Index: doc/manual/import-hooks-de.xml
===================================================================
--- doc/manual/import-hooks-de.xml (Revision 74236)
+++ doc/manual/import-hooks-de.xml (Arbeitskopie)
@@ -116,12 +116,20 @@
zugeordnet wird.
- Über drei weitere &ucsUCR;-Variablen kann das Verhalten des Hooks gesteuert
+ Über vier weitere &ucsUCR;-Variablen kann das Verhalten des Hooks gesteuert
werden:
+ ucsschool/import/generate/share/marktplatz/name
+
+
+ Diese Variable definiert den Namen der Freigabe. Der Standard ist Marktplatz.
+
+
+
+
ucsschool/import/generate/share/marktplatz/sharepath
Index: doc/manual/performance-de.xml
===================================================================
--- doc/manual/performance-de.xml (Revision 74236)
+++ doc/manual/performance-de.xml (Arbeitskopie)
@@ -93,6 +93,10 @@
+
+ Der Teil des Gruppennamens der hier <Edukativnetz> ist, kann seit &ucsUAS;-Version 4.1 R2 v7
+ verändert werden. Siehe dazu auch .
+
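Review bot: The added sentence says only the part "<Edukativnetz>" of the group name can be changed, but the groupname/* variables listed in structure-de.xml replace the whole name (the example there turns Member-Edukativnetz into Membre-Enseignement). Reword it to say the group name itself is configurable. The relative clause also needs commas ("Der Teil des Gruppennamens, der hier ... ist, kann ..."), and the same applies to the three near-identical paragraphs added in setup-school-generic-de.xml.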
Index: doc/manual/setup-school-generic-de.xml
===================================================================
--- doc/manual/setup-school-generic-de.xml (Revision 74236)
+++ doc/manual/setup-school-generic-de.xml (Arbeitskopie)
@@ -39,14 +39,13 @@
Zugriffsrechte gesetzt werden. Dabei kann der Zugriff für einzelne Benutzer oder ganze Gruppen
erlaubt bzw. gesperrt werden. Um den Schülern den Zugriff auf die physikalischen Drucker zu
verbieten, muss an den Druckerfreigaben für diese Drucker der Zugriff durch Benutzer der
- OU-spezifischen Gruppe
- schueler-
- OU
-
- > (z.B. schueler-gsmitte)
- verboten werden. Für den PDF-Drucker PDFDrucker sollten keine
- Einschränkungen
- gemacht werden.
+ OU-spezifischen Gruppe schueler-OU
+ (z.B. schueler-gsmitte) verboten werden. Für den PDF-Drucker
+ PDFDrucker sollten keine Einschränkungen gemacht werden.
+
+ Der Teil des Gruppennamens der hier <schueler-> ist, kann seit &ucsUAS;-Version 4.1 R2 v7 verändert
+ werden. Siehe dazu auch .
+
Schüler haben damit nur noch die Möglichkeit Druckaufträge an den
@@ -228,6 +227,9 @@
Anlegen einer OU kann durch das Setzen der &ucsUCRV;
ucsschool/import/generate/marktplatz auf den
Wert no verhindert werden.
+
+ Weiterführnde Informationen zur Marktplatz-Freigabe finden sich unter .
+
Diese Freigaben müssen zwingend auf dem Schulserver bereitgestellt
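Review bot: Typo in the added line: "Weiterführnde" should be "Weiterführende".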
@@ -280,6 +282,10 @@
Die Freigabe erlaubt der Gruppe lehrer-<OU> den
administrativen
Zugriff auf das Basisverzeichnis /home/<OU>/schueler.
+
+ Der Teil des Gruppennamens der hier <schueler-> bzw.<lehrer-> ist, kann seit
+ &ucsUAS;-Version 4.1 R2 v7 verändert werden. Siehe dazu auch .
+
Per Voreinstellung wird der Lehrergruppe Lesezugriff gewährt.
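Review bot: Missing space in "bzw.<lehrer->" in the added paragraph. It should read "bzw. <lehrer->", with a comma before "der hier" as in the other copies of this sentence.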
@@ -310,23 +316,23 @@
Option zu Schuladministratoren umgewandelt werden.
-
+
Die zusätzliche Gruppenmitgliedschaft muss manuell über das &ucsUMC;-Modul
- Benutzer
- auf dem &ucsMaster; hinzugefügt werden. Auf dem Reiter
- Gruppen
- muss das Benutzerkonto in die Gruppe
+ Benutzer auf dem &ucsMaster; hinzugefügt werden. Auf dem Reiter
+ Gruppen muss das Benutzerkonto in die Gruppe
admins-OU
(für die OU gym17 ist dies die Gruppe
admins-gym17) aufgenommen werden.
-
+
+ Der Teil des Gruppennamens der hier <admins-> ist, kann seit &ucsUAS;-Version 4.1 R2 v7
+ verändert werden. Siehe dazu auch .
+
+
Im &ucsUMC;-Modul Benutzer muss außerdem im Reiter
- Optionen
- die Option
-
+ Optionen die Option
eingeschaltet werden.
Index: doc/manual/structure-de.xml
===================================================================
--- doc/manual/structure-de.xml (Revision 74236)
+++ doc/manual/structure-de.xml (Arbeitskopie)
@@ -329,6 +329,84 @@
+
+ Gruppen-, Verzeichnis- und Containernamen
+
+ Seit &ucsUAS;-Version 4.1 R2 v7 können mit Hilfe von UCR-Variablen Teile der Gruppen-, Verzeichnis- und Containernamen
+ vor der Installation der &ucsUAS;-App bestimmt werden.
+
+
+ Beispielsweise wird die Gruppe Member-Edukativnetz durch Setzen
+ der UCR-Variablen ucsschool/ldap/default/groupname/all-educational-member=Membre-Enseignement
+ mit dem Namen Membre-Enseignement angelegt.
+
+
+ Sollen zum Beispiel die Benutzerkonten von Schülern nicht im Container
+ cn=schueler,cn=groups,ou=gymmitte,dc=example,dc=com gespeichert werden, sondern unter
+ cn=ecolier,cn=groups,ou=gymmitte,dc=example,dc=com, muss
+ ucsschool/ldap/default/container/pupils=ecolier gesetzt werden.
+
+
+ Die Bedeutung der aller UCR-Variablen können Sie durch das Lesen der Hilfetexte zu den UCR-Variablen erfahren
+ (siehe ).
+
+
+
+ Die folgenden Teile von Containernamen (z.B. in cn=admins,cn=groups,ou=gymmitte,dc=example,dc=com) können gesetzt werden:
+
+
+ admins: ucsschool/ldap/default/container/admins
+ schueler: ucsschool/ldap/default/container/pupils
+ mitarbeiter: ucsschool/ldap/default/container/staff
+ lehrer und mitarbeiter: ucsschool/ldap/default/container/teachers-and-staff
+ lehrer: ucsschool/ldap/default/container/teachers
+ klassen: ucsschool/ldap/default/container/class
+ raeume: ucsschool/ldap/default/container/rooms
+ examusers: ucsschool/ldap/default/container/exam
+
+
+
+
+ Die folgenden Präfixe von Gruppennamen (z.B. in schueler-gymmitte) können gesetzt werden:
+
+
+ schueler-: ucsschool/ldap/default/groupprefix/pupils
+ lehrer-: ucsschool/ldap/default/groupprefix/teachers
+ admins-: ucsschool/ldap/default/groupprefix/admins
+ mitarbeiter-: ucsschool/ldap/default/groupprefix/staff
+
+
+ Die folgenden Gruppennamen können per UCR gesetzt werden. Bei Namen die %(ou)s enthalten
+ wird dieses vom System durch das jeweilige Schulkürzel ersetzt (z.B. gymmitte in
+ OUgymmitte-DC-Edukativnetz).
+
+
+ DC-Edukativnetz: ucsschool/ldap/default/groupname/all-educational-dc
+ Member-Edukativnetz: ucsschool/ldap/default/groupname/all-educational-member
+ DC-Verwaltungsnetz: ucsschool/ldap/default/groupname/all-administrativ-dc
+ Member-Verwaltungsnetz: ucsschool/ldap/default/groupname/all-administrativ-member
+ OU%(ou)s-DC-Edukativnetz: ucsschool/ldap/default/groupname/ou-educational-dc
+ OU%(ou)s-Member-Edukativnetz: ucsschool/ldap/default/groupname/ou-educational-member
+ OU%(ou)s-DC-Verwaltungsnetz: ucsschool/ldap/default/groupname/ou-administrativ-dc
+ OU%(ou)s-Member-Verwaltungsnetz: ucsschool/ldap/default/groupname/ou-administrativ-member
+ OU%(ou)s-Klassenarbeit: ucsschool/ldap/default/groupname/exam
+
+
+ Die folgenden Verzeichnisnamen können per UCR gesetzt werden (z.B. klassen in /home/groups/klassen/3b):
+
+
+ klassen: ucsschool/ldap/default/share/class
+ schueler: ucsschool/ldap/default/share/pupils
+ lehrer: ucsschool/ldap/default/share/teachers
+ Unterrichtsmaterial: ucsschool/datadistribution/datadir/sender
+ Unterrichtsmaterial: ucsschool/datadistribution/datadir/recipient
+ Klassenarbeiten: ucsschool/ldap/default/share/exams
+ schueler, lehrer, mitarbeiter: ucsschool/import/roleshare/.*/path
+ Marktplatz: ucsschool/import/generate/share/marktplatz/name
+
+
+
+
Weitere &ucsUAS;-Objekte
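Review bot: "Die Bedeutung der aller UCR-Variablen" in the new section has a stray article; it should read "Die Bedeutung aller UCR-Variablen". The directory list also shows "Unterrichtsmaterial" twice, once for datadistribution/datadir/sender and once for datadir/recipient, without saying which directory each entry names, so add that distinction. Since the section states that the names are fixed "vor der Installation", it should also say explicitly that changing these variables on an already installed system does not rename existing groups, containers or directories.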
Index: ucs-school-import/debian/ucs-school-import.univention-config-registry-variables
===================================================================
--- ucs-school-import/debian/ucs-school-import.univention-config-registry-variables (Revision 74236)
+++ ucs-school-import/debian/ucs-school-import.univention-config-registry-variables (Arbeitskopie)
@@ -4,54 +4,150 @@
Type=str
Categories=ucsschool-base
+[ucsschool/ldap/default/container/admins]
+Description[de]=Standard-Container-Name für Administratoren. Standard ist "admins".
+Description[en]=Default container name for administrators. Default is "admins".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/container/class]
+Description[de]=Standard-Container-Name für Schulklassen. Standard ist "klassen".
+Description[en]=Default container name for school classes. Default is "klassen".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/container/exam]
+Description[de]=Standard-Container-Name für Schüler in einer Prüfung. Standard ist "examusers".
+Description[en]=Default container name name for pupils writing exams. Default is "examusers".
+Type=str
+Categories=ucsschool-base
+
[ucsschool/ldap/default/container/pupils]
-Description[de]=Standard-Container für Schüler
-Description[en]=Default container for pupils
+Description[de]=Standard-Container-Name für Schüler. Standard ist "schueler".
+Description[en]=Default container name for pupils. Default is "schueler".
Type=str
Categories=ucsschool-base
+[ucsschool/ldap/default/container/rooms]
+Description[de]=Standard-Container-Name für Klassenräume. Standard ist "raeume".
+Description[en]=Default container name for class rooms. Default is "raeume".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/container/staff]
+Description[de]=Standard-Container-Name für Mitarbeiter. Standard ist "mitarbeiter".
+Description[en]=Default container name for staff members. Default is "mitarbeiter".
+Type=str
+Categories=ucsschool-base
+
[ucsschool/ldap/default/container/teachers]
-Description[de]=Standard-Container für Lehrer
-Description[en]=Default container for teachers
+Description[de]=Standard-Container-Name für Lehrer. Standard ist "lehrer".
+Description[en]=Default container name for teachers. Default is "lehrer".
Type=str
Categories=ucsschool-base
-[ucsschool/ldap/default/container/admins]
-Description[de]=Standard-Container für Administratoren
-Description[en]=Default container for administrators
+[ucsschool/ldap/default/container/teachers-and-staff]
+Description[de]=Standard-Container-Name für Benutzer die gleichzeitig Lehrer und Mitarbeiter sind. Standard ist "lehrer und mitarbeiter".
+Description[en]=Default container name for users that are both teachers and staff members. Default is "lehrer und mitarbeiter".
Type=str
Categories=ucsschool-base
-[ucsschool/ldap/default/container/staff]
-Description[de]=Standard-Container für Mitarbeiter
-Description[en]=Default container for staff members
+[ucsschool/ldap/default/groupname/exam]
+Description[de]=Standard Gruppenname für Schüler in einer Prüfung. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Klassenarbeit".
+Description[en]=Default group name for pupils writing exams. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Klassenarbeit".
Type=str
Categories=ucsschool-base
-[ucsschool/ldap/default/groupprefix/pupils]
-Description[de]=Standard-Prefix für die Schüler-Gruppen
-Description[en]=Default prefix for pupils groups
+[ucsschool/ldap/default/groupname/all-administrativ-dc]
+Description[de]=Standard Gruppenname für Domain Controller in Verwaltungsnetzen. Standard ist "DC-Verwaltungsnetz".
+Description[en]=Default group name for domain controllers in administrativ networks. Default is "DC-Verwaltungsnetz".
Type=str
Categories=ucsschool-base
-[ucsschool/ldap/default/groupprefix/teachers]
-Description[de]=Standard-Prefix für die Lehrer-Gruppen
-Description[en]=Default prefix for teacher groups
+[ucsschool/ldap/default/groupname/all-administrativ-member]
+Description[de]=Standard Gruppenname für Member Server in Verwaltungsnetzen. Standard ist "Member-Verwaltungsnetz".
+Description[en]=Default group name for member servers in administrativ networks. Default is "Member-Verwaltungsnetz".
Type=str
Categories=ucsschool-base
+[ucsschool/ldap/default/groupname/all-educational-dc]
+Description[de]=Standard Gruppenname für Domain Controller in Edukativnetzen. Standard ist "DC-Edukativnetz".
+Description[en]=Default group name for domain controllers in educational networks. Default is "DC-Edukativnetz".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/groupname/all-educational-member]
+Description[de]=Standard Gruppenname für Member Server in Edukativnetzen. Standard ist "Member-Edukativnetz".
+Description[en]=Default group name for member servers in educational networks. Default is "Member-Edukativnetz".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/groupname/ou-administrativ-dc]
+Description[de]=Standard Gruppenname für Domain Controller im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Verwaltungsnetz".
+Description[en]=Default group name for domain controllers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Verwaltungsnetz".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/groupname/ou-administrativ-member]
+Description[de]=Standard Gruppenname für Member Server im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Verwaltungsnetz".
+Description[en]=Default group name for member servers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Verwaltungsnetz".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/groupname/ou-educational-dc]
+Description[de]=Standard Gruppenname für Domain Controller im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Edukativnetz".
+Description[en]=Default group name for domain controllers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Edukativnetz".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/groupname/ou-educational-member]
+Description[de]=Standard Gruppenname für Member Server im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Edukativnetz".
+Description[en]=Default group name for member servers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Edukativnetz".
+Type=str
+Categories=ucsschool-base
+
[ucsschool/ldap/default/groupprefix/admins]
-Description[de]=Standard-Prefix für die Administrator-Gruppen
-Description[en]=Default prefix for admin groups
+Description[de]=Standard-Prefix für die Administrator-Gruppen. Standard ist "admins-".
+Description[en]=Default prefix for admin groups. Default is "admins-".
Type=str
Categories=ucsschool-base
+[ucsschool/ldap/default/groupprefix/pupils]
+Description[de]=Standard-Prefix für die Schüler-Gruppen. Standard ist "schueler-".
+Description[en]=Default prefix for pupils groups. Default is "schueler-".
+Type=str
+Categories=ucsschool-base
+
[ucsschool/ldap/default/groupprefix/staff]
-Description[de]=Standard-Prefix für die Mitarbeiter-Gruppen
-Description[en]=Default prefix for staff groups
+Description[de]=Standard-Prefix für die Mitarbeiter-Gruppen. Standard ist "mitarbeiter-".
+Description[en]=Default prefix for staff groups. Default is "mitarbeiter-".
Type=str
Categories=ucsschool-base
+[ucsschool/ldap/default/groupprefix/teachers]
+Description[de]=Standard-Prefix für die Lehrer-Gruppen. Standard ist "lehrer-".
+Description[en]=Default prefix for teacher groups. Default is "lehrer-".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/share/class]
+Description[de]=Standard Verzeichnisname für die Klassen-Freigabe. Standard ist "klassen".
+Description[en]=Default directory name for the class share. Default is "klassen".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/share/pupils]
+Description[de]=Standard Verzeichnisname für die Schüler-Verzeichnisse. Standard ist "schueler".
+Description[en]=Default directory name for the pupils directories. Default is "schueler".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/ldap/default/share/teachers]
+Description[de]=Standard Verzeichnisname für die Lehrer-Verzeichnisse. Standard ist "lehrer".
+Description[en]=Default directory name for the teachers directories. Default is "lehrer".
+Type=str
+Categories=ucsschool-base
+
[ucsschool/ldap/default/dcs]
Description[de]=Spezifiziert welche Schul-DCs beim Erzeugen einer Schule angelegt werden sollen (Werte: edukativ und/oder verwaltung)
Description[en]=Specifies which school DCs are created during the school set up (values: edukativ and/or verwaltung)
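Review bot: Several of the new English descriptions need a wording fix. container/exam reads "Default container name name for pupils" (doubled word), and the four groupname/*-administrativ-* entries say "administrativ networks" or "administrativ network" where the prose should be "administrative" (the key names can stay as they are). The English text for the ou-* variables also drops "einer bestimmten Schule" from the German; add "of a particular school" so both languages say the same thing.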
@@ -64,6 +160,12 @@
Type=str
Categories=ucsschool-base
+[ucsschool/import/generate/share/marktplatz/name]
+Description[de]=Name der Freigabe (Default: "Marktplatz").
+Description[en]=Name of share (default: "Marktplatz").
+Type=str
+Categories=ucsschool-base
+
[ucsschool/import/generate/share/marktplatz/sharepath]
Description[de]=Vorgabepfad der Freigabe "Marktplatz" (Default: /home/$ou/groups/Marktplatz)
Description[en]=Default path of share "Marktplatz" (default: /home/$ou/groups/Marktplatz)
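Review bot: The description of marktplatz/sharepath in the trailing context still gives the default as /home/$ou/groups/Marktplatz, but the change to 52marktplatz_create in this patch builds the default from the new name variable ("/home/$ou/groups/$name"). Update both the German and the English sharepath descriptions so they say the last path component follows ucsschool/import/generate/share/marktplatz/name.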
@@ -125,7 +227,7 @@
Categories=ucsschool-base
[ucsschool/import/roleshare]
-Description[de]=Falls diese Variable nicht auf "false" oder "no" gesetzt, dann werden Homeverzeichnisse für Benutzer und Klassengruppen in einer rollen- und schulspezifischen Struktur von Unterverzeichnissen angelegt, z.B. unter /home/$ou/schueler/.
+Description[de]=Falls diese Variable nicht auf "false" oder "no" gesetzt wird, werden Homeverzeichnisse für Benutzer und Klassengruppen in einer rollen- und schulspezifischen Struktur von Unterverzeichnissen angelegt, z.B. unter /home/$ou/schueler/.
Description[en]=If this variable is not set to "false" or "no", then home directories for users and class groups will be created in a role and school specific structure of subdirectories, e.g. in /home/$ou/schueler/.
Type=str
Categories=ucsschool-base
Index: ucs-school-import/modules/ucsschool/importer/contrib/csv.py
===================================================================
--- ucs-school-import/modules/ucsschool/importer/contrib/csv.py (Revision 74236)
+++ ucs-school-import/modules/ucsschool/importer/contrib/csv.py (Arbeitskopie)
@@ -346,7 +346,7 @@
def next(self):
if self.line_num == 0:
- # Used only for its side effect.
+ # Used only for its side effect.
self.fieldnames
self.row = self.reader.next()
self.line_num = self.reader.line_num
Index: ucs-school-import/modules/ucsschool/importer/models/import_user.py
===================================================================
--- ucs-school-import/modules/ucsschool/importer/models/import_user.py (Revision 74236)
+++ ucs-school-import/modules/ucsschool/importer/models/import_user.py (Arbeitskopie)
@@ -44,7 +44,9 @@
from ucsschool.lib.models.utils import create_passwd
from ucsschool.importer.configuration import Configuration
from ucsschool.importer.factory import Factory
-from ucsschool.importer.exceptions import BadPassword, FormatError, InvalidBirthday, InvalidClassName, InvalidEmail, MissingMailDomain, MissingMandatoryAttribute, MissingSchoolName, NotSupportedError, NoUsername, NoUsernameAtAll, UDMValueError, UniqueIdError, UnkownDisabledSetting, UnknownProperty, UsernameToLong
+from ucsschool.importer.exceptions import (BadPassword, FormatError, InvalidBirthday, InvalidClassName, InvalidEmail,
+ MissingMailDomain, MissingMandatoryAttribute, MissingSchoolName, NotSupportedError, NoUsername, NoUsernameAtAll,
+ UDMValueError, UniqueIdError, UnkownDisabledSetting, UnknownProperty, UsernameToLong)
from ucsschool.importer.utils.logging import get_logger
from ucsschool.importer.utils.pyhooks_loader import PyHooksLoader
from ucsschool.importer.utils.user_pyhook import UserPyHook
@@ -94,7 +96,7 @@
self.config = Configuration()
self.reader = self.factory.make_reader()
self.logger = get_logger()
- self.username_max_length = 20 - len(self.ucr.get("ucsschool/ldap/default/userprefix/exam", "exam-"))
+ self.username_max_length = 20 - len(Student.get_search_base(school).user_prefix_exam)
self._lo = None
self._userexpiry = None
super(ImportUser, self).__init__(name, school, **kwargs)
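Review bot: The new username_max_length line calls Student.get_search_base(school) with the raw constructor argument before super().__init__ runs, and that argument may still be unset. The MissingSchoolName path further down in this file shows that the school can come from the input data only later. Either guard the None case or compute the limit lazily once the school is known, and add a check that the result is positive so that a long configured exam prefix does not silently make every username fail the length check in validate().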
@@ -160,7 +162,10 @@
:param superordinate: str: superordinate
:return: object of ImportUser subclass from LDAP or raises noObject
"""
- filter_s = filter_format("(&(objectClass=ucsschoolType)(ucsschoolSourceUID=%s)(ucsschoolRecordUID=%s))", (source_uid, record_uid))
+ filter_s = filter_format(
+ "(&(objectClass=ucsschoolType)(ucsschoolSourceUID=%s)(ucsschoolRecordUID=%s))",
+ (source_uid, record_uid)
+ )
obj = cls.get_only_udm_obj(connection, filter_s, superordinate=superordinate)
if not obj:
raise noObject("No user with source_uid={0} and record_uid={1} found.".format(source_uid, record_uid))
@@ -190,9 +195,17 @@
try:
udm_obj[property_] = value
except (KeyError, noProperty) as exc:
- raise UnknownProperty("UDM property '{}' could not be set: {}".format(property_, exc), entry=self.entry_count, import_user=self)
+ raise UnknownProperty(
+ "UDM property '{}' could not be set: {}".format(property_, exc),
+ entry=self.entry_count,
+ import_user=self
+ )
except (valueError, valueInvalidSyntax) as exc:
- raise UDMValueError("UDM property '{}' could not be set: {}".format(property_, exc), entry=self.entry_count, import_user=self)
+ raise UDMValueError(
+ "UDM property '{}' could not be set: {}".format(property_, exc),
+ entry=self.entry_count,
+ import_user=self
+ )
def has_expired(self, connection):
"""
@@ -334,7 +347,11 @@
try:
activate = self.config["activate_new_users"]["default"]
except KeyError:
- raise UnkownDisabledSetting("Cannot find 'disabled' ('activate_new_users') setting for role '{}' or " "'default'.".format(self.role_sting), self.entry_count, import_user=self)
+ raise UnkownDisabledSetting(
+ "Cannot find 'disabled' ('activate_new_users') setting for role '{}' or 'default'.".format(self.role_sting),
+ self.entry_count,
+ import_user=self
+ )
self.disabled = "none" if activate else "all"
def make_firstname(self):
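Review bot: In the reformatted UnkownDisabledSetting raise, self.entry_count is still passed positionally, while every other raise touched by this patch uses entry=self.entry_count. Since the call is being rewritten anyway, pass it as a keyword so it cannot land in the wrong parameter if the exception signatures differ.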
@@ -379,7 +396,11 @@
try:
maildomain = self.ucr["mail/hosteddomains"].split()[0]
except (AttributeError, IndexError):
- raise MissingMailDomain("Could not retrieve mail domain from configuration nor from UCRV " "mail/hosteddomains.", entry=self.entry_count, import_user=self)
+ raise MissingMailDomain(
+ "Could not retrieve mail domain from configuration nor from UCRV mail/hosteddomains.",
+ entry=self.entry_count,
+ import_user=self
+ )
self.email = self.format_from_scheme("email", self.config["scheme"]["email"], maildomain=maildomain).lower()
def make_password(self):
@@ -425,7 +446,12 @@
elif self.schools and isinstance(self.schools, basestring):
self.make_schools() # this will recurse back, but schools will be a list then
else:
- raise MissingSchoolName("Primary school name (ou) was not set on the cmdline or in the configuration file " "and was not found in the input data.", entry=self.entry_count, import_user=self)
+ raise MissingSchoolName(
+ "Primary school name (ou) was not set on the cmdline or in the configuration file and was not found in "
+ "the input data.",
+ entry=self.entry_count,
+ import_user=self
+ )
def make_schools(self):
"""
@@ -556,10 +582,19 @@
try:
[self.udm_properties.get(ma) or getattr(self, ma) for ma in self.config["mandatory_attributes"]]
except (AttributeError, KeyError) as exc:
- raise MissingMandatoryAttribute("A mandatory attribute was not set: {}.".format(exc), self.config["mandatory_attributes"], entry=self.entry_count, import_user=self)
+ raise MissingMandatoryAttribute(
+ "A mandatory attribute was not set: {}.".format(exc),
+ self.config["mandatory_attributes"],
+ entry=self.entry_count,
+ import_user=self
+ )
if self.record_uid in self._unique_ids["recordUID"]:
- raise UniqueIdError("RecordUID '{}' has already been used in this import.".format(self.record_uid), entry=self.entry_count, import_user=self)
+ raise UniqueIdError(
+ "RecordUID '{}' has already been used in this import.".format(self.record_uid),
+ entry=self.entry_count,
+ import_user=self
+ )
self._unique_ids["recordUID"].add(self.record_uid)
if check_username:
@@ -567,14 +602,26 @@
raise NoUsername("No username was created.", entry=self.entry_count, import_user=self)
if len(self.name) > self.username_max_length:
- raise UsernameToLong("Username '{}' is longer than allowed.".format(self.name), entry=self.entry_count, import_user=self)
+ raise UsernameToLong(
+ "Username '{}' is longer than allowed.".format(self.name),
+ entry=self.entry_count,
+ import_user=self
+ )
if self.name in self._unique_ids["name"]:
- raise UniqueIdError("Username '{}' has already been used in this import.".format(self.name), entry=self.entry_count, import_user=self)
+ raise UniqueIdError(
+ "Username '{}' has already been used in this import.".format(self.name),
+ entry=self.entry_count,
+ import_user=self
+ )
self._unique_ids["name"].add(self.name)
if len(self.password) < self.config["password_length"]:
- raise BadPassword("Password is shorter than {} characters.".format(self.config["password_length"]), entry=self.entry_count, import_user=self)
+ raise BadPassword(
+ "Password is shorter than {} characters.".format(self.config["password_length"]),
+ entry=self.entry_count,
+ import_user=self
+ )
if self.email:
# email_pattern:
@@ -584,10 +631,18 @@
# * all characters are allowed (international domains)
email_pattern = r"[^@]+@.+\..+"
if not re.match(email_pattern, self.email):
- raise InvalidEmail("Email address '{}' has invalid format.".format(self.email), entry=self.entry_count, import_user=self)
+ raise InvalidEmail(
+ "Email address '{}' has invalid format.".format(self.email),
+ entry=self.entry_count,
+ import_user=self
+ )
if self.email in self._unique_ids["email"]:
- raise UniqueIdError("Email address '{}' has already been used in this import.".format(self.email), entry=self.entry_count, import_user=self)
+ raise UniqueIdError(
+ "Email address '{}' has already been used in this import.".format(self.email),
+ entry=self.entry_count,
+ import_user=self
+ )
self._unique_ids["email"].add(self.email)
if self.birthday:
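Review bot: The email check in the unchanged context of this hunk is weaker than the InvalidEmail message suggests. re.match(r"[^@]+@.+\..+", ...) anchors only at the start and "." stops at a newline, so anything after an embedded line break is never inspected, and whitespace or a second "@" in the domain part is accepted. While touching these lines, consider tightening the pattern to something like r"[^@\s]+@[^@\s]+\.[^@\s]+\Z", which still allows international domains.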
@@ -594,7 +649,11 @@
try:
datetime.datetime.strptime(self.birthday, "%Y-%m-%d")
except ValueError as exc:
- raise InvalidBirthday("Birthday has invalid format: {}.".format(exc), entry=self.entry_count, import_user=self)
+ raise InvalidBirthday(
+ "Birthday has invalid format: {}.".format(exc),
+ entry=self.entry_count,
+ import_user=self
+ )
@property
def role_sting(self):
@@ -709,7 +768,12 @@
for meth_name, meth_list in pyhook_cache.items():
self._pyhook_cache[meth_name] = [x[0] for x in sorted(meth_list, key=lambda x: x[1], reverse=True)]
- self.logger.info("Registered hooks: %r.", dict([(meth_name, ["{}.{}".format(m.im_class.__name__, m.im_func.func_name) for m in meths]) for meth_name, meths in self._pyhook_cache.items()]))
+ self.logger.info("Registered hooks: %r.", dict(
+ [
+ (meth_name, ["{}.{}".format(m.im_class.__name__, m.im_func.func_name) for m in meths])
+ for meth_name, meths in self._pyhook_cache.items()
+ ]
+ ))
return pyhooks
def _prevent_mapped_attributes_in_udm_properties(self):
@@ -723,10 +787,16 @@
forbidden_attributes = set(x.udm_name for x in self._attributes.values() if x.udm_name)
bad_props = set(self.udm_properties.keys()).intersection(forbidden_attributes)
if bad_props:
- raise NotSupportedError("UDM properties '{}' must be set as attributes of the {} object (not in " "udm_properties).".format("', '".join(bad_props), self.__class__.__name__))
+ raise NotSupportedError(
+ "UDM properties '{}' must be set as attributes of the {} object (not in udm_properties).".format(
+ "', '".join(bad_props), self.__class__.__name__)
+ )
if "e-mail" in self.udm_properties.keys() and not self.email:
# this might be an mistake, so let's warn the user
- self.logger.warn("UDM property 'e-mail' is used for storing contact information. The users mailbox " "address is stored in the 'email' attribute of the {} object (not in udm_properties).".format(self.__class__.__name__))
+ self.logger.warn(
+ "UDM property 'e-mail' is used for storing contact information. The users mailbox address is stored in "
+ "the 'email' attribute of the {} object (not in udm_properties).".format(self.__class__.__name__)
+ )
def update(self, other):
"""
Index: ucs-school-import/tests/test_move_domaincontroller_to_ou
===================================================================
--- ucs-school-import/tests/test_move_domaincontroller_to_ou (Revision 74236)
+++ ucs-school-import/tests/test_move_domaincontroller_to_ou (Arbeitskopie)
@@ -37,6 +37,8 @@
exit 1
fi
+. /usr/share/ucs-school-lib/base.sh
+
eval "$(ucr shell)"
./create_ou test1 dctest1
@@ -51,8 +53,10 @@
udm computers/domaincontroller_slave create --position "cn=computers,$ldap_base" --set name=dctest7-01
./create_ou test7
-udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=OUtest7-DC-Edukativnetz,cn=ucsschool,cn=groups,$ldap_base"
+test7_dc="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc test7)"
+udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=$test7_dc,cn=ucsschool,cn=groups,$ldap_base"
+
echo "TEST: DC is unknown"
./move_domaincontroller_to_ou --dcname UnKnOwN --ou test1
echo "EXITCODE: $?"
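Review bot: The result of ucr_names_default in the new test7_dc assignment is used without a check. If the helper is missing or returns nothing, the udm call appends groups="cn=,cn=ucsschool,cn=groups,$ldap_base" and the test continues with a misleading failure. Abort the test when test7_dc is empty, for example with [ -n "$test7_dc" ] || exit 1.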
Index: ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create
===================================================================
--- ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create (Revision 74236)
+++ ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create (Arbeitskopie)
@@ -1,7 +1,7 @@
#!/bin/bash
#
# 52marktplatz_create
-# Creates a Markplatz share for the specified OUs
+# Creates a Marktplatz share for the specified OUs
#
# Depends: ucs-school-import
#
@@ -35,11 +35,14 @@
[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1
. /usr/share/univention-lib/ucr.sh
+. /usr/share/ucs-school-lib/base.sh
eval "$(ucr shell)"
+name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"
+
if ! is_ucr_true "ucsschool/import/generate/share/marktplatz" ; then
- echo "$(basename $0): creation of share 'Marktplatz' has been disabled by ucsschool/import/generate/share/marktplatz"
+ echo "$(basename $0): creation of share '$name' has been disabled by ucsschool/import/generate/share/marktplatz"
exit 0
fi
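Review bot: The hook now sources /usr/share/ucs-school-lib/base.sh and takes name from ucr_names_default without checking either step. If the file is absent or the function returns an empty string, the script goes on to create a share with an empty name. Exit with an error when name is empty, and add ucs-school-lib to the "Depends:" comment in the header, which still lists only ucs-school-import.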
@@ -58,9 +61,9 @@
sharepath="$ucsschool_import_generate_share_marktplatz_sharepath"
if [ -z "$sharepath" ] ; then
if [ -z "$ucsschool_import_roleshare" ] || is_ucr_true "ucsschool/import/roleshare"; then
- sharepath="/home/$ou/groups/Marktplatz"
+ sharepath="/home/$ou/groups/$name"
else
- sharepath="/home/groups/Marktplatz"
+ sharepath="/home/groups/$name"
fi
fi
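Review bot: The value of name goes into the default sharepath unvalidated in both branches ("/home/$ou/groups/$name" and "/home/groups/$name"). A value containing "/" or ".." would place the share directory outside the groups directory. Reject names that are not a single path component before building sharepath, and apply the same rule to the --set name="${name}" call in the next hunk.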
@@ -77,12 +80,12 @@
udm shares/share create --ignore_exists \
--position "cn=shares,ou=${ou}${district},${ldap_base}" \
- --set name=Marktplatz \
+ --set name="${name}" \
--set "host=${dcname}" \
--set "path=${sharepath}" \
--set "directorymode=${sharemode}" \
--set "group=${grpuidnumber}"
-echo "$(basename $0): added new share Markplatz for server ${dcname}"
+echo "$(basename $0): added new share '$name' for server ${dcname}"
exit 0
Index: ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-import
===================================================================
--- ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-import (Revision 74236)
+++ ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-import (Arbeitskopie)
@@ -77,8 +77,8 @@
import univention.lib.policy_result
from ucsschool.lib.roles import role_pupil, role_teacher, role_staff
from ucsschool.lib.roleshares import roleshare_home_subdir
-from ucsschool.lib.models.utils import stopped_notifier, add_stream_logger_to_schoollib
-from ucsschool.lib.models.utils import create_passwd
+from ucsschool.lib.models.utils import stopped_notifier, add_stream_logger_to_schoollib, create_passwd
+from ucsschool.lib.models import School, SchoolClass, ClassShare
ldap_errors = (ldap.LDAPError, univention.admin.uexceptions.base,)
@@ -106,17 +106,6 @@
pwLengthOu = {}
-cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
-cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer')
-cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
-cn_admins = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins')
-cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')
-
-grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
-grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
-grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
-grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')
-
grp_policy_pupils = configRegistry.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % baseDN)
grp_policy_teachers = configRegistry.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % baseDN)
grp_policy_admins = configRegistry.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % baseDN)
@@ -137,17 +126,7 @@
# IP address prefix len conecerning the netmask
default_prefixlen = 24
-if not (cn_pupils and cn_teachers and cn_teachers_staff and cn_admins and cn_staff):
- print '''ERROR: Unable to proceed: one of the following UCR variables is not set correctly:
- ucsschool/ldap/default/container/pupils
- ucsschool/ldap/default/container/teachers
- ucsschool/ldap/default/container/teachers-and-staff
- ucsschool/ldap/default/container/staff
- ucsschool/ldap/default/container/admins
-'''
- sys.exit(1)
-
def is_valid_ou_name(name):
""" check if given OU name is valid """
return bool(re.match('^[a-zA-Z0-9](([a-zA-Z0-9_]*)([a-zA-Z0-9]$))?$', name))
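Review bot: The startup check deleted here was the only visible guard against an empty value in one of the `ucsschool/ldap/default/container/*` variables, and nothing in this patch replaces it. Either keep an equivalent check on the values that `School.get_search_base()` returns, or confirm that the library falls back to the defaults for empty values. Otherwise the script can proceed with DNs that have an empty RDN value, such as `cn=,cn=users,...`.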
@@ -272,6 +251,7 @@
else:
self.allsNrs = [self.sNr]
self.other_sNr = []
+ self.search_base = School.get_search_base(self.allsNrs[0])
# split into multiple class number if comma is present
if ',' in self.cNr:
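Review bot: `self.search_base` is derived from `self.allsNrs[0]`, while the code it replaces in `getPosition_dn()` and the default group list used `getDN(self.sNr)`. In the `else` branch shown here the two are identical, but the other branch is not visible; if `allsNrs[0]` can differ from `self.sNr` there, user positions and group DNs silently move to another OU. Pass `self.sNr` here, or add a comment stating why the first entry is always the primary school.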
@@ -326,14 +306,13 @@
def getPosition_dn(self):
# resolution order for the position is pupil, teacher, staff
- cn = cn_pupils
if role_teacher in self.getRole() and role_staff in self.getRole():
- cn = cn_teachers_staff
- elif role_teacher in self.getRole():
- cn = cn_teachers
+ return self.search_base.teachersAndStaff
+ elif role_teacher in self.getRole ():
+ return self.search_base.teachers
elif role_staff in self.getRole():
- cn = cn_staff
- return "cn=%s,cn=users,%s" % (cn, getDN(self.sNr))
+ return self.search_base.staff
+ return self.search_base.students
def getDN(self):
return "uid=" + self.login + "," + self.getPosition_dn()
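Review bot: Style: the added line `elif role_teacher in self.getRole ():` has a stray space before the parentheses, unlike the other two `self.getRole()` calls in the same method. The fall-through `return self.search_base.students` also deserves a short comment, because the pupil default is now implicit instead of being the initial value of `cn`.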
@@ -342,17 +321,20 @@
default_groups = []
# default group
- default_groups.append("cn=Domain Users " + self.sNr + ",cn=groups,%s" % (getDN(self.sNr), ))
+ default_groups.append("cn=Domain Users %s,%s" % (self.sNr, self.search_base.groups))
+ grp_dns = {
+ role_teacher: self.search_base.teachers_ou_group,
+ role_pupil: self.search_base.students_ou_group,
+ role_staff: self.search_base.staff_ou_group}
for role in self.getRole():
- user_grp_prefix = {role_teacher: grp_prefix_teachers, role_pupil: grp_prefix_pupils, role_staff: grp_prefix_staff}[role]
if role == role_staff and not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
continue
# class if available
for cnr in self.cNr:
- default_groups.append("cn=" + cnr + ",cn=klassen,cn=%s,cn=groups,%s" % (cn_pupils, getDN(self.sNr)))
+ default_groups.append("cn=%s,%s" % (cnr, self.search_base.classes))
- default_groups.append("cn=%s%s,cn=groups,%s" % (user_grp_prefix, self.sNr, getDN(self.sNr)))
+ default_groups.append(grp_dns[role])
return default_groups
@@ -509,21 +491,22 @@
verify_container(getDN(schoolNr, base='district'), ou_module, co, lo, superordinate, baseDN)
print "verify ou for school nr %s" % schoolNr
+ search_base = School.get_search_base(schoolNr)
# list of needed sub-containers, the dictionary-key adds the container as default during create in verify_container
container = {
- '0printerPath': ['cn=printers'],
- '1userPath': ['cn=users', 'cn=%s,cn=users' % cn_pupils, 'cn=%s,cn=users' % cn_teachers, 'cn=%s,cn=users' % cn_admins],
- '2computerPath': ['cn=computers', 'cn=server,cn=computers', 'cn=dc,cn=server,cn=computers'],
- '3networkPath': ['cn=networks'],
- '4groupPath': ['cn=groups', 'cn=%s,cn=groups' % cn_pupils, 'cn=%s,cn=groups' % cn_teachers, 'cn=klassen,cn=%s,cn=groups' % cn_pupils, 'cn=raeume,cn=groups'],
- '5dhcpPath': ['cn=dhcp'],
- '6policyPath': ['cn=policies'],
- '7sharePath': ['cn=shares', 'cn=klassen,cn=shares'],
- '8none': ['cn=dc,cn=server,cn=computers']
+ '0printerPath': [search_base.printers],
+ '1userPath': [search_base.users, search_base.students, search_base.teachers, search_base.admins],
+ '2computerPath': [search_base.computers, 'cn=server,{}'.format(search_base.computers), 'cn=dc,cn=server,{}'.format(search_base.computers)],
+ '3networkPath': [search_base.networks],
+ '4groupPath': [search_base.groups, search_base.workgroups, search_base.teachers_group, search_base.classes, search_base.rooms],
+ '5dhcpPath': [search_base.dhcp],
+ '6policyPath': [search_base.policies],
+ '7sharePath': [search_base.shares, search_base.classShares],
+ '8none': ['cn=dc,cn=server,{}'.format(search_base.computers)]
}
if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
- container['1userPath'].extend(['cn=%s,cn=users' % cn_staff, 'cn=%s,cn=users' % cn_teachers_staff])
- container['4groupPath'].append('cn=%s,cn=groups' % cn_staff)
+ container['1userPath'].extend([search_base.staff, search_base.teachersAndStaff])
+ container['4groupPath'].append(search_base.staff_group)
# FIXME: die Policies sollten besser mit der Gruppe verknüpft werden, um
# z.B. Mitarbeiter und Lehrer im selben Container pflegen zu können
# container_policies = { 'cn=%s,cn=users' % cn_teachers: ['cn=default-lehrer,cn=UMC,cn=policies,' + baseDN] }
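Review bot: In `'4groupPath'` the second entry changes from `'cn=%s,cn=groups' % cn_pupils` to `search_base.workgroups`. Confirm that both resolve to the same container: `search_base.classes` follows it in the list and was previously created beneath the pupils group container, so a different DN here would leave the parent of the classes container uncreated. The commented-out `container_policies` line below still refers to `cn_teachers`, which this patch removes; update or drop it.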
@@ -538,20 +521,13 @@
dccn = ''
myline = '%s\t%s' % (schoolNr, dccn)
hooks.pre('ou', 'A', line=myline)
+ search_base = School.get_search_base(schoolNr)
# verify global dc groups
- groups_administrative = [
- "cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN,
- "cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN]
- groups_education = [
- "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN,
- "cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN]
- groups_administrativeOU = [
- "cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
- "cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)]
- groups_educationOU = [
- "cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
- "cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)]
+ groups_administrative = [search_base.administrative_dc_group, search_base.administrative_member_group]
+ groups_education = [search_base.educational_dc_group, search_base.educational_member_group]
+ groups_administrativeOU = [search_base.administrative_ou_dc_group, search_base.administrative_ou_member_group]
+ groups_educationOU = [search_base.educational_ou_dc_group, search_base.educational_ou_member_group]
if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
groups = groups_administrative + groups_education + groups_administrativeOU + groups_educationOU
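Review bot: The removed lines built the OU-specific group names with `schoolNr.lower()`, while the replacements (`search_base.administrative_ou_dc_group` and the other `*_ou_*` attributes) come from `School.get_search_base(schoolNr)` with the name passed as given. If the library does not lowercase the OU part itself, an import with a mixed-case school number yields group DNs that differ in case from the ones already written to the LDAP ACLs and to existing systems. State in a comment or the commit message where the lowercasing now happens.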
@@ -573,15 +549,15 @@
# TODO FIXME The following snippet does not make any sense:
# if the DC is member of DC-Verwaltungsnetz then is added again to that group?!? Looks like this code is unused.
for grp in dcobject['groups']:
- if grp.startswith("cn=DC-Verwaltungsnetz,"):
+ if grp.startswith(univention.admin.uldap.explodeDn(search_base.administrative_dc_group)[0]):
zone = "verwaltung"
groups = []
if zone == "edukativ":
- groups.append("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN)
- groups.append("cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN))
+ groups.append(search_base.educational_dc_group)
+ groups.append(search_base.educational_ou_dc_group)
if zone == "verwaltung":
- groups.append("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN)
- groups.append("cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN))
+ groups.append(search_base.administrative_dc_group)
+ groups.append(search_base.administrative_ou_dc_group)
modified = False
for grp in groups:
if grp not in dcobject['groups']:
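Review bot: The new test `grp.startswith(univention.admin.uldap.explodeDn(search_base.administrative_dc_group)[0])` drops the trailing comma that the old literal `"cn=DC-Verwaltungsnetz,"` had, so any group whose cn merely begins with the configured name now matches as well. Since the name is configurable, prefix collisions are more likely than before. Compare the full DN instead (`grp == search_base.administrative_dc_group`, case-insensitively) or at least append `','` to the RDN before calling `startswith`.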
@@ -630,24 +606,22 @@
if displayName is not None:
r = lo.modify(ou_base, [('displayName', lo.get(ou_base, ['displayName']).get('displayName', []), [displayName])])
- keys = container.keys()
- keys.sort()
- for path in keys:
+ for path in sorted(container.keys()):
for dn in container[path]:
if path[1:] == 'none':
path = ' '
- verify_container('%s,%s' % (dn, ou_base), cn_module, co, lo, superordinate, baseDN, path=path[1:])
+ verify_container(dn, cn_module, co, lo, superordinate, baseDN, path=path[1:])
# create groups if not existant
- grp_ouadmins = "cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, schoolNr.lower(), baseDN)
+ grp_ouadmins = search_base.admin_group
groups = [
(grp_ouadmins, grp_policy_admins),
- ("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, schoolNr.lower(), getDN(schoolNr)), grp_policy_pupils),
- ("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, schoolNr.lower(), getDN(schoolNr)), grp_policy_teachers),
+ (search_base.students_ou_group, grp_policy_pupils),
+ (search_base.teachers_ou_group, grp_policy_teachers),
]
if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
- groups.append(("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, schoolNr.lower(), getDN(schoolNr)), grp_policy_staff), )
+ groups.append((search_base.staff_ou_group, grp_policy_staff))
if configRegistry.is_true('ucsschool/import/attach/policy/default-umc-users', True):
domain_users_school = "cn=Domain Users %s,cn=groups,%s" % (schoolNr.lower(), getDN(schoolNr))
groups.append((domain_users_school, "cn=default-umc-users,cn=UMC,cn=policies,%s" % (baseDN,)))
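Review bot: `domain_users_school` is still assembled by hand as `"cn=Domain Users %s,cn=groups,%s" % (schoolNr.lower(), getDN(schoolNr))`, while every other group DN in this hunk now comes from `search_base` and the default group list earlier in the patch uses `search_base.groups`. Build this DN from `search_base.groups` as well so that there is a single source for the groups container. Also note that `verify_container()` now receives `dn` instead of `'%s,%s' % (dn, ou_base)`, which is only correct if every entry in `container` is a full DN; the three `'cn=...,{}'.format(search_base.computers)` entries satisfy that, but it is worth an assertion.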
@@ -684,7 +658,7 @@
else:
dccn = 'dc%s-01' % schoolNr.lower()
- dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN), "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (baseDN, )]
+ dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]
if dc == 'verwaltung':
if not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
@@ -696,10 +670,7 @@
dccn = configRegistry.get('hostname')
else:
dccn = 'dc%sv-01' % schoolNr.lower() # this is the naming convention, a trailing v for Verwaltungsnetz DCs
- dcgroups = [
- "cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
- "cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (baseDN, )
- ]
+ dcgroups = [search_base.administrative_ou_dc_group, search_base.administrative_dc_group]
# create server if not exsistant
objects = univention.admin.modules.lookup(
@@ -722,9 +693,9 @@
if not server_exists and not dcName:
try:
if dc == 'verwaltung':
- grpdn = 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (schoolNr.lower(), baseDN)
+ grpdn = search_base.administrative_ou_dc_group
else:
- grpdn = 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (schoolNr.lower(), baseDN)
+ grpdn = search_base.educational_ou_dc_group
hostlist = lo.get(grpdn, ['uniqueMember']).get('uniqueMember', [])
except ldap.NO_SUCH_OBJECT:
hostlist = []
@@ -1096,7 +1067,7 @@
if (schoolNr, classNr.lower()) in verified_group_shares:
return True
- position_dn = "cn=%s,cn=klassen,cn=shares,%s" % (classNr, getDN(schoolNr, basedn=base))
+ position_dn = ClassShare(school=schoolNr, name=classNr).dn
module = univention.admin.modules.get("shares/share")
position_basedn = univention.admin.uldap.position(baseDN)
univention.admin.modules.init(lo, position_basedn, module)
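Review bot: The old `position_dn` was built with `getDN(schoolNr, basedn=base)`, so the caller could select the LDAP base; `ClassShare(school=schoolNr, name=classNr).dn` ignores `base` entirely. If any caller passes a `base` that differs from the default, the share is now looked up and created in a different subtree. Either drop the parameter from the function or document that it no longer affects the share DN.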
@@ -1132,7 +1103,9 @@
print "need to create groupshare %s" % position_dn
# get gid form corresponding group
- group_dn = "cn=%s,cn=klassen,cn=%s,cn=groups,%s" % (classNr, cn_pupils, getDN(schoolNr, basedn=base))
+ school_class = SchoolClass(school=schoolNr, name=classNr)
+ class_share = ClassShare.from_school_class(school_class)
+ group_dn = school_class.dn
gids = lo.get(group_dn, ['gidNumber'])
gid = 0
if len(gids) > 1: # TODO FIXME This doesn't look correct to me - gids is a dict and not a list!
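Review bot: `class_share` is created here with `ClassShare.from_school_class(school_class)`, while `position_dn` in the previous hunk comes from a separate `ClassShare(school=schoolNr, name=classNr)` instance. Create the `SchoolClass` and `ClassShare` objects once at the top of the function and take `position_dn`, `group_dn` and the share path from them, so that all three are guaranteed to describe the same object and `class_share` is defined on every path that later sets `object["path"]`. As in the previous hunk, `basedn=base` is no longer honoured for `group_dn`.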
@@ -1181,10 +1154,7 @@
object.open()
object["name"] = "%s" % classNr
object["host"] = serverfqdn
- if configRegistry.is_true('ucsschool/import/roleshare', True):
- object["path"] = "/home/" + os.path.join(schoolNr, "groups/klassen/%s" % (classNr,))
- else:
- object["path"] = "/home/groups/klassen/%s" % (classNr,)
+ object["path"] = class_share.get_share_path()
object["writeable"] = "1"
object["sambaWriteable"] = "1"
object["sambaBrowseable"] = "1"
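Review bot: The explicit `configRegistry.is_true('ucsschool/import/roleshare', True)` switch between `/home/<school>/groups/klassen/<class>` and `/home/groups/klassen/<class>` is replaced by `class_share.get_share_path()`, and nothing visible here shows that the library evaluates the same variable with the same default. Mention this in the commit message or add a test that covers both settings, since a different result changes the exported path of newly created class shares.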
@@ -1325,7 +1295,7 @@
object["username"] = person.login
object["primaryGroup"] = default_groups[0]
subdir = roleshare_home_subdir(person.sNr, person.getRole(), configRegistry)
- object["unixhome"] = "/home/" + os.path.join(subdir, person.login)
+ object["unixhome"] = os.path.join("/home", subdir, person.login)
object["firstname"] = person.name
object["lastname"] = person.sname
object["e-mail"] = person.mail
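Review bot: `os.path.join("/home", subdir, person.login)` is not equivalent to the old `"/home/" + os.path.join(subdir, person.login)`: when `subdir` or `person.login` starts with `/`, `os.path.join` discards everything before it, so the home directory can end up outside `/home`, which the string concatenation prevented. Validate that neither component is absolute or contains `..` before joining, or keep the old form. The same change appears again in the hunk at -1493.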
@@ -1347,12 +1317,18 @@
# FIXME / TODO
# Test should be following:
# if ( ( ( parts[0].startswith( 'cn=%s' % grp_prefix_pupils) or parts[0].startswith( 'cn=%s' % grp_prefix_pupils) ) and parts[1] == 'cn=groups' and parts[2].startswith('ou=') ) or
- # ( parts[1] == 'cn=klassen' and parts[2] == 'cn=%s' % cn_pupils and parts[3] == 'cn=groups' and parts[4].startswith('ou=') ) ):
+ # ( parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils and parts[3] == 'cn=groups' and parts[4].startswith('ou=') ) ):
+ search_base = School.get_search_base(None)
+ cn_pupils = ldap.explode_dn(search_base.students, True)[0]
+ cn_classes = ldap.explode_dn(search_base.classes, True)[0]
+ grp_prefix_pupils = search_base.group_prefix_students
+ grp_prefix_teachers = search_base.group_prefix_teachers
+
if (
parts[0].startswith('cn=%s' % grp_prefix_pupils) or
parts[0].startswith('cn=%s' % grp_prefix_teachers) or
- (parts[1] == 'cn=klassen' and parts[2] == 'cn=%s' % cn_pupils)
+ (parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils)
):
# group looks like a default group, so we don't need it anymore
print "remove from group: %s" % group
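Review bot: `School.get_search_base(None)` is called only to read the container names and group prefixes, which depends on the library accepting `None` as a school name; a module-level helper or constant would make that intent explicit and avoid rebuilding the object for every group. More importantly, the condition `parts[0].startswith('cn=%s' % grp_prefix_pupils)` matches every group if the configured prefix is an empty string, and the user is then removed from all of them. Reject empty prefixes before this test, since the global sanity check for the UCR values is removed elsewhere in this patch.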
@@ -1493,7 +1469,7 @@
if len(groups) > 1:
object["groups"] = groups[1:]
subdir = roleshare_home_subdir(person.sNr, person.getRole(), configRegistry)
- object["unixhome"] = "/home/" + os.path.join(subdir, person.login)
+ object["unixhome"] = os.path.join("/home", subdir, person.login)
if object.has_key('mailbox'):
object["mailbox"] = "/var/spool/%s/" % person.login
object["password"] = password
@@ -1639,12 +1615,13 @@
main_person.isTeacher = '0'
main_person.isStaff = '0'
- if object.dn.endswith(',cn=%s,cn=users,%s' % (cn_teachers_staff, getDN(ou))):
+ search_base = School.get_search_base(ou)
+ if object.dn.endswith(',%s' % search_base.teachersAndStaff):
main_person.isTeacher = '1'
main_person.isStaff = '1'
- elif object.dn.endswith(',cn=%s,cn=users,%s' % (cn_teachers, getDN(ou))):
+ elif object.dn.endswith(',%s' % search_base.teachers):
main_person.isTeacher = '1'
- elif object.dn.endswith(',cn=%s,cn=users,%s' % (cn_staff, getDN(ou))):
+ elif object.dn.endswith(',%s' % search_base.staff):
main_person.isStaff = '1'
if ou in main_person.allsNrs:
@@ -2253,6 +2230,7 @@
zone = parsed[6]
verify_school_ou(schoolNr, co, lo, baseDN)
+ search_base = School.get_search_base(schoolNr)
try:
ip = ipaddr.IPv4Network(IP)
@@ -2269,11 +2247,11 @@
groups = {}
if ctype == "memberserver":
if zone == "edukativ":
- groups["cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)] = 1
- groups["cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN] = 1
+ groups[search_base.educational_ou_member_group] = 1
+ groups[search_base.educational_member_group] = 1
if zone == "verwaltung":
- groups["cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)] = 1
- groups["cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % baseDN] = 1
+ groups[search_base.administrative_ou_member_group] = 1
+ groups[search_base.administrative_member_group] = 1
# invoke pre hooks
hooks.pre('computer', 'A', line=line)
@@ -2378,8 +2356,8 @@
ClassID = parsed[2]
Descrpt = parsed[3]
- group_dn = "cn=%s,cn=klassen,cn=%s,cn=groups,%s" % (ClassID, cn_pupils, getDN(schoolNr))
- share_dn = "cn=%s,cn=klassen,cn=shares,%s" % (ClassID, getDN(schoolNr))
+ group_dn = SchoolClass(school=schoolNr, name=ClassID).dn
+ share_dn = ClassShare(school=schoolNr, name=ClassID).dn
verify_school_ou(schoolNr, co, lo, baseDN)
@@ -2922,11 +2900,12 @@
slave = slaves[0]
ouDn = oulist[0].dn
+ search_base = School.get_search_base(options.ou)
group_filter = univention.admin.filter.conjunction('&', [
univention.admin.filter.conjunction('|', [
- univention.admin.filter.expression('cn', 'OU%s-DC-Edukativnetz' % options.ou),
- univention.admin.filter.expression('cn', 'OU%s-DC-Verwaltungsnetz' % options.ou),
+ univention.admin.uldap.explodeDn(search_base.educational_ou_dc_group)[0],
+ univention.admin.uldap.explodeDn(search_base.administrative_ou_dc_group)[0],
]),
univention.admin.filter.expression('uniqueMember', slave.dn),
])
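Review bot: The two entries of the inner `'|'` conjunction are now plain strings returned by `univention.admin.uldap.explodeDn(...)[0]`, whereas the removed lines and the `uniqueMember` entry below pass `univention.admin.filter.expression` objects. Unless `conjunction` accepts raw `attr=value` strings and parenthesises them, the resulting filter is malformed. Keep the `expression('cn', ...)` form and pass only the attribute value of the first RDN, for example from `ldap.explode_dn(dn, True)[0]` as used elsewhere in this patch.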
@@ -3027,16 +3006,11 @@
print 'ERROR: specified OU %r does not exist' % ou_name
sys.exit(1)
+ search_base = School.get_search_base(ou_name)
# get list of desired group memberships
group_dn_list = {
- TYPE_DC_ADMINISTRATIVE: [
- 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou_name.lower(), baseDN),
- 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (baseDN,),
- ],
- TYPE_DC_EDUCATIONAL: [
- 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (baseDN,),
- 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou_name.lower(), baseDN),
- ],
+ TYPE_DC_ADMINISTRATIVE: [search_base.administrative_ou_dc_group, search_base.administrative_dc_group],
+ TYPE_DC_EDUCATIONAL: [search_base.educational_dc_group, search_base.educational_ou_dc_group]
}[dc_type]
for grpdn in group_dn_list:
verify_group(grpdn, co, lo, superordinate, baseDN)
Index: ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4
===================================================================
--- ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4 (Revision 74236)
+++ ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-join-secondary-samba4 (Arbeitskopie)
@@ -31,6 +31,7 @@
# .
. /usr/share/univention-lib/all.sh
+. /usr/share/ucs-school-lib/base.sh
display_help() {
cat <<-EOL
@@ -195,11 +196,13 @@
while read service; do
case "$service" in
"UCS@school Education")
- target_server_ucsschool_type=Edukativnetz
+ target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)"
+ target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc)"
target_server_ucsschool_service="$service"
;;
"UCS@school Administration")
- target_server_ucsschool_type=Verwaltungsnetz
+ target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)"
+ target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc)"
target_server_ucsschool_service="$service"
;;
esac
@@ -258,17 +261,17 @@
echo -n "Check group memberschip : "
test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \
- /usr/sbin/udm groups/group list --filter name="DC-$target_server_ucsschool_type" | sed -n "/^ *hosts: $target_ldap_hostdn$/p")
+ /usr/sbin/udm groups/group list --filter name="$target_server_all_dcs" | sed -n "/^ *hosts: $target_ldap_hostdn$/p")
if [ -z "$test_output" ]; then
echo -e "\033[60Gfailed"
- echo "$hostname is not member of the group DC-$target_server_ucsschool_type, this needs to be fixed first manually."
+ echo "$hostname is not member of the group $target_server_all_dcs, this needs to be fixed first manually."
exit 1
fi
test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \
- /usr/sbin/udm groups/group list --filter name="OU$my_school_ou-DC-$target_server_ucsschool_type" | sed -n "/^ *hosts: $target_ldap_hostdn$/p")
+ /usr/sbin/udm groups/group list --filter name="$(replace_ou "$target_server_ou_dcs" "$my_school_ou")" | sed -n "/^ *hosts: $target_ldap_hostdn$/p")
if [ -z "$test_output" ]; then
echo -e "\033[60Gfailed"
- echo "$hostname is not member of the group OU$my_school_ou-DC-$target_server_ucsschool_type, this needs to be fixed first manually."
+ echo "$hostname is not member of the group $(replace_ou "$target_server_ou_dcs" "$my_school_ou"), this needs to be fixed first manually."
exit 1
else
echo -e "\033[60Gdone"
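Review bot: The group name in `--filter name="$target_server_all_dcs"` and in `name="$(replace_ou "$target_server_ou_dcs" "$my_school_ou")"` now comes from UCR instead of a fixed string, and it is handed to `univention-ssh` as part of a remote command line. The double quotes are consumed by the local shell, so if the remote side runs the command through a shell, as ssh does, a name containing spaces or shell metacharacters is split or interpreted there, and LDAP filter characters such as `*` or `)` change the query. Restrict the accepted characters before use and abort with a clear message if either variable is empty, which happens when no service matched in the `case` block above.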
Index: ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-verify-class-memberships
===================================================================
--- ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-verify-class-memberships (Revision 74236)
+++ ucs-school-import/usr/share/ucs-school-import/scripts/ucs-school-verify-class-memberships (Arbeitskopie)
@@ -42,6 +42,7 @@
import univention.admin.handlers.groups.group
import univention.admin.handlers.users.user
import univention.admin.objects
+from ucsschool.lib.models import School, SchoolClass, Staff, Student, Teacher
class Problem(Exception):
@@ -160,7 +161,8 @@
def parse_line(lo, line):
- oubase = 'ou=%s,%s' % (line['school'], ucr['ldap/base'],)
+ school = School(name=line['school'])
+ oubase = school.dn
uid = line['name']
try:
dn = lo.search(filter_format('uid=%s', (uid,)), oubase, unique=True)[0][0]
@@ -173,8 +175,8 @@
raise StudentDoesNotExists(line, uid)
else:
raise StudentIsInAnotherSchool(line, uid, dn)
- if not dn.endswith(',cn=schueler,cn=users,%s' % (oubase,)):
- if not dn.endswith(',cn=lehrer,cn=users,%s' % (oubase,)) or not dn.endswith(',cn=mitarbeiter,cn=users,%s' % (oubase,)):
+ if not dn.endswith(Student.get_container(school.name)):
+ if not dn.endswith(Teacher.get_container(school.name)) or not dn.endswith(Staff.get_container(school.name)):
print('Ignoring teacher/staff %r' % (uid,))
return
msg('ERROR: %s (%s %s) is not a student/teacher/staff.' % (uid, line['firstname'], line['lastname']))
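Review bot: The old suffix tests started with a comma (`',cn=schueler,cn=users,%s'`), but `dn.endswith(Student.get_container(school.name))` and the two calls on the next line do not, so a DN whose preceding RDN value merely ends with the container's first characters can match. Prepend `','` to each `get_container()` result as done in ucs-school-import with `',%s' % search_base.teachers`. While touching the line: `not dn.endswith(Teacher...) or not dn.endswith(Staff...)` is true for every DN, because a DN cannot end with both containers, so the `msg('ERROR: ...')` branch is unreachable; `and` looks intended.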
@@ -186,7 +188,7 @@
correct = False
invalid_groups = set()
for gdn, group in groups: # pylint: disable=W0612
- if not gdn.endswith(',cn=klassen,cn=schueler,cn=groups,%s' % (oubase,)):
+ if not gdn.endswith(SchoolClass.get_container(school.name)):
if not gdn.endswith(oubase) and re.search(',ou=[^,]+,%s$' % (ucr['ldap/base'],), gdn, re.I):
raise StudentIsInAnotherClassInAnotherSchool(line, uid, dn, gdn)
continue # ignore workgroups / Domain Users
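Review bot: `gdn.endswith(SchoolClass.get_container(school.name))` has also lost the leading comma of the old literal `',cn=klassen,cn=schueler,cn=groups,%s'`. Use `',' + SchoolClass.get_container(school.name)` so that only groups located directly in the classes container count as classes.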
Index: ucs-school-ldap-acls-master/61ucsschool_presettings
===================================================================
--- ucs-school-ldap-acls-master/61ucsschool_presettings (Revision 74236)
+++ ucs-school-ldap-acls-master/61ucsschool_presettings (Arbeitskopie)
@@ -1,65 +1,95 @@
+@!@
+# -*- coding: utf-8 -*-
+import re
+
+
+def replace_ucr_variables(template):
+ variable_token = re.compile('@[$]@')
+
+ dir_ucsschool = {
+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
+ 'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
+ }
+
+ while 1:
+ i = variable_token.finditer(template)
+ try:
+ start = i.next()
+ end = i.next()
+ name = template[start.end():end.start()]
+
+ template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():]
+ except StopIteration:
+ break
+
+ return template
+
+
+aclset += """
# start 61ucsschool_presettings
# revert rule from UCS; Bug #41402
access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
by dn.regex=".*cn=computers,ou=([^,]+),(ou=[^,]+,)?@%@ldap/base@%@" none break
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
by set="user/objectClass & ([ucsschoolStudent] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolAdministrator])" none break
by * +0 break
# Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren
access to filter="(objectClass=sambaDomain)"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
# grant write access to domaincontroller slave/member server for certain univention app center settings
access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)"
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
# Slave controllers and memberservers require write access to virtual machine manager objects
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
by * +0 break
@@ -66,47 +96,51 @@
# Slave-Controller und Member-Server benoetigen idmap-Container
access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
# Slave-Controller und Member-Server benoetigen ID-Mapping
access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
# Slave-Controller und Member-Server benoetigen nicht alle Container
access to dn.subtree="cn=backup,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * +0 break
access to dn.subtree="cn=printers,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * +0 break
access to dn.subtree="cn=networks,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * +0 break
access to dn.regex="^(.*,)?cn=(cups|ppolicy|packages|services|templates|admin-settings|default containers|saml-serviceprovider),cn=univention,@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * +0 break
# end 61ucsschool_presettings
+"""
+
+print replace_ucr_variables(aclset)
+@!@
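Review bot: The `none` rules in this hunk (cn=backup, cn=printers, cn=networks and the cn=univention sub-containers) now depend on a group name read from UCR, and a deny clause that names a group which does not exist never matches and falls through to `by * +0 break`. If one of the four groupname variables is changed after the groups were created, or differs from what the join script created, these restrictions silently stop applying, whereas the `write` rules fail closed. Please document that the variables must be set before the join script runs, and consider warning when the referenced group is absent.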
Index: ucs-school-ldap-acls-master/65ucsschool
===================================================================
--- ucs-school-ldap-acls-master/65ucsschool (Revision 74236)
+++ ucs-school-ldap-acls-master/65ucsschool (Arbeitskopie)
@@ -13,19 +13,23 @@
def replace_ucr_variables(template):
variable_token = re.compile('@[$]@')
- dir_ucsschool = { }
- dir_ucsschool[ 'DISTRICT' ] = ''
- if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ):
- dir_ucsschool[ 'DISTRICT' ] = 'ou=[^,]+,'
- dir_ucsschool[ 'PUPILS' ] = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
- dir_ucsschool[ 'TEACHERS' ] = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer')
- dir_ucsschool[ 'STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')
- dir_ucsschool[ 'TEACHERS-STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
- dir_ucsschool[ 'ADMINS' ] = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins')
- dir_ucsschool[ 'GRPADMINS' ] = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
- dir_ucsschool[ 'EXAM' ] = configRegistry.get('ucsschool/ldap/default/container/exam', 'examusers')
+ dir_ucsschool = {
+ 'DISTRICT': 'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '',
+ 'PUPILS': configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'),
+ 'TEACHERS': configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'),
+ 'STAFF': configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'),
+ 'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'),
+ 'ADMINS': configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'),
+ 'GRPADMINS': configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'),
+ 'EXAM': configRegistry.get('ucsschool/ldap/default/container/exam', 'examusers'),
+ 'CLASS': configRegistry.get('ucsschool/ldap/default/container/class', 'klassen'),
+ 'ROOMS': configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'),
+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
+ 'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
+ }
-
while 1:
i = variable_token.finditer(template)
try:
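Review bot: `configRegistry.is_true('ucsschool/ldap/district/enable')` on the DISTRICT line is not a drop-in replacement for the removed check, which accepted only yes, true and 1. UCR's is_true also treats further spellings such as enable and on as true, so a system carrying one of those values switches every DISTRICT-dependent dn.regex to district mode after this update. If the widening is intended, say so in the changelog; otherwise keep the explicit tuple.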
@@ -43,20 +47,20 @@
aclset += """
# DC Slaves need write access to the members of the group Domain Computers
access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
# Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects
access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
# Slave DCs can read and write policy containers for MS WMI filter objects
access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern
@@ -70,12 +74,12 @@
by * +0 break
# Lehrer, Mitarbeiter und OU-Admins duerfen Raum-Gruppen anlegen und bearbeiten
-access to dn.regex="^cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
+access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
by set.expand="[$1] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
@$@# old rule@$@ by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write
by * +0 break
-access to dn.regex="^cn=([^,]+),cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
+access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
@$@# old rule@$@ by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write
by * +0 break
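Review bot: `@$@ROOMS@$@` is substituted verbatim into both dn.regex patterns, so a container name containing regex metacharacters (a dot, a pipe, parentheses) or a comma changes which DNs the rule matches, and a parenthesised value would shift the `$1`/`$2` capture groups that the set.expand and old-rule lines rely on. The default raeume is harmless, but replace_ucr_variables should either escape values that end up inside dn.regex or reject names outside a conservative character set.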
@@ -145,10 +149,10 @@
by * +0 break
access to dn.subtree="cn=temporary,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * +0 break
# OU-Admins duerfen MAC-Adressen im Rechner- und DHCP-Objekt aendern
@@ -172,24 +176,24 @@
# domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers
access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * +0 break
access to filter="(|(objectClass=ucsschoolStudent)(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * +0 break
# domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users
access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * +0 break
access to filter="(&(objectClass=ucsschoolStaff)(!(objectClass=ucsschoolTeacher))(!(objectClass=ucsschoolAdministrator)))"
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * +0 break
# FIXME: this rule allows to read all passwords underneath of all OU's instead of only the password belonging to the OU; explain why or fix it
@@ -196,41 +200,41 @@
# TODO: are the following attributes missing here?: 'sambaBadPasswordCount', 'krb5PasswordEnd', 'shadowMax', 'sambaAcctFlags', 'sambaPasswordHistory'
# Memberserver duerfen Passwoerter aller Objekte unterhalb einer Schule lesen
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,sambaPwdCanChange,sambaPwdMustChange
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
by * +0 break
# Alle DC-Slaves muessen alle Benutzercontainer und Gruppen jeder Schule lesen koennen
access to dn.regex="^ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="objectClass=ucsschoolOrganizationalUnit"
- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
by * +0 break
access to dn.regex="^cn=(users|groups|@$@EXAM@$@),ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
by * +0 break
access to dn.regex="^([^,]+),cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
by * +0 break
access to dn.regex="^cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
by * +0 break
# DC-Slaves muessen die Benutzer ihrer Schule lesen und schreiben duerfen
access to dn.regex="^uid=([^,]+),cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
- by set="([cn=OU]+this/ucsschoolSchool+[-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write
+ by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write
by * +0 break
access to dn.regex="^uid=([^,]+),cn=@$@EXAM@$@,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
- by set="([cn=OU]+this/ucsschoolSchool+[-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write
+ by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write
by * +0 break
# Schul-Slave-Server duerfen nur Eintraege ihrer OU lesen und schreiben (Passwortaenderungen etc.)
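Review bot: The OU-specific group cn is assembled in this hunk as the literal prefix `OU$1-` or `OU$2-` plus the configurable name, and in the two set= rules as `[cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,...]`, while school.py in the same patch takes the complete DN from search_base.educational_ou_dc_group and its siblings. Nothing visible here guarantees that both sides produce the same cn, so please confirm the search_base attributes use exactly this OU<school>-<name> format, or derive both from one place. Note also that a `]` in the configured name would end the set literal early.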
@@ -237,13 +241,13 @@
# Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
by set.expand="[ldap:///ou=$2,@%@ldap/base@%@?ou?base?%28%21%28objectClass%3DucsschoolOrganizationalUnit%29%29]/ou" +0 break
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write
by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd continue
by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +rscxd continue
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop
by set.expand="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +0 stop
by dn.regex="^.*,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd break
by dn.regex="^.*,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +0 stop
@@ -250,22 +254,22 @@
by * +0 break
# Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!)
-access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember.expand="cn=OU$1-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+access to dn.regex="^cn=@$@CLASS@$@,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * +0 break
# Schulserver duerfen die Passwoerter aller globalen Objekte replizieren
access to dn.regex="^(.+,)?cn=(users|kerberos|computers),@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
by * +0 break
"""
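Review bot: Only the first rule of this hunk is switched to `@$@CLASS@$@`; the next rule, `access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,...`, is left as unchanged context with the hard-coded container name. With a non-default ucsschool/ldap/default/container/class the school DCs would get write access to the container entry but not to the class groups inside it, which is exactly the access the comment says UMC needs for teacher assignment. Replace `cn=klassen` with `cn=@$@CLASS@$@` in that rule as well.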
Index: ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst
===================================================================
--- ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst (Revision 74236)
+++ ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst (Arbeitskopie)
@@ -32,6 +32,8 @@
VERSION=7
. /usr/share/univention-join/joinscripthelper.lib
. /usr/share/univention-lib/ldap.sh
+. /usr/share/ucs-school-lib/base.sh
+
joinscript_init
eval "$(univention-config-registry shell)"
@@ -43,7 +45,11 @@
--set name="ucsschool"
# create global groups required for LDAP ACLs for UCS@school
-for grp in "DC-Verwaltungsnetz" "Member-Verwaltungsnetz" "DC-Edukativnetz" "Member-Edukativnetz" ; do
+for grp in \
+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)" \
+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-member)" \
+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)" \
+ "$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-member)"; do
univention-directory-manager groups/group create "$@" \
--ignore_exist \
--position="cn=ucsschool,cn=groups,$ldap_base" \
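Review bot: The results of the four `$(ucr_names_default ...)` calls are fed straight into the loop with no check that they are non-empty. If the helper is unavailable or returns nothing for a key, the create call runs with an empty group name and the ACLs then reference a group that was never created. Add a `[ -n "$grp" ]` test that aborts the join script with a clear error.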
Index: ucs-school-ldap-acls-master/debian/control
===================================================================
--- ucs-school-ldap-acls-master/debian/control (Revision 74236)
+++ ucs-school-ldap-acls-master/debian/control (Arbeitskopie)
@@ -9,7 +9,7 @@
Package: ucs-school-ldap-acls-master
Architecture: all
-Depends: univention-ldap-server, univention-ldap-config
+Depends: univention-ldap-server, univention-ldap-config, shell-ucs-school
Conflicts: univention-server-slave, univention-server-member, univention-mobile-client, univention-managed-client, univention-basesystem
Description: Special LDAP ACLs for UCS@school
This package provides additional LDAP ACLs for slapd
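Review bot: The new dependency on shell-ucs-school is unversioned, although the join script in this patch calls `ucr_names_default` from /usr/share/ucs-school-lib/base.sh. If that function is introduced together with this change, an older installed shell-ucs-school already satisfies the dependency and the join script fails at the first call. Use a versioned dependency naming the first shell-ucs-school release that ships the function.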
Index: ucs-school-lib/python/models/school.py
===================================================================
--- ucs-school-lib/python/models/school.py (Revision 74236)
+++ ucs-school-lib/python/models/school.py (Arbeitskopie)
@@ -80,22 +80,18 @@
def get_container(cls, school=None):
return ucr.get('ldap/base')
- @classmethod
- def cn_name(cls, name, default):
- ucr_var = 'ucsschool/ldap/default/container/%s' % name
- return ucr.get(ucr_var, default)
-
def create_default_containers(self, lo):
- cn_pupils = self.cn_name('pupils', 'schueler')
- cn_teachers = self.cn_name('teachers', 'lehrer')
- cn_admins = self.cn_name('admins', 'admins')
- cn_classes = self.cn_name('class', 'klassen')
- cn_rooms = self.cn_name('rooms', 'raeume')
+ search_base = self.get_search_base(self.name)
+ cn_pupils = ldap.explode_dn(search_base.students, True)[0]
+ cn_teachers = ldap.explode_dn(search_base.teachers, True)[0]
+ cn_admins = ldap.explode_dn(search_base.admins, True)[0]
+ cn_classes = ldap.explode_dn(search_base.classes, True)[0]
+ cn_rooms = ldap.explode_dn(search_base.rooms, True)[0]
user_containers = [cn_pupils, cn_teachers, cn_admins]
group_containers = [cn_pupils, [cn_classes], cn_teachers, cn_rooms]
if self.shall_create_administrative_objects():
- cn_staff = self.cn_name('staff', 'mitarbeiter')
- cn_teachers_staff = self.cn_name('teachers-and-staff', 'lehrer und mitarbeiter')
+ cn_staff = ldap.explode_dn(search_base.staff, True)[0]
+ cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0]
user_containers.extend([cn_staff, cn_teachers_staff])
group_containers.append(cn_staff)
containers_with_path = {
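Review bot: `create_default_containers` now calls `ldap.explode_dn(...)`, but none of the hunks for this file adds `import ldap`; please confirm the module already imports it, otherwise the method raises NameError the first time a school is created. The hunk also removes the classmethod `cn_name` (and a later hunk removes `group_name`) without a deprecation shim, so check for callers outside this file before dropping them.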
@@ -127,12 +123,6 @@
for cn in containers:
last_dn = _add_container(cn, last_dn, self.dn, path, lo)
- def group_name(self, prefix_var, default_prefix):
- ucr_var = 'ucsschool/ldap/default/groupprefix/%s' % prefix_var
- name_part = ucr.get(ucr_var, default_prefix)
- school_part = self.name.lower()
- return '%s%s' % (name_part, school_part)
-
def get_umc_policy_dn(self, name):
# at least the default ones should exist due to the join script
return ucr.get('ucsschool/ldap/default/policy/umc/%s' % name, 'cn=ucsschool-umc-%s-default,cn=UMC,cn=policies,%s' % (name, ucr.get('ldap/base')))
@@ -153,8 +143,8 @@
group.create(lo)
# cn=ouadmins
- admin_group_container = 'cn=ouadmins,cn=groups,%s' % ucr.get('ldap/base')
- group = BasicGroup.cache(self.group_name('admins', 'admins-'), container=admin_group_container)
+ search_base = self.get_search_base(self.name)
+ group = BasicGroup.cache("{}{}".format(search_base.group_prefix_admins, self.name.lower()), container=search_base.globalGroupContainer)
group.create(lo)
group.add_umc_policy(self.get_umc_policy_dn('admins'), lo)
try:
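Review bot: The container for the admins group used to be the literal `cn=ouadmins,cn=groups,<ldap/base>` and is now `search_base.globalGroupContainer`, whose value is not visible in this patch. If it resolves to a different DN, new admins-<ou> groups end up somewhere other than on existing installations. Please confirm it is the same DN, or state the move explicitly in the commit message.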
@@ -169,18 +159,18 @@
udm_obj.modify()
# cn=schueler
- group = Group.cache(self.group_name('pupils', 'schueler-'), self.name)
+ group = Group.cache("{}{}".format(search_base.group_prefix_students, self.name.lower()), self.name)
group.create(lo)
group.add_umc_policