name_pupils = ucr.get('ucsschool/ldap/default/share/pupils', 'schueler')
		self.share_name_teachers = ucr.get('ucsschool/ldap/default/share/teachers', 'lehrer')
		self.share_name_exams = ucr.get('ucsschool/ldap/default/share/exams', 'Klassenarbeiten')
		self.share_name_marktplatz = ucr.get('ucsschool/import/generate/share/marktplatz/name', 'Marktplatz')

	@classmethod
	def getOU(cls, dn):


	@property
	def students(self):
		"""cn=schueler,cn=users,<ou dn>"""
		return "cn=%s,cn=users,%s" % (self._containerStudents, self.schoolDN)

	@property
	def students_group(self):
		"""cn=schueler,cn=groups,<ou dn>"""
		return "cn=%s,cn=groups,%s" % (self._containerStudents, self.schoolDN)

	@property
	def students_ou_group(self):
		"""cn=schueler-%(ou)s,cn=groups,<ou dn> (ou already replaced)"""
		return "cn=%s%s,cn=groups,%s" % (self.group_prefix_students, self.school, self.schoolDN)

	@property
	def teachers(self):
		"""cn=lehrer,cn=users,<ou dn>"""
		return "cn=%s,cn=users,%s" % (self._containerTeachers, self.schoolDN)

	@property
	def teachers_group(self):
		"""cn=lehrer,cn=groups,<ou dn>"""
		return "cn=%s,cn=groups,%s" % (self._containerTeachers, self.schoolDN)

	@property
	def teachers_ou_group(self):
		"""cn=lehrer-%(ou)s,cn=groups,<ou dn> (ou already replaced)"""
		return "cn=%s%s,cn=groups,%s" % (self.group_prefix_teachers, self.school, self.schoolDN)

	@property
	def teachersAndStaff(self):
		"""cn=lehrer und mitarbeiter,cn=users,<ou dn>"""
		return "cn=%s,cn=users,%s" % (self._containerTeachersAndStaff, self.schoolDN)

	@property
	def staff(self):
		"""cn=mitarbeiter,cn=users,<ou dn>"""
		return "cn=%s,cn=users,%s" % (self._containerStaff, self.schoolDN)

	@property
	def staff_group(self):
		"""cn=mitarbeiter,cn=groups,<ou dn>"""
		return "cn=%s,cn=groups,%s" % (self._containerStaff, self.schoolDN)

	@property
	def staff_ou_group(self):
		"""cn=mitarbeiter-%(ou)s,cn=groups,<ou dn> (ou already replaced)"""
		return "cn=%s%s,cn=groups,%s" % (self.group_prefix_staff, self.school, self.schoolDN)

	@property
	def admins(self):
		"""cn=admins,cn=users,<ou dn>"""
		return "cn=%s,cn=users,%s" % (self._containerAdmins, self.schoolDN)

	@property
	def admin_group(self):
		"""cn=admins-%(ou)s,cn=ouadmins,cn=groups,<ou dn> (ou already replaced)"""
		return "cn=%s%s,cn=ouadmins,cn=groups,%s" % (self.group_prefix_admins, self.school, self.schoolDN)

	@property
	def classShares(self):
		return "cn=%s,cn=shares,%s" % (self._containerClass, self.schoolDN)



	@property
	def educationalDCGroup(self):
		"""deprecated, please use educational_ou_dc_group"""
		return self.educational_ou_dc_group

	@property
	def educationalMemberGroup(self):
		"""deprecated, please use educational_ou_member_group"""
		return self.educational_ou_member_group

	@property
	def administrativeDCGroup(self):
		"""deprecated, please use administrative_ou_dc_group"""
		return self.administrative_ou_dc_group

	@property
	def administrativeMemberGroup(self):
		"""deprecated, please use administrative_ou_member_group"""
		return self.administrative_ou_member_group

	@property
	def administrative_dc_group(self):
		"""cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base>"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_dc, self._ldapBase)

	@property
	def administrative_member_group(self):
		"""cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base>"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_member, self._ldapBase)

	@property
	def educational_dc_group(self):
		"""cn=DC-Edukativnetz,cn=ucsschool,cn=groups,<ldap base>"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_dc, self._ldapBase)

	@property
	def educational_member_group(self):
		"""cn=Member-Edukativnetz,cn=ucsschool,cn=groups,<ldap base>"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_member, self._ldapBase)

	@property
	def educational_ou_dc_group(self):
		"""cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_dc, self._ldapBase)

	@property
	def educational_ou_member_group(self):
		"""cn=OU%(ou)s-Member-Edukativnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_member, self._ldapBase)

	@property
	def administrative_ou_dc_group(self):
		"""cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_dc, self._ldapBase)

	@property
	def administrative_ou_member_group(self):
		"""cn=OU%(ou)s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_member, self._ldapBase)

	@property
	def examGroupName(self):
		"""OU%(ou)s-Klassenarbeit (only name, not a DN, ou already replaced)"""
		return self._examGroupName
		return self._examGroupNameTemplate % ucr_value_keywords

	@property
	def examGroup(self):
		"""cn=OU%(ou)s-Klassenarbeit,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self.examGroupName, self._ldapBase)

	def isWorkgroup(self, groupDN):




	#
	# $ servers_school_ous -h $(ucr get ldap/master) -p $(ucr get ldap/master/port)
	# ou=bar,dc=example,dc=com
	local ldap_hostdn ldap_base ldap_server ldap_port IFS res
	. /usr/share/univention-lib/ucr.sh

	ldap_base="$(/usr/sbin/univention-config-registry get ldap/base)"

	res=""
	for oudn in $(univention-ldapsearch $ldap_server $ldap_port -xLLL -b "$ldap_base" 'objectClass=ucsschoolOrganizationalUnit' dn | ldapsearch-wrapper | sed -nre 's/^dn: //p') ; do
		ouname="$(school_ou "$oudn")"
		search_str="(|(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc ${ouname}))(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc OU${ouname})))"
		if ! is_ucr_true ucsschool/singlemaster; then
			search_str="(&${search_str}(uniqueMember=${ldap_hostdn}))"
			search_str="(&(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))(uniqueMember=${ldap_hostdn}))"
		fi
		if univention-ldapsearch $ldap_server $ldap_port -xLLL "$search_str" dn | grep -q "^dn: "; then
			res="$res

	done
	echo -n "${res}" | egrep -v "^\s*$"
}

replace_ou() {
	# syntax: replace_ou <template> <ou>
	#
	# Replace '%(ou)s' in <template> with <ou>
	#
	# example:
	# $ replace_ou "OU%(ou)s-DC-Edukativnetz" "myschool"
	# "OUmyschool-DC-Edukativnetz
	if [ "$#" != 2 ]; then
		echo "syntax: replace_ou <template> <ou>"
		return 1
	fi
	echo -n "$1" | sed "s/%(ou)s/$2/"
}

ucr_names_default() {
	# syntax: ucr_names_default <ucr> [ou]
	#
	# Get UCR value or default, optionally replace '%(ou)s'.
	#
	# example:
	# $ ucr_names_default "ucsschool/ldap/default/container/pupils"
	# "schueler
	# $ ucr_names_default "ucsschool/ldap/default/groupname/ou-administrativ-dc" "myschool"
	# "OUmyschool-DC-Verwaltungsnetz"
	local res

	if [ "$#" -lt 1 -o "$#" -gt 2 ]; then
		echo "syntax: ucr_names_default <ucr> [ou]"
		return 1
	fi
	if [ $(echo -n "$1" | cut -f 1-3 -d '/') != 'ucsschool/ldap/default' ]; then
		echo "<ucr> must be a UCR variable from ucsschool/ldap/default/*/*"
		return 1
	fi

	#
	# When adding/updating UCRV defaults, also add/update them in python/schoolldap.py.
	#

	res="$(ucr get $1)"
	if [ -z "$res" ]; then
		case "$1" in
			# containers
			'ucsschool/ldap/default/container/admins') res='admins';;
			'ucsschool/ldap/default/container/pupils') res='schueler';;
			'ucsschool/ldap/default/container/staff') res='mitarbeiter';;
			'ucsschool/ldap/default/container/teachers-and-staff') res='lehrer und mitarbeiter';;
			'ucsschool/ldap/default/container/teachers') res='lehrer';;
			'ucsschool/ldap/default/container/class') res='klassen';;
			'ucsschool/ldap/default/container/rooms') res='raeume';;
			'ucsschool/ldap/default/container/exam') res='examusers';;
			# group names
			'ucsschool/ldap/default/groupname/exam') res='OU%(ou)%s-Klassenarbeit';;
			'ucsschool/ldap/default/groupname/all-administrativ-dc') res='DC-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/all-administrativ-member') res='Member-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/all-educational-dc') res='DC-Edukativnetz';;
			'ucsschool/ldap/default/groupname/all-educational-member') res='Member-Edukativnetz';;
			'ucsschool/ldap/default/groupname/ou-administrativ-dc') res='OU%(ou)s-DC-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/ou-administrativ-member') res='OU%(ou)s-Member-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/ou-educational-dc') res='OU%(ou)s-DC-Edukativnetz';;
			'ucsschool/ldap/default/groupname/ou-educational-member') res='OU%(ou)s-Member-Edukativnetz';;
			# group prefixes
			'ucsschool/ldap/default/groupprefix/pupils') res='schueler-';;
			'ucsschool/ldap/default/groupprefix/teachers') res='lehrer-';;
			'ucsschool/ldap/default/groupprefix/admins') res='admins-';;
			'ucsschool/ldap/default/groupprefix/staff') res='mitarbeiter-';;
			# user prefix
			'ucsschool/ldap/default/userprefix/exam') res='exam-';;
			# share/directory names
			'ucsschool/ldap/default/share/class') res='klassen';;
			'ucsschool/ldap/default/share/pupils') res='schueler';;
			'ucsschool/ldap/default/share/teachers') res='lehrer';;
			'ucsschool/ldap/default/share/exams') res='Klassenarbeiten';;
			'ucsschool/import/generate/share/marktplatz/name') res='Marktplatz';;
		esac
	fi
	if [ -z "$res" ]; then
		echo "Error: Unknown UCR $1."
		return 1
	fi

	if [ -z "$2" ]; then
		echo -n "$res"
	else
		replace_ou "$res" "$2"
	fi
}

(-)ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst (-3 / +6 lines)

Lines 32-40	Link Here

VERSION="1"

VERSION="1"

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/ucs-school-lib/base.sh

joinscript_init

joinscript_init

eval "$(univention-config-registry shell)"

eval "$(univention-config-registry shell)"

share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"

# samba 4 netlogon share

# samba 4 netlogon share

myrealm=$(echo $kerberos_realm |  awk '{print tolower($0)}')

myrealm=$(echo $kerberos_realm |  awk '{print tolower($0)}')

Lines 43-51	Link Here

fi

fi

univention-config-registry set \

univention-config-registry set \

    ucsschool/userlogon/commonshares?"Marktplatz" \

    ucsschool/userlogon/commonshares?"$share_name" \

    ucsschool/userlogon/commonshares/server/Marktplatz?"$hostname" \

    "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \

    ucsschool/userlogon/commonshares/letter/Marktplatz?"M" \

    "ucsschool/userlogon/commonshares/letter/$share_name?M" \

    ucsschool/userlogon/classshareletter?"K" \

    ucsschool/userlogon/classshareletter?"K" \

    ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs'

    ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs'

(-)ucs-school-netlogon-user-logonscripts/debian/control (+1 lines)

Lines 13-18	Link Here

 univention-directory-listener,

 univention-directory-listener,

 ucs-school-netlogon,

 ucs-school-netlogon,

 shell-univention-lib,

 shell-univention-lib,

 shell-ucs-school,

 univention-config

 univention-config

Description: ucs@school userspecific netlogon scripts

Description: ucs@school userspecific netlogon scripts

 This package provides a listener-module that creates

 This package provides a listener-module that creates




#DEBHELPER#

. /usr/share/univention-lib/all.sh
. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"
share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"

univention-config-registry set \
	samba/homedirletter?I \
    ucsschool/userlogon/commonshares?"$share_name" \
    "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \
    "ucsschool/userlogon/commonshares/letter/$share_name?M" \
    ucsschool/userlogon/classshareletter?"K" \
    ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs' \
	ucsschool/userlogon/myshares/enabled?no

(-)ucs-school-umc-computerroom/umc/python/computerroom/__init__.py (-1 / +1 lines)

Lines 727-733	Link Here

727

			vset[vunset[-1]] = shareMode

727

			vset[vunset[-1]] = shareMode

728

			vextract.append('samba/othershares/hosts/deny')

728

			vextract.append('samba/othershares/hosts/deny')

729

			vappend[vextract[-1]] = hosts

729

			vappend[vextract[-1]] = hosts

730

			vextract.append('samba/share/Marktplatz/hosts/deny')

730

			vextract.append('samba/share/{}/hosts/deny'.format(School.get_search_base(self._italc.school).share_name_marktplatz))

731

			vappend[vextract[-1]] = hosts

731

			vappend[vextract[-1]] = hosts

732

		else:

732

		else:

733

			vunset_now.append('samba/sharemode/room/%s' % self._italc.room)

733

			vunset_now.append('samba/sharemode/room/%s' % self._italc.room)

(-)ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py (-1 / +1 lines)

Lines 117-123	Link Here

117

			firstname = firstname[:5] + '.'

117

			firstname = firstname[:5] + '.'

118

119

		username = firstname + lastname[:5]

119

		username = firstname + lastname[:5]

120

		maxlength = 20 - len(ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-'))

120

		maxlength = 20 - len(self.get_search_base(self.school).user_prefix_exam)

121

		return replace_invalid_chars(username[:maxlength])

121

		return replace_invalid_chars(username[:maxlength])

122

123

	@classmethod

123

	@classmethod

(-)ucs-school-umc-distribution/debian/ucs-school-umc-distribution.univention-config-registry-variables (+11 lines)

Line 0	Link Here

[ucsschool/datadistribution/datadir/recipient]

Description[de]=Standardname für das Projektverzeichnis in das Unterrichtsmaterial verteilt wird. Standard ist "Unterrichtsmaterial".

Description[en]=Default name for the project directory into which teaching material will be distributed. Default is "Unterrichtsmaterial".

Type=str

Categories=ucsschool-base

[ucsschool/datadistribution/datadir/sender]

Description[de]=Standardname für das Projektverzeichnis aus dem Unterrichtsmaterial eingesammelt wird. Standard ist "Unterrichtsmaterial".

Description[en]=Default name for the project directory from which teaching material will be collected. Default is "Unterrichtsmaterial".

Type=str

Categories=ucsschool-base

(-)ucs-school-umc-distribution/umc/python/distribution/util.py (-1 / +1 lines)

Lines 291-297	Link Here

291

	@property

291

	@property

292

	def isDistributed(self):

292

	def isDistributed(self):

293

		'''True if files have already been distributed.'''

293

		'''True if files have already been distributed.'''

294

		# distributed files can still be found in the internal property 'files',

294

		# distributed files can still be found in the internal property 'files',Unterrichtsmaterial

295

		# however, upon distribution they are removed from the cache directory;

295

		# however, upon distribution they are removed from the cache directory;

296

		# thus, if one of the specified files does not exist, the project has

296

		# thus, if one of the specified files does not exist, the project has

297

		# already been distributed

297

		# already been distributed

(-)ucs-school-umc-exam/debian/control (+1 lines)

Lines 31-36	Link Here

 python-ucs-school,

 python-ucs-school,

 ucs-school-import,

 ucs-school-import,

 shell-univention-lib,

 shell-univention-lib,

 shell-ucs-school,

 univention-ldap-config (>= 9.0.27-3),

 univention-ldap-config (>= 9.0.27-3),

Description: UMC module delivering backend services for ucs-school-umc-exam

Description: UMC module delivering backend services for ucs-school-umc-exam

 UMC module delivering backend services for ucs-school-umc-exam

 UMC module delivering backend services for ucs-school-umc-exam




[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1

. /usr/share/univention-lib/ucr.sh
. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"


	district=",ou=${ou:0:2}"
fi

examusers="$(ucr_names_default ucsschool/ldap/default/container/exam)"
if [ -z "$examusers" ] ; then
	examusers='examusers'
fi

udm container/cn create --ignore_exists \
	--position "ou=${ou}${district},${ldap_base}" \
	--set name="${examusers}" \

ou_specific_examgroupname="$(ucr_names_default ucsschool/ldap/default/groupname/exam)"
if [ -z "$examgroupname" ] ; then
	examgroupname='OU%(ou)s-Klassenarbeit'
fi
ou_specific_examgroupname=$(python -c "print '$examgroupname' % {'ou': '$ou'}")

udm groups/group create --ignore_exists \
	--position "cn=ucsschool,cn=groups,${ldap_base}" \




import univention.config_registry
import univention.uldap
import univention.admin.uldap
from ucsschool.lib.models import ExamStudent
from univention.lib.umc_connection import UMCConnection
from univention.admin.uexceptions import noObject
from ldap.filter import escape_filter_chars

		self.hostname = self.ucr.get('hostname')
		self.umcp = self.get_UMCP_connection()
		self.lo = self.get_LDAP_connection()
		self.exam_prefix = self.ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')
		self.DIR_ROOMS = '/var/cache/ucs-school-umc-computerroom'
		self.DIR_EXAMS = self.ucr.get('ucsschool/exam/cache', '/var/lib/ucs-school-umc-schoolexam')


			ou_list = self.lo.search(filter='(objectClass=ucsschoolOrganizationalUnit)')
			for ou_dn, ou_attrs in ou_list:
				ou_name = ou_attrs['ou'][0]
				exam_prefix = ExamStudent.get_search_base(ou_name).user_prefix_exam
				try:
					userlist = mod_user.lookup({}, lo, 'uid=%s*' % (escape_filter_chars(exam_prefix),), base=ExamStudent.get_container(ou_name))
				except noObject:
					# no exam users container in this OU
					continue




import traceback
import re
from ldap.filter import filter_format
from ldap import explode_dn

from univention.management.console.config import ucr
from univention.management.console.log import MODULE

	def __init__(self):
		SchoolBaseModule.__init__(self)

		self._examUserPrefix = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')

		## cache objects
		self._udm_modules = dict()
		self._examGroup = None

	def examUserContainerDN(self, ldap_admin_write, ldap_position, school):
		'''lookup examUserContainerDN, create it if missing'''
		if not self._examUserContainerDN:
			examUsers = ExamStudent.get_container(school)
			examUserContainerName = explode_dn(ExamStudent.get_search_base(school).examUsers, True)[0]
			examUserContainerName = search_base._examUserContainerName
			try:
				ldap_admin_write.searchDn('(objectClass=organizationalRole)', examUsers, scope='base')
			except univention.admin.uexceptions.noObject:

		user_orig = user.get_udm_object(ldap_admin_write)

		### uid and DN of exam_user
		exam_user_prefix = ExamStudent.get_search_base(school).user_prefix_exam
		exam_user_uid = "".join((exam_user_prefix, user_orig['username']))
		exam_user_dn = "uid=%s,%s" % (exam_user_uid, self.examUserContainerDN(ldap_admin_write, ldap_position, user.school))

		try:

(-)ucs-school-umc-installer/umc/python/schoolinstaller/__init__.py (-2 / +2 lines)

Lines 572-580	Link Here

572

				for islave in slaves:

572

				for islave in slaves:

573

					islave.open()

573

					islave.open()

574

					# compare group DNs case insensitive

574

					# compare group DNs case insensitive

575

					if search_base.educationalDCGroup.lower() in [x.lower() for x in islave['groups']]:

575

					if search_base.educational_ou_dc_group.lower() in [x.lower() for x in islave['groups']]:

576

						values['educational_slaves'].append(islave['name'])

576

						values['educational_slaves'].append(islave['name'])

577

					if search_base.administrativeDCGroup.lower() in [x.lower() for x in islave['groups']]:

577

					if search_base.administrative_ou_dc_group.lower() in [x.lower() for x in islave['groups']]:

578

						values['administrative_slaves'].append(islave['name'])

578

						values['administrative_slaves'].append(islave['name'])

579

		except univention.uldap.ldap.LDAPError as err:

579

		except univention.uldap.ldap.LDAPError as err:

580

			MODULE.warn('LDAP connection to %s failed: %s' % (master, err))

580

			MODULE.warn('LDAP connection to %s failed: %s' % (master, err))




import univention.testing.udm
import univention.testing.utils as utils
from univention.testing.ucsschool import UMCConnection
from ucsschool.lib.models import SchoolClass


def _dir(userName):

		pattern,
		basedn):
	if cName != 'None':
		cdn = SchoolClass(school=school, name=cName).dn
			cName,
			school,
			basedn)
	else:
		cdn = cName
	param = {'school': school,

				klasse1_dn = udm.create_object(
					'groups/group',
					name='%s-1A' % school,
					position=SchoolClass.get_container(oudn)
				)
				klasse2_dn = udm.create_object(
					'groups/group',
					name='%s-2B' % school,
					position=SchoolClass.get_container(school)
				)
				tea, teadn = schoolenv.create_user(school, is_teacher=True)
				stu1, stu1_dn = schoolenv.create_user(school)

(-)ucs-test-ucsschool/90_ucsschool/101_exam_mode (-1 / +2 lines)

Lines 13-18	Link Here

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

import univention.testing.udm

import univention.testing.udm

from ucsschool.lib.models import SchoolClass

def main():

def main():

	with univention.testing.udm.UCSTestUDM() as udm:

	with univention.testing.udm.UCSTestUDM() as udm:

Lines 27-33	Link Here

				else:

				else:

					edudc = ucr.get('hostname')

					edudc = ucr.get('hostname')

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				klasse_dn = udm.create_object('groups/group',name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn)

				klasse_dn = udm.create_object('groups/group',name='%s-AA1' % school, position=SchoolClass.get_container(school))

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				stu, studn = schoolenv.create_user(school)

				stu, studn = schoolenv.create_user(school)




import univention.testing.ucsschool as utu
import univention.testing.udm
import univention.testing.utils as utils
from ucsschool.lib.models import ExamStudent, SchoolClass


def main():
	with univention.testing.udm.UCSTestUDM() as udm:
		with utu.UCSTestSchool() as schoolenv:

				klasse_dn = udm.create_object(
						'groups/group',
						name='%s-AA1' % school,
						position=SchoolClass.get_container(school)
						)
				tea, teadn = schoolenv.create_user(school, is_teacher=True)
				stu, studn = schoolenv.create_user(school)


				try:
					expected_memberUid = ["%s$" % pc2.name, "exam-%s" % stu]
					expected_uniqueMember = [pc2.dn, ExamStudent(school=school, name=stu).dn]

					# Get the current attributes values
					lo = getMachineConnection()
					exam_group_dn = ExamStudent.get_search_base(school).examGroup
					memberUid = lo.search(base=exam_group_dn)[0][1].get('memberUid')
					uniqueMember = lo.search(base=exam_group_dn)[0][1].get('uniqueMember')
					




import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.udm
from ucsschool.lib.models import SchoolClass


def main():
	with univention.testing.udm.UCSTestUDM() as udm:
		with utu.UCSTestSchool() as schoolenv:

					edudc = ucr.get('hostname')

				school, oudn = schoolenv.create_ou(name_edudc=edudc)
				klasse_dn = udm.create_object('groups/group',name='%s-AA1' % school, position=SchoolClass.get_container(school))

				tea, teadn = schoolenv.create_user(school, is_teacher=True)
				stu, studn = schoolenv.create_user(school)




import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.utils as utils
from ucsschool.lib.models import ClassShare, SchoolClass


BACKUP_PATH = '/home/backup/groups'

def ldap_info(cn):

	utils.verify_ldap_object(share_dn(new_name, school), should_exist=True)

def share_dn(class_name, school):
	return ClassShare(school=school, name=class_name).dn
		return 'cn=%s,cn=klassen,cn=shares,ou=%s,%s' % (
				class_name, school,ucr.get('ldap/base'))

def class_dn(class_name, school):
	return SchoolClass(school=school, name=class_name).dn
		return 'cn=%s,cn=klassen,cn=schueler,cn=groups,ou=%s,%s' % (
				class_name, school,ucr.get('ldap/base'))

def share_path(class_name, school):
	sc = SchoolClass(school=school, name=class_name)
	path = ClassShare(school=school, name=class_name, school_group=sc).get_share_path()
	if os.path.exists(path):
		return path


(-)ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users (-1 / +2 lines)

Lines 10-15	Link Here

import ldap

import ldap

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

from ucsschool.lib.models import Group

def main():

def main():

Lines 45-51	Link Here

					utils.fail('Attribute %s was not found in ldap object %r' % (

					utils.fail('Attribute %s was not found in ldap object %r' % (

						'univentionPolicyReference', base))

						'univentionPolicyReference', base))

				except ldap.NO_SUCH_OBJECT as e:

				except ldap.NO_SUCH_OBJECT as e:

					if "cn=groups,%s" % (schoolenv.get_ou_base_dn(school),) in str(e):

					if Group.get_container(school) in str(e):

						print ('* Cought an expected exception: %r' % e)

						print ('* Cought an expected exception: %r' % e)

					else:

					else:

						utils.fail('Unexpected Exception: %r' % e)

						utils.fail('Unexpected Exception: %r' % e)

(-)ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares (-1 / +1 lines)

Lines 19-25	Link Here

			for share in Share.get_all(lo, school.name):

			for share in Share.get_all(lo, school.name):

				share_udm = share.get_udm_object(lo)

				share_udm = share.get_udm_object(lo)

				if "nfs" in share_udm.options:

				if "nfs" in share_udm.options:

					if share.name in ["Marktplatz", "iTALC-Installation"]:

					if share.name in [Share.get_search_base(school).share_name_marktplatz, "iTALC-Installation"]:

						print("*** Ignoring //{}/{} (Bug #42514)".format(school.name, share.name))

						print("*** Ignoring //{}/{} (Bug #42514)".format(school.name, share.name))

					else:

					else:

						nfs_shares.append((school.name, share.name))

						nfs_shares.append((school.name, share.name))

(-)ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record (-2 / +2 lines)

Lines 132-138	Link Here

132

					position = "cn=dc,cn=server,cn=computers,%s" % (school.dn,),

132

					position = "cn=dc,cn=server,cn=computers,%s" % (school.dn,),

133

					domain = ucr.get('domainname'),

133

					domain = ucr.get('domainname'),

134

					service = ("S4 SlavePDC", _local_ucsschool_service),

134

					service = ("S4 SlavePDC", _local_ucsschool_service),

135

					groups = ("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr)

135

					groups = (school.get_search_base(school.name).educational_dc_group)

136

137

138

				positive_test_fqdn = ".".join((positive_test_hostname, ucr.get('domainname')))

138

				positive_test_fqdn = ".".join((positive_test_hostname, ucr.get('domainname')))

Lines 144-150	Link Here

144

					position = "cn=dc,cn=server,cn=computers,%s" % (school.dn,),

144

					position = "cn=dc,cn=server,cn=computers,%s" % (school.dn,),

145

					domain = ucr.get('domainname'),

145

					domain = ucr.get('domainname'),

146

					service = ("S4 SlavePDC", _not_local_ucsschool_service),

146

					service = ("S4 SlavePDC", _not_local_ucsschool_service),

147

					groups = ("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr)

147

					groups = (school.get_search_base(school.name).educational_dc_group)

148

149

150

				negative_test_fqdn = ".".join((negative_test_hostname, ucr.get('domainname')))

150

				negative_test_fqdn = ".".join((negative_test_hostname, ucr.get('domainname')))




import univention.testing.ucsschool as utu
import univention.testing.udm as udm_test
import univention.testing.utils as utils
from ucsschool.lib.models import School


def listUnion(firstList, secondList):
	return list(set(firstList).union(set(secondList)))


				utils.wait_for_replication_and_postrun()

				basedn = ucr.get('ldap/base')
				search_base = School.get_search_base(school)
				position = search_base.admins
				groups = [search_base.admin_group]
				dn, schooladmin = udm.create_user(position=position, groups=groups)
				groups = ["cn=Domain Admins,cn=groups,%s" % (basedn,)]
				dn, domainadmin = udm.create_user(position=position, groups=groups)




import univention.testing.utils as utils
from essential.importusers_cli_v2 import CLI_Import_v2_Tester
from essential.importusers import Person
from ucsschool.lib.models import SchoolClass, WorkGroup


class Test(CLI_Import_v2_Tester):

		self.log.debug('*** Creating groups...')
		global_group_dn, global_group_name = self.udm.create_group()
		workgroup_A_dn, workgroup_A_name = self.udm.create_group(
			position=WorkGroup.get_container(self.ou_A.name),
			name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
		class_A_dn, class_A_name = self.udm.create_group(
			position=SchoolClass.get_container(self.ou_A.name),
			name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
		cn_A_dn = self.udm.create_object('container/cn', position=self.ou_A.dn, name='kurs-%s' % uts.random_string())
		extra_A_group1_dn, extra_A_group1_name = self.udm.create_group(position=cn_A_dn)

			name="{}-{}".format(self.ou_A.name, uts.random_groupname()))

		workgroup_B_dn, workgroup_B_name = self.udm.create_group(
			position=WorkGroup.get_container(self.ou_B.name),
			name="{}-{}".format(self.ou_B.name, uts.random_groupname()))
		class_B_dn, class_B_name = self.udm.create_group(
			position=SchoolClass.get_container(self.ou_B.name),
			name="{}-{}".format(self.ou_B.name, uts.random_groupname()))
		cn_B_dn = self.udm.create_object('container/cn', position=self.ou_B.dn, name='kurs-%s' % uts.random_string())
		extra_B_group1_dn, extra_B_group1_name = self.udm.create_group(position=cn_B_dn)




import univention.testing.utils as utils
from essential.importusers_cli_v2 import CLI_Import_v2_Tester
from essential.importusers import Person
from ucsschool.lib.models import SchoolClass


class Test(CLI_Import_v2_Tester):


		def create_user_w_two_classes(record_uid, source_uid, same_ou=True):
			cls1_dn, cls1_name = self.udm.create_group(
				position=SchoolClass.get_container(self.ou_A.name),
				name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
			if same_ou:
				dn = self.ou_A.dn

				name = self.ou_B.name
				school = sorted([self.ou_A.name, self.ou_B.name])[0]
			cls2_dn, cls2_name = self.udm.create_group(
				position=SchoolClass.get_container(name),
				name="{}-{}".format(name, uts.random_groupname()))
			person = Person(school, role)
			person.update(record_uid=record_uid, source_uid=source_uid, username=uts.random_username())

(-)ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference (-1 / +2 lines)

Lines 11-16	Link Here

from essential.computerroom import Room, Computers, add_printer, remove_printer, clean_folder, run_commands

from essential.computerroom import Room, Computers, add_printer, remove_printer, clean_folder, run_commands

from essential.internetrule import InternetRule

from essential.internetrule import InternetRule

from essential.workgroup import Workgroup

from essential.workgroup import Workgroup

from ucsschool.lib.models import Share

from univention.testing.ucsschool import UMCConnection

from univention.testing.ucsschool import UMCConnection

from univention.testing.network import NetworkRedirector

from univention.testing.network import NetworkRedirector

import datetime

import datetime

Lines 153-159	Link Here

153

										ucr)

154

										ucr)

154

								# For DEBUG purposes

155

								# For DEBUG purposes

155

								# run_commands([['ucr', 'search', room1.name], ['ucr','search', room2.name], ['atq']], {})

156

								# run_commands([['ucr', 'search', room1.name], ['ucr','search', room2.name], ['atq']], {})

156

								clean_folder('/home/gsmitte/groups/Marktplatz/')

157

								clean_folder('/home/gsmitte/groups/{}/'.format(Share.get_search_base(school).share_name_marktplatz))

157

								clean_folder('/home/%s/lehrer/%s/' % (school, tea))

158

								clean_folder('/home/%s/lehrer/%s/' % (school, tea))

158

							#TODO Exception Errno4

159

							#TODO Exception Errno4

159

							except httplib.HTTPException as e:

160

							except httplib.HTTPException as e:

(-)ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create (-52 / +22 lines)

Lines 9-14	Link Here

import subprocess

import subprocess

import simplejson as json

import simplejson as json

from ucsschool.lib.models import Group

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

import univention.testing.strings as uts

import univention.testing.strings as uts

Lines 46-51	Link Here

	return stdout, stderr, pipe.returncode

	return stdout, stderr, pipe.returncode

def grp_dns(ou_name, edu=True):

	search_base = Group.get_search_base(ou_name)

	if edu:

		return [search_base.educational_ou_dc_group, search_base.educational_dc_group]

	else:

		return [search_base.administrative_ou_dc_group, search_base.administrative_dc_group]

def main():

def main():

	remove_ous = []

	remove_ous = []

	testschool = UCSTestSchool()

	testschool = UCSTestSchool()

Lines 64-73	Link Here

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=False)

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=False)

		else:

		else:

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

			for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

			for grp_dn in grp_dns(ou_name):

						   'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

):

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

		msg = 'new random OU, new random DC'

		msg = 'new random OU, new random DC'

Lines 80-89	Link Here

			utils.fail('Cannot create %s' % msg)

			utils.fail('Cannot create %s' % msg)

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

		for grp_dn in grp_dns(ou_name):

					   'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

):

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

		msg = 'new random OU, existing DC in other OU'

		msg = 'new random OU, existing DC in other OU'

Lines 95-104	Link Here

			utils.fail('Cannot create %s' % msg)

			utils.fail('Cannot create %s' % msg)

		# reusing first DC

		# reusing first DC

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

100

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

101

		for grp_dn in grp_dns(ou_name):

					   'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

100

):

101

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

102

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

102

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

103

104

		msg = 'new random OU with existing DC in cn=computers,BASEDN'

104

		msg = 'new random OU with existing DC in cn=computers,BASEDN'

Lines 119-128	Link Here

119

				utils.fail('Cannot create %s' % msg)

119

				utils.fail('Cannot create %s' % msg)

120

121

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

121

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

122

			for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

122

			for grp_dn in grp_dns(ou_name):

123

						   'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

124

):

125

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

126

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

123

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

127

124

128

125

Lines 136-145	Link Here

136

			utils.fail('Cannot create %s' % msg)

133

			utils.fail('Cannot create %s' % msg)

137

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

134

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

138

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

135

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

139

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

136

		for grp_dn in grp_dns(ou_name):

140

					   'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

141

):

142

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

143

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

137

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

144

138

145

		dc_name = uts.random_string()

139

		dc_name = uts.random_string()

Lines 148-157	Link Here

148

			utils.fail('Cannot create %s' % msg)

142

			utils.fail('Cannot create %s' % msg)

149

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

143

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

150

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

144

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

151

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

145

		for grp_dn in grp_dns(ou_name):

152

					   'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

153

):

154

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

155

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

146

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

156

147

157

148

Lines 167-181	Link Here

167

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

158

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

168

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

159

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

169

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

160

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

170

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

161

		for grp_dn in grp_dns(ou_name):

171

					   'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

172

):

173

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

174

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

162

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

175

		for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s',

163

		for grp_dn in grp_dns(ou_name, False):

176

					   'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s',

177

):

178

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

179

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

164

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

180

165

181

166

Lines 189-198	Link Here

189

			utils.fail('Cannot create %s' % msg)

174

			utils.fail('Cannot create %s' % msg)

190

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

175

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

191

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

176

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

192

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

177

		for grp_dn in grp_dns(ou_name):

193

					   'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

194

):

195

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

196

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

178

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

197

179

198

		dc_name_administrative = uts.random_string()

180

		dc_name_administrative = uts.random_string()

Lines 201-215	Link Here

201

			utils.fail('Cannot create %s' % msg)

183

			utils.fail('Cannot create %s' % msg)

202

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

184

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

203

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

185

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

204

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

186

		for grp_dn in grp_dns(ou_name):

205

					   'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

206

):

207

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

208

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

187

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

209

		for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s',

188

		for grp_dn in grp_dns(ou_name, False):

210

					   'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s',

211

):

212

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

213

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

189

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

214

190

215

		msg = 'new random OU with existing administrative DC in cn=computers,BASEDN'

191

		msg = 'new random OU with existing administrative DC in cn=computers,BASEDN'

Lines 232-246	Link Here

232

208

233

			dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

209

			dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

234

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

210

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

235

			for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

211

			for grp_dn in grp_dns(ou_name):

236

						   'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s',

237

):

238

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

239

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

212

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

240

			for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s',

213

			for grp_dn in grp_dns(ou_name, False):

241

						   'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s',

242

):

243

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

244

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

214

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

245

215

246

	finally:

216

	finally:




#!/usr/share/ucs-test/runner python
## -*- coding: utf-8 -*-
## desc: check marktplatz creation
## roles: [domaincontroller_master]
## tags: [apptest,ucsschool]
## exposure: dangerous
## packages: [ucs-school-umc-computerroom]
## bugs: [40785, 41231]

import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.strings as uts
from univention.testing import utils
from univention.config_registry import handler_set, handler_unset


def main():
	with utu.UCSTestSchool() as schoolenv, ucr_test.UCSTestConfigRegistry() as ucr:
		for should_exist, variable, name in [(False, None, ''), (True, 'yes', 'Marktplatz'), (True, 'yes', uts.random_name()), (False, 'no', '')]:
			if variable is None:
				handler_unset(['ucsschool/import/generate/share/marktplatz'])
			else:
				print '### Setting ucsschool/import/generate/share/marktplatz=%s.' % variable
				handler_set(['ucsschool/import/generate/share/marktplatz=%s' % (variable,)])

			print '### Creating school. Expecting Marktplatz to exists = %r' % (should_exist,)
			if should_exist:
				if name:
					print '### Setting share name to %r.' % name
					handler_set(['ucsschool/import/generate/share/marktplatz/name={}'.format(name)])
				else:
					print '### Not setting share name, should be "Marktplatz".'
					handler_unset(['ucsschool/import/generate/share/marktplatz/name'])

			school, oudn = schoolenv.create_ou(name_edudc=ucr.get('hostname'))
			utils.wait_for_replication()
			utils.verify_ldap_object(
				'cn={},cn=shares,{}'.format(name or 'Marktplatz', oudn),
				strict=True,
				should_exist=should_exist)

if __name__ == '__main__':
	main()




from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import ClassShare, Share


def main():

			acl.assert_teacher_group('write')
			acl.assert_student_group('write')

			shares_dn = Share.get_container(school)
			acl.assert_shares(shares_dn, 'write')
			shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
			acl.assert_shares(shares_dn, 'write')
			shares_dn = ClassShare.get_container(school)
			acl.assert_shares(shares_dn, 'read')

			acl.assert_temps('write')

(-)ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff (-1 / +2 lines)

Lines 10-15	Link Here

from essential.acl import Acl

from essential.acl import Acl

from essential.computerroom import Computers

from essential.computerroom import Computers

from essential.schoolroom import ComputerRoom

from essential.schoolroom import ComputerRoom

from ucsschool.lib.models import Share

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

Lines 50-56	Link Here

			share_dn = open_ldap_co.searchDn(filter=filter_format('(&(objectClass=univentionShare)(cn=%s))', (class_name,)))[0]

			share_dn = open_ldap_co.searchDn(filter=filter_format('(&(objectClass=univentionShare)(cn=%s))', (class_name,)))[0]

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')

			share_dn = 'cn=Marktplatz,cn=shares,%s' % (oudn,)

			share_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')




from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import ClassShare, Share


def main():

			acl.assert_teacher_group('write')
			acl.assert_student_group('write')

			shares_dn = Share.get_container(school)
			acl.assert_shares(shares_dn, 'write')
			shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
			acl.assert_shares(shares_dn, 'write')
			shares_dn = ClassShare.get_container(school)
			acl.assert_shares(shares_dn, 'read')

			acl.assert_temps('write')




from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import ClassShare, Share


def main():


			acl.assert_teacher_group('write')

			shares_dn = Share.get_container(school)
			acl.assert_shares(shares_dn, 'write')
			shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
			acl.assert_shares(shares_dn, 'write')
			shares_dn = ClassShare.get_container(school)
			acl.assert_shares(shares_dn, 'read')

			acl.assert_temps('write')




from univention.uldap import getMachineConnection
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import Group, Policy


class FailAcl(Exception):
	pass


			room = ComputerRoom(school, host_members=computers_dns)
			room.add()

			room_container_dn = ComputerRoom.get_container(school)
			shares_dn = 'cn=shares,%s' % school_dn

			# unused?
			#
			# shares_dn = search_base.shares
			#
			# teacher_group2_dn = search_base.teachers_ou_group
			# student_group2_dn = search_base.students_ou_group
			#
			# teacher_group_dn = search_base.teachers_group
			# student_group_dn = search_base.students_group

			teacher_group_dn = 'cn=lehrer,cn=groups,%s' % school_dn
			student_group_dn = 'cn=schueler,cn=groups,%s' % school_dn

			gid_temp_dn = 'cn=gid,cn=temporary,cn=univention,%s' % base_dn
			gidNumber_temp_dn = 'cn=gidNumber,cn=temporary,cn=univention,%s' % base_dn
			sid_temp_dn = 'cn=sid,cn=temporary,cn=univention,%s' % base_dn

			mac_temp_dn = 'cn=mac,cn=temporary,cn=univention,%s' % base_dn

			global_univention_dn = 'cn=univention,%s' % base_dn
			global_policies_dn = Policy.get_container(school)
			global_dns_dn = 'cn=dns,%s' % base_dn
			global_groups_dn = Group.get_container(school)

			dhcp_dn = 'cn=%s,cn=%s,cn=dhcp,%s' % (computers_hostnames[0], school, base_dn)





@!@
# -*- coding: utf-8 -*-
import re


def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}

	while 1:
		i = variable_token.finditer(template)
		try:
			start = i.next()
			end = i.next()
			name = template[start.end():end.start()]

			template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():]
		except StopIteration:
			break

	return template


aclset += """
# -*- coding: utf-8 -*-

# Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren
access to filter="(objectClass=sambaDomain)"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by * none break

# Slave-Controller und Memberserver duerfen ausschliesslich den univention-Container replizieren
access to dn="cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller may replicate license container
access to dn.subtree="cn=license,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller duerfen custom attributes-Container und dessen Inhalt replizieren
access to dn.subtree="cn=custom attributes,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller benoetigen den Console-Container fuer die Berechtigungen an der Lehrerconsole
access to dn.subtree="cn=console,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# Slave-Controller benoetigen den UMC-Container fuer die Berechtigungen an der Lehrerconsole
access to dn.subtree="cn=UMC,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# grant write access to domaincontroller slave/member server for certain univention app center settings
access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)"
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by * none break

access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by * none break

access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by * none break

# grant read access to domaincontroller slave/member server for all other univention app center settings
access to dn.subtree="cn=apps,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=udm_module,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=udm_hook,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=udm_syntax,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=ldapacl,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=ldapschema,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# Slave-Controller und Member-Server benoetigen idmap-Container
access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by * none break 

# Slave-Controller und Member-Server benoetigen ID-Mapping
access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by * none break

# Slave-Controller und Memberserver duerfen samba-Container und dessen Inhalt replizieren
access to dn.subtree="cn=samba,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller needs the builtin groups
access to dn.subtree="cn=Builtin,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# sonst duerfen sie nichts aus cn=univention,BASEDN replizieren
access to dn.subtree="cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by * none break




def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'DISTRICT':       'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '',
		'PUPILS':         configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'),
		'TEACHERS':       configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'),
		'STAFF':          configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'),
		'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'),
		'ADMINS':         configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'),
		'GRPADMINS':      configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'),
		'ROOMS':          configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'),
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}


	while 1:
		i = variable_token.finditer(template)
		try:

	return template


if configRegistry.is_true('ucsschool/ldap/district/enable','no'):
if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ):
   aclset += """
# DCs und Memberserver erhalten Lesezugriff auf das OU-Objekt selbst (im DISTRICT-Mode notwendig)
access to dn.regex="^ou=([^,]+),@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

"""


# Slave controllers and memberservers require write access to virtual machine manager objects
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * read break

access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * read break

access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * read break


# Slave controller and memberservers may replicate the Virtual Machine Manager container
access to dn.subtree="cn=Virtual Machine Manager,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * read break

# Slave controller and memberservers may replicate the mail container
access to dn.subtree="cn=mail,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * read break

access to dn.regex="^@%@ldap/base@%@$$"


# DC Slaves need write access to the members of the group Domain Computers
access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by * none break

# Slave-Controller und Memberserver duerfen globale Container computers, shares, dns, dhcp, kerberos und policies sowie Benutzer lesen
access to dn.regex="(^(.+,)?cn=(groups|dns|dhcp|policies|computers|kerberos|shares),|^(uid=[^,]+,|)cn=users,|^)@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

# Slave DCs can read MS system container
access to dn.base="cn=system,@%@ldap/base@%@"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
    by * none break

# Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects
access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by * none break

# Slave DCs can read and write policy containers for MS WMI filter objects
access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by * none break

# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern

	by * none break

# Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten
access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * none break

access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * none break



# domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers
access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * none break

# domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users
access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * none break

# domaincontroller slaves and memberservers may replicate the OU "domain controllers"
access to dn.subtree="ou=domain controllers,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * read break

# Memberserver duerfen bestimmte Attribute lesen
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

# Slave-Controller duerfen Eintraege Ihrer ou lesen und schreiben (Passwortaenderungen etc.)
# Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
    by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" read
    by dn.regex="^uid=(.+,)?cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" none break
    by dn.regex="^uid=(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" none


# Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!)
access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * none break

access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * none break

# Slave-Controller duerfen nagios-Container und Inhalt replizieren
access to dn.subtree="cn=nagios,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

# Schüler, Lehrer, Mitarbeiter, Admins duerfen globale Container univention, policies, groups und dns lesen 


# Slave-Controller und normale Lehrer duerfen sonst nichts lesen, Schueler sowieso nicht
access to *
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * none break

"""




## bugs: [40870, 41601, 41609, 41620]
## exposure: dangerous

import os.path
from univention.testing.ucsschool import UCSTestSchool
from univention.testing.ucr import UCSTestConfigRegistry
from univention.testing.udm import UCSTestUDM

		# TODO: change school and uid at once!
		# TODO: user without classes

		search_base = User.get_search_base(b)
		domain_users_school = 'cn=Domain Users {},{}'.format(b, search_base.groups)
		teacher_group = search_base.teachers_ou_group
		staff_group = search_base.staff_ou_group
		students_group = search_base.students_ou_group
		grp1_name = uts.random_username()
		grp2_name = uts.random_username()
		two_klasses = '{0}-{1},{0}-{2}'.format(a, grp1_name, grp2_name)
		workgroup_dn, workgroup_name = udm.create_group(position=WorkGroup.get_container(a))
		global_group_dn, global_group_name = udm.create_group()

		search_base = User.get_search_base(a)
		users = [
			(env.create_user(a, classes=two_klasses), [students_group, domain_users_school, global_group_dn]),
			(env.create_user(a, is_teacher=True, classes=two_klasses), [domain_users_school, teacher_group, global_group_dn]),
			(env.create_user(a, is_staff=True), [domain_users_school, staff_group, global_group_dn]),
			(env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), [domain_users_school, teacher_group, staff_group, global_group_dn]),
			(env.create_user(a, is_staff=True), 'mitarbeiter',
				[domain_users_school, staff_group, global_group_dn]),
			(env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), 'lehrer',
				[domain_users_school, teacher_group, staff_group, global_group_dn]),
		]
		lo = env.open_ldap_connection()
		workgroup = WorkGroup.from_dn(workgroup_dn, a, lo)
		users_dns = [dn for (user, dn,), groups in users]
		udm.modify_object('groups/group', dn=global_group_dn, append={'users': users_dns})
		workgroup.users.extend(users_dns)
		workgroup.modify(lo)

		for (user, dn,), groups in users:

			print '################################'
			print '#### moving user at', dn, 'to', b


			user = User.from_dn(dn, a, lo)
			attrs = {
				'homeDirectory': [os.path.join('/home/', user.get_roleshare_home_subdir(), user.name)],
				'ucsschoolSchool': [b],
				'departmentNumber': [b],
				# TODO: add sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath

(-)ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo (-2 / +2 lines)

Lines 26-32	Link Here

from datetime import datetime, timedelta

from datetime import datetime, timedelta

from ucsschool.lib.schoolldap import SchoolSearchBase

from ucsschool.lib.schoolldap import SchoolSearchBase

from ucsschool.lib.models import School

from ucsschool.lib.models import School, SchoolClass

from essential.computerroom import Room

from essential.computerroom import Room

from essential.exam import Exam

from essential.exam import Exam

Lines 566-572	Link Here

566

	klasse_dn = udm.create_object(

566

	klasse_dn = udm.create_object(

567

		'groups/group',

567

		'groups/group',

568

		name=schoolclassname,

568

		name=schoolclassname,

569

		position="cn=klassen,cn=schueler,cn=groups,%s" % school_dn

569

		position=SchoolClass.get_container(school)

570

571

572

	student_pwd = "univention"

572

	student_pwd = "univention"




import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.strings as uts
from ucsschool.lib.models import ComputerRoom, School


class FailAcl(Exception):

		self.access_allowance = access_allowance
		self.ucr = ucr_test.UCSTestConfigRegistry()
		self.ucr.load()
		self.search_base = School.get_search_base(self.school)

	def assert_acl(self, target_dn, access, attrs, access_allowance=None):
		"""Test ACL rule:\n

	def assert_room(self, room_dn, access):
		"""Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten
		"""
		target_dn = ComputerRoom.get_container(self.school)
		attrs = [
			'children',
			'entry',

		"""Lehrer, Mitarbeiter und Mitglieder der lokalen Administratoren
		duerfen Arbeitsgruppen anlegen und aendern
		"""
		group_dn = self.search_base.teachers_group
		attrs = [
			'children',
			'entry',

		self.assert_acl(group_dn, access, attrs)

	def assert_student_group(self, access):
		group_dn = self.search_base.students_group
		attrs = [
			'children',
			'entry',

(-)ucs-test-ucsschool/90_ucsschool/essential/computerroom.py (-12 / +16 lines)

Lines 7-12	Link Here

from ucsschool.lib.models import IPComputer as IPComputerLib

from ucsschool.lib.models import IPComputer as IPComputerLib

from ucsschool.lib.models import MacComputer as MacComputerLib

from ucsschool.lib.models import MacComputer as MacComputerLib

from ucsschool.lib.models import WindowsComputer as WindowsComputerLib

from ucsschool.lib.models import WindowsComputer as WindowsComputerLib

from ucsschool.lib.models import School as SchoolLib

from ucsschool.lib.models import ComputerRoom as ComputerRoomLib

from univention.testing.ucsschool import UMCConnection

from univention.testing.ucsschool import UMCConnection

import copy

import copy

import datetime

import datetime

Lines 92-101	Link Here

	def __init__(self, school, name=None, dn=None, description=None, host_members=None):

	def __init__(self, school, name=None, dn=None, description=None, host_members=None):

		self.school = school

		self.school = school

		self.name = name if name else uts.random_name()

		self.name = name if name else uts.random_name()

		self.dn = dn if dn else 'cn=%s-%s,cn=raeume,cn=groups,%s' % (

		self.dn = dn if dn else ComputerRoomLib(school=school, name='{}-{}'.format(school, self.name)).dn

			school, self.name, utu.UCSTestSchool().get_ou_base_dn(school))

		self.description = description if description else uts.random_name()

		self.description = description if description else uts.random_name()

		self.host_members = host_members or []

		self.host_members = host_members or []

100

		self.marktplatz_name = SchoolLib.get_search_base(self.school).share_name_marktplatz

101

100

	def get_room_user(self, umc_connection):

102

	def get_room_user(self, umc_connection):

101

		print 'Executing command: computerroom/rooms in school:', self.school

103

		print 'Executing command: computerroom/rooms in school:', self.school

Lines 286-320	Link Here

286

			utils.fail('Write to home directory result (%r), expected (%r)' % (write[0], expected_result))

288

			utils.fail('Write to home directory result (%r), expected (%r)' % (write[0], expected_result))

287

289

288

	def check_marktplatz_read(self, user, ip_address, passwd='univention', expected_result=0):

290

	def check_marktplatz_read(self, user, ip_address, passwd='univention', expected_result=0):

289

		print '.... Check Marktplatz read ....'

291

		print '.... Check Marktplatz ({}) read ....'.format(self.marktplatz_name)

290

		cmd_read_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'dir']

292

		cmd_read_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'dir']

291

		read = run_commands(

293

		read = run_commands(

292

			[cmd_read_marktplatz],

294

			[cmd_read_marktplatz],

293

295

294

				'ip': ip_address,

296

				'ip': ip_address,

295

				'user': '{0}%{1}'.format(user, passwd)

297

				'user': '{0}%{1}'.format(user, passwd),

298

				'marktplatz_name': self.marktplatz_name

296

299

297

300

298

		if read[0] != expected_result:

301

		if read[0] != expected_result:

299

			print 'FAIL .. Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result)

302

			print 'FAIL .. Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result)

300

			utils.fail('Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result))

303

			utils.fail('Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result))

301

304

302

	def check_marktplatz_write(self, user, ip_address, passwd='univention', expected_result=0):

305

	def check_marktplatz_write(self, user, ip_address, passwd='univention', expected_result=0):

303

		print '.... Check Marktplatz write ....'

306

		print '.... Check Marktplatz ({}) write ....'.format(self.marktplatz_name)

304

		f = tempfile.NamedTemporaryFile(dir='/tmp')

307

		f = tempfile.NamedTemporaryFile(dir='/tmp')

305

		cmd_write_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'put %(filename)s']

308

		cmd_write_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'put %(filename)s']

306

		write = run_commands(

309

		write = run_commands(

307

			[cmd_write_marktplatz],

310

			[cmd_write_marktplatz],

308

311

309

				'ip': ip_address,

312

				'ip': ip_address,

310

				'user': '{0}%{1}'.format(user, passwd),

313

				'user': '{0}%{1}'.format(user, passwd),

311

				'filename': '%s %s' % (f.name, f.name.split('/')[-1])

314

				'filename': '%s %s' % (f.name, f.name.split('/')[-1]),

315

				'marktplatz_name': self.marktplatz_name

312

316

313

317

314

		f.close()

318

		f.close()

315

		if write[0] != expected_result:

319

		if write[0] != expected_result:

316

			print 'FAIL .. Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result)

320

			print 'FAIL .. Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result)

317

			utils.fail('Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result))

321

			utils.fail('Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result))

318

322

319

	def check_share_access(self, user, ip_address, expected_home_result, expected_marktplatz_result):

323

	def check_share_access(self, user, ip_address, expected_home_result, expected_marktplatz_result):

320

		self.check_home_read(user, ip_address, expected_result=expected_home_result)

324

		self.check_home_read(user, ip_address, expected_result=expected_home_result)




import univention.testing.strings as uts
import univention.testing.ucr as ucr_test
import univention.testing.utils as utils
from ucsschool.lib.models import School


class Distribution(object):

		path = ''
		self.ucr.load()
		roleshare = self.ucr.get('ucsschool/import/roleshare')
		collect_from = self.ucr.get('ucsschool/datadistribution/datadir/sender', 'Unterrichtsmaterial')
		distribute_to = self.ucr.get('ucsschool/datadistribution/datadir/recipient', 'Unterrichtsmaterial')
		search_base = School.get_search_base(self.school)
		if purpose == 'distribute':
			if roleshare == 'no' or roleshare is False:
				path = '/home/{}/{}/{}/'.format(user, distribute_to, self.name)
			else:
				path = '/home/{}/{}/{}/{}/{}'.format(
					self.school,
					search_base.share_name_pupils,
					user,
					distribute_to,
					self.name)
		elif purpose == 'collect':
			if roleshare == 'no' or roleshare is False:
				path = '/home/{}/{}/{}/{}/'.format(
						self.sender,
						collect_from,
						self.name,
						user)
			else:
				path = '/home/{}/{}/{}/{}/{}/{}'.format(
					self.school,
					search_base.share_name_teachers,
					self.sender,
					collect_from,
					self.name,
					user)
		return path




import univention.testing.strings as uts
import univention.testing.ucr as ucr_test
import univention.testing.utils as utils
from ucsschool.lib.models import School


class StartFail(Exception):

		self.shareMode = shareMode
		self.internetRule = internetRule
		self.customRule = customRule
		self.search_base = School.get_search_base(self.school)

		if umcConnection:
			self.umcConnection = umcConnection

	def check_collect(self):
		account = utils.UCSTestDomainAdminCredentials()
		admin = account.username
		path = '/home/%s/%s/%s' % (admin, self.search_base.share_name_exams, self.name)
		path_files = get_dir_files(path)
		if not set(self.files).issubset(set(path_files)):
			utils.fail('%r were not collected to %r' % (self.files, path))

			utils.fail('%r were not uploaded to %r' % (self.files, path))

	def check_distribute(self):
		path = '/home/%s/%s' % (self.school, self.search_base.share_name_pupils)
		path_files = get_dir_files(path)
		if not set(self.files).issubset(set(path_files)):
			utils.fail('%r were not uploaded to %r' % (self.files, path))

(-)ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py (-5 / +5 lines)

Lines 144-154	Link Here

144

		print 'verify computer: %s' % self.name

144

		print 'verify computer: %s' % self.name

145

146

		utils.verify_ldap_object(self.dn, expected_attr=self.expected_attributes(), should_exist=True)

146

		utils.verify_ldap_object(self.dn, expected_attr=self.expected_attributes(), should_exist=True)

147

		search_base = SchoolLib.get_search_base(self.school)

148

		verwaltung_member_group1 = 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base'))

148

		verwaltung_member_group1 = search_base.administrative_ou_member_group

149

		verwaltung_member_group2 = 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base'))

149

		verwaltung_member_group2 = search_base.administrative_member_group

150

		edukativ_member_group1 = 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base'))

150

		edukativ_member_group1 = search_base.educational_ou_member_group

151

		edukativ_member_group2 = 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base'))

151

		edukativ_member_group2 = search_base.educational_member_group

152

		if self.zone == 'verwaltung':

152

		if self.zone == 'verwaltung':

153

			utils.verify_ldap_object(verwaltung_member_group1, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)

153

			utils.verify_ldap_object(verwaltung_member_group1, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)

154

			utils.verify_ldap_object(verwaltung_member_group2, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)

154

			utils.verify_ldap_object(verwaltung_member_group2, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)




import univention.testing.strings as uts
from ucsschool.lib.models import SchoolClass as GroupLib
from ucsschool.lib.models import School as SchoolLib
from ucsschool.lib.models import ClassShare as ClassShareLib
import ucsschool.lib.models.utils

from essential.importou import remove_ou, get_school_base

configRegistry = univention.config_registry.ConfigRegistry()
configRegistry.load()

cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')


class Group:

	def __init__(self, school):


		self.school_base = get_school_base(self.school)

		self.dn = GroupLib(school=self.school, name=self.name).dn
		self.share_dn = ClassShareLib(school=self.school, name=self.name).dn

	def set_mode_to_modify(self):
		self.mode = 'M'

(-)ucs-test-ucsschool/90_ucsschool/essential/importou.py (-59 / +57 lines)

Lines 11-16	Link Here

import random

import random

import subprocess

import subprocess

import string

import string

import ldap

import univention.admin.modules

import univention.admin.modules

import univention.admin.filter

import univention.admin.filter

univention.admin.modules.update()

univention.admin.modules.update()

Lines 299-310	Link Here

299

	old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

300

	old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

300

	lo = univention.uldap.getMachineConnection()

301

	lo = univention.uldap.getMachineConnection()

301

	base_dn = ucr.get('ldap/base')

302

	base_dn = ucr.get('ldap/base')

303

	search_base = School.get_search_base(ou)

302

304

303

	cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')

305

	cn_pupils = ldap.explode_dn(search_base.students, True)[0]

304

	cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer')

306

	cn_teachers = ldap.explode_dn(search_base.teachers, True)[0]

305

	cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')

307

	cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0]

306

	cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')

308

	cn_admins = ldap.explode_dn(search_base.admins, True)[0]

307

	cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

309

	cn_staff = ldap.explode_dn(search_base.staff, True)[0]

310

	cn_class = ldap.explode_dn(search_base.classes, True)[0]

311

	cn_rooms = ldap.explode_dn(search_base.rooms, True)[0]

308

312

309

	singlemaster = ucr.is_true('ucsschool/singlemaster')

313

	singlemaster = ucr.is_true('ucsschool/singlemaster')

310

	noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

314

	noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

Lines 332-374	Link Here

332

336

333

	utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [sharefileserver_dn], 'ucsschoolHomeShareFileServer': [sharefileserver_dn]}, should_exist=must_exist)

337

	utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [sharefileserver_dn], 'ucsschoolHomeShareFileServer': [sharefileserver_dn]}, should_exist=must_exist)

334

338

335

	utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist)

339

	utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist)

336

	utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist)

340

	utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist)

337

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

341

	utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

338

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

342

	utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

339

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

343

	utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

340

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

341

344

342

	utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist)

345

	utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist)

343

	utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

346

	utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

344

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

347

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

345

	utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist)

348

	utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist)

346

	utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist)

349

	utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist)

347

	utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

350

	utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

348

	utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

351

	utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

349

	utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist)

352

	utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

350

	utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist)

353

	utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist)

351

354

352

	utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

355

	utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

353

	utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist)

356

	utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist)

354

	utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist)

357

	utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist)

355

	utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist)

358

	utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

356

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

359

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

357

360

358

	if noneducational_create_objects:

361

	if noneducational_create_objects:

359

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist)

362

		utils.verify_ldap_object(search_base.staff, should_exist=must_exist)

360

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist)

363

		utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist)

361

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist)

364

		utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist)

362

	else:

365

	else:

363

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False)

366

		utils.verify_ldap_object(search_base.staff, should_exist=False)

364

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False)

367

		utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False)

365

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False)

368

		utils.verify_ldap_object(search_base.staff_group, should_exist=False)

366

369

367

	if noneducational_create_objects:

370

	if noneducational_create_objects:

368

		utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

371

		utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True)

369

		utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

372

		utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True)

370

		utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

373

		utils.verify_ldap_object(search_base.administrative_ou_dc_group)

371

		utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

374

		utils.verify_ldap_object(search_base.administrative_ou_member_group)

372

	# This will fail because we don't cleanup these groups in cleanup_ou

375

	# This will fail because we don't cleanup these groups in cleanup_ou

373

	#else:

376

	#else:

374

	#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

377

	#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

Lines 382-403	Link Here

382

	if dc_administrative:

385

	if dc_administrative:

383

		verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

386

		verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

384

387

385

	grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')

386

	grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')

387

	grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')

388

	grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

389

390

	grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

388

	grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

391

	grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

389

	grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

392

	grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

390

	grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

393

	grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

391

	grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

394

392

395

	utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

393

	utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

396

	utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

394

	utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

397

	utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

395

	utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

398

396

399

	if noneducational_create_objects:

397

	if noneducational_create_objects:

400

		utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

398

		utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

401

399

402

	dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

400

	dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

403

	dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

401

	dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

Lines 413-420	Link Here

413

	# check group membership

411

	# check group membership

414

	#  slave should be member

412

	#  slave should be member

415

	#  master and backup should not be member

413

	#  master and backup should not be member

416

	dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn),

414

	dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]

417

				"cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)]

418

415

419

	if must_exist:

416

	if must_exist:

420

		if masterobjs:

417

		if masterobjs:

Lines 490-522	Link Here

490

		base_dn = ucr.get('ldap/base')

487

		base_dn = ucr.get('ldap/base')

491

	ou_base = get_ou_base(ou, ucr.is_true('ucsschool/ldap/district/enable', False))

488

	ou_base = get_ou_base(ou, ucr.is_true('ucsschool/ldap/district/enable', False))

492

	dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, ou_base)

489

	dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, ou_base)

490

	search_base = School.get_search_base(ou)

493

491

494

	# define list of (un-)desired group memberships ==> [(IS_MEMBER, GROUP_DN), ...]

492

	# define list of (un-)desired group memberships ==> [(IS_MEMBER, GROUP_DN), ...]

495

	group_dn_list = []

493

	group_dn_list = []

496

	if dc_type == TYPE_DC_ADMINISTRATIVE:

494

	if dc_type == TYPE_DC_ADMINISTRATIVE:

497

		group_dn_list += [

495

		group_dn_list += [

498

			(True, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

496

			(True, search_base.administrative_ou_dc_group),

499

			(True, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

497

			(True, search_base.administrative_dc_group),

500

			(False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn),

498

			(False, search_base.administrative_member_group),

501

			(False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

499

			(False, search_base.administrative_ou_member_group),

502

			(False, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

500

			(False, search_base.educational_ou_dc_group),

503

			(False, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

501

			(False, search_base.educational_dc_group),

504

			(False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn),

502

			(False, search_base.educational_member_group),

505

			(False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

503

			(False, search_base.educational_ou_member_group),

506

504

507

	else:

505

	else:

508

		group_dn_list += [

506

		group_dn_list += [

509

			(True, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

507

			(True, search_base.educational_ou_dc_group),

510

			(True, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

508

			(True, search_base.educational_dc_group),

511

			(False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn),

509

			(False, search_base.educational_member_group),

512

			(False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

510

			(False, search_base.educational_ou_member_group),

513

511

514

		if ucr.is_true('ucsschool/ldap/noneducational/create/objects', must_exist):

512

		if ucr.is_true('ucsschool/ldap/noneducational/create/objects', must_exist):

515

			group_dn_list += [

513

			group_dn_list += [

516

				(False, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

514

				(False, search_base.administrative_ou_dc_group),

517

				(False, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

515

				(False, search_base.administrative_dc_group),

518

				(False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn),

516

				(False, search_base.administrative_member_group),

519

				(False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

517

				(False, search_base.administrative_ou_member_group),

520

518

521

519

522

	utils.verify_ldap_object(dc_dn, should_exist=must_exist)

520

	utils.verify_ldap_object(dc_dn, should_exist=must_exist)




from univention.testing.decorators import SetTimeout
import univention.uldap
import univention.config_registry
from ucsschool.lib.models import SchoolClass as SchoolClassLib
from ucsschool.lib.models import Student as StudentLib
from ucsschool.lib.models import Teacher as TeacherLib
from ucsschool.lib.models import Staff as StaffLib

configRegistry = univention.config_registry.ConfigRegistry()
configRegistry.load()

cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer')
cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')


class Person(object):

	def __init__(self, school, role):

		self.username = uts.random_name()
		self.school = school
		self.schools = [school]
		self.search_base = SchoolLib.get_search_base(self.school)
		self.role = role
		self.record_uid = None
		self.source_uid = None

		self.mail = '%s@%s' % (self.username, configRegistry.get('domainname'))
		self.school_classes = {}
		if self.is_student():
			self.user_type = StudentLib
			self.role_group_dn = self.search_base.students_ou_group
		elif self.is_teacher():
			self.user_type = TeacherLib
			self.role_group_dn = self.search_base.teachers_ou_group
		elif self.is_teacher_staff():
			self.user_type = TeachersAndStaffLib
			self.role_group_dn = self.search_base.teachers_ou_group
		elif self.is_staff():
			self.user_type = StaffLib
			self.role_group_dn = self.search_base.staff_ou_group
		self.mode = 'A'
		self.active = True
		self.password = None

		self.append_random_groups()

	def make_dn(self):
		return self.user_type(school=self.school, name=self.username).dn

	def make_school_base(self):
		return get_school_base(self.school)

		if self.description:
			attr['description'] = [self.description]

		subdir = ''
		if configRegistry.is_true('ucsschool/import/roleshare', True):
			subdir = self.user_type(school=self.school, name=self.username).get_roleshare_home_subdir()
		else:
			subdir = ''
		attr['homeDirectory'] = [os.path.join('/home', subdir, self.username)]
			elif self.is_teacher_staff():
				subdir = os.path.join(self.school, 'lehrer')
			elif self.is_staff():
				subdir = os.path.join(self.school, 'mitarbeiter')
		attr['homeDirectory'] = ['/home/%s' % os.path.join(subdir, self.username)]

		if self.is_active():
			attr['krb5KDCFlags'] = ['126']


		for school, classes in self.school_classes.iteritems():
			for cl in classes:
				cl_group_dn = SchoolClassLib(school=school, name=cl).dn
				utils.verify_ldap_object(cl_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)

		utils.verify_ldap_object(self.role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)
		utils.verify_ldap_object(role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)
		print 'person OK: %s' % self.username



(-)ucs-test-ucsschool/90_ucsschool/essential/internetrule.py (-2 / +2 lines)

Lines 16-21	Link Here

import univention.testing.utils as utils

import univention.testing.utils as utils

from univention.testing.ucsschool import UCSTestSchool

from univention.testing.ucsschool import UCSTestSchool

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

from ucsschool.lib.models import SchoolClass as SchoolClassLib

class InternetRule(object):

class InternetRule(object):

Lines 240-247	Link Here

240

			ucsschool = UCSTestSchool()

241

			ucsschool = UCSTestSchool()

241

			groupdn = ucsschool.get_workinggroup_dn(school, groupName)

242

			groupdn = ucsschool.get_workinggroup_dn(school, groupName)

242

		elif groupType == 'class':

243

		elif groupType == 'class':

243

			groupdn = 'cn=%s-%s,cn=klassen,cn=schueler,cn=groups,%s' % (

244

			groupdn = SchoolClassLib(school=schoolenv.name, name="{}-{}".format(school, groupName)).dn

244

				school, groupName, school_basedn)

245

246

		if default:

246

		if default:

247

			name = '$default$'

247

			name = '$default$'




from univention.testing.ucsschool import UMCConnection
import univention.testing.ucr as ucr_test
from univention.testing.ucsschool import UCSTestSchool
from ucsschool.lib.models import SchoolClass as SchoolClassLib


class GetFail(Exception):

					k, classes_names))

	def dn(self):
		return SchoolClassLib(school=self.school, name="{}-{}".format(self.school, self.name)).dn
			self.school, self.name, UCSTestSchool().get_ou_base_dn(self.school)
		)

	def get(self):
		"""Get class"""

(-)ucs-test-ucsschool/90_ucsschool/essential/school.py (-45 / +44 lines)

Lines 4-9	Link Here

.. moduleauthor:: Ammar Najjar <najjar@univention.de>

.. moduleauthor:: Ammar Najjar <najjar@univention.de>

"""

"""

import ldap

from essential.importcomputers import random_ip

from essential.importcomputers import random_ip

from essential.importou import DCNotFound, DCMembership, DhcpdLDAPBase, TYPE_DC_ADMINISTRATIVE

from essential.importou import DCNotFound, DCMembership, DhcpdLDAPBase, TYPE_DC_ADMINISTRATIVE

from essential.importou import get_ou_base, verify_dc, get_school_ou_from_dn, TYPE_DC_EDUCATIONAL

from essential.importou import get_ou_base, verify_dc, get_school_ou_from_dn, TYPE_DC_EDUCATIONAL

Lines 13-18	Link Here

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

import univention.uldap

import univention.uldap

from ucsschool.lib.models import (School as LibSchool, ComputerRoom as LibComputerRoom, SchoolClass as LibSchoolClass,

	Staff as LibStaff, TeachersAndStaff as LibTeachersAndStaff, Teacher as LibTeacher, Student as LibStudent)

class GetFail(Exception):

class GetFail(Exception):

Lines 190-196	Link Here

190

				k, names))

193

				k, names))

191

194

192

	def dn(self):

195

	def dn(self):

193

		 return UCSTestSchool().get_ou_base_dn(self.name)

196

		return UCSTestSchool().get_ou_base_dn(self.name)

194

197

195

	def remove(self):

198

	def remove(self):

196

		"""Remove school"""

199

		"""Remove school"""

Lines 278-289	Link Here

278

		old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

281

		old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

279

		lo = univention.uldap.getMachineConnection()

282

		lo = univention.uldap.getMachineConnection()

280

		base_dn = ucr.get('ldap/base')

283

		base_dn = ucr.get('ldap/base')

284

		search_base = LibSchool.get_search_base(ou)

281

285

282

		cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')

286

		cn_pupils = ldap.explode_dn(LibStudent.get_container(ou), True)[0]

283

		cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer')

287

		cn_teachers = ldap.explode_dn(LibTeacher.get_container(ou), True)[0]

284

		cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')

288

		cn_teachers_staff = ldap.explode_dn(LibTeachersAndStaff.get_container(ou), True)[0]

285

		cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')

289

		cn_admins = ldap.explode_dn(search_base.admins, True)[0]

286

		cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

290

		cn_staff = ldap.explode_dn(LibStaff.get_container(ou), True)[0]

291

		cn_class = ldap.explode_dn(LibSchoolClass.get_container(ou), True)[0]

292

		cn_rooms = ldap.explode_dn(LibComputerRoom.get_container(ou), True)[0]

287

293

288

		singlemaster = ucr.is_true('ucsschool/singlemaster')

294

		singlemaster = ucr.is_true('ucsschool/singlemaster')

289

		noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

295

		noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

Lines 317-359	Link Here

317

323

318

		utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [classsharefileserver_dn], 'ucsschoolHomeShareFileServer': [homesharefileserver_dn]}, should_exist=must_exist)

324

		utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [classsharefileserver_dn], 'ucsschoolHomeShareFileServer': [homesharefileserver_dn]}, should_exist=must_exist)

319

325

320

		utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist)

326

		utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist)

321

		utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist)

327

		utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist)

322

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

328

		utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

323

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

329

		utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

324

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

330

		utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

325

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

326

331

327

		utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist)

332

		utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist)

328

		utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

333

		utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

329

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

334

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

330

		utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist)

335

		utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist)

331

		utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist)

336

		utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist)

332

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

337

		utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

333

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

338

		utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

334

		utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist)

339

		utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

335

		utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist)

340

		utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist)

336

341

337

		utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

342

		utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

338

		utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist)

343

		utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist)

339

		utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist)

344

		utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist)

340

		utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist)

345

		utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

341

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

346

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

342

347

343

		if noneducational_create_objects:

348

		if noneducational_create_objects:

344

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist)

349

			utils.verify_ldap_object(search_base.staff, should_exist=must_exist)

345

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist)

350

			utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist)

346

			utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist)

351

			utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist)

347

		else:

352

		else:

348

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False)

353

			utils.verify_ldap_object(search_base.staff, should_exist=False)

349

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False)

354

			utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False)

350

			utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False)

355

			utils.verify_ldap_object(search_base.staff_group, should_exist=False)

351

356

352

		if noneducational_create_objects:

357

		if noneducational_create_objects:

353

			utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

358

			utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True)

354

			utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

359

			utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True)

355

			utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

360

			utils.verify_ldap_object(search_base.administrative_ou_dc_group)

356

			utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

361

			utils.verify_ldap_object(search_base.administrative_ou_member_group)

357

		# This will fail because we don't cleanup these groups in cleanup_ou

362

		# This will fail because we don't cleanup these groups in cleanup_ou

358

		#else:

363

		#else:

359

		#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

364

		#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

Lines 367-388	Link Here

367

		if dc_administrative:

372

		if dc_administrative:

368

			verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

373

			verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

369

374

370

		grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')

371

		grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')

372

		grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')

373

		grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

374

375

		grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

375

		grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

376

		grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

376

		grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

377

		grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

377

		grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

378

		grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

378

		grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

379

380

		utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

380

		utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

381

		utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

381

		utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

382

		utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

382

		utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

383

384

		if noneducational_create_objects:

384

		if noneducational_create_objects:

385

			utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

385

			utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

386

387

		dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

387

		dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

388

		dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

388

		dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

Lines 398-405	Link Here

398

		# check group membership

398

		# check group membership

399

		#  slave should be member

399

		#  slave should be member

400

		#  master and backup should not be member

400

		#  master and backup should not be member

401

		dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn),

401

		dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]

402

					"cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)]

403

402

404

		if must_exist:

403

		if must_exist:

405

			if masterobjs:

404

			if masterobjs:

Lines 443-449	Link Here

443

				# seems to be the first OU, so check the variable settings

442

				# seems to be the first OU, so check the variable settings

444

				if ucr.get('dhcpd/ldap/base') != "cn=dhcp,%s" % (ou_base,):

443

				if ucr.get('dhcpd/ldap/base') != "cn=dhcp,%s" % (ou_base,):

445

					print 'ERROR: dhcpd/ldap/base =', ucr.get('dhcpd/ldap/base')

444

					print 'ERROR: dhcpd/ldap/base =', ucr.get('dhcpd/ldap/base')

446

					print 'ERROR: expected base =', dhcp_dn

445

					print 'ERROR: expected base =', dhcp_dn  # FIXME: unresolve reference: dhcp_dn

447

					raise DhcpdLDAPBase()

446

					raise DhcpdLDAPBase()

448

447

449

			# use the UCR value and check if the DHCP service exists

448

			# use the UCR value and check if the DHCP service exists




from univention.testing.ucsschool import UMCConnection
import univention.testing.strings as uts
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.utils as utils
from ucsschool.lib.models import LibComputerRoom


class FailQuery(Exception):

		self.umc_connection.auth(admin, passwd)

	def dn(self):
		return LibComputerRoom(school="myschool", name='{}-{}'.format("myschool", "myname")).dn
				self.school, self.name, utu.UCSTestSchool().get_ou_base_dn(self.school))

	def add(self, should_pass=True):
		param = [{

(-)univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py (-1 / +2 lines)

Lines 51-56	Link Here

from univention.management.console.log import MODULE

from univention.management.console.log import MODULE

from univention.management.console.modules import UMC_Error

from univention.management.console.modules import UMC_Error

from ucsschool.lib.schoolldap import LDAP_Connection, SchoolBaseModule, ADMIN_WRITE, USER_READ

from ucsschool.lib.schoolldap import LDAP_Connection, SchoolBaseModule, ADMIN_WRITE, USER_READ

from ucsschool.lib.models import SchoolComputer

from univention.management.console.config import ucr

from univention.management.console.config import ucr

Lines 92-98	Link Here

		try:

		try:

			# Set new position

			# Set new position

			ldap_position.setDn(search_base.computers)

			ldap_position.setDn(SchoolComputer.get_container(search_base.school))

			usersid = request.options.get('usersid')

			usersid = request.options.get('usersid')

			self._check_usersid_join_permissions(ldap_user_read, usersid)

			self._check_usersid_join_permissions(ldap_user_read, usersid)

Return to bug 41231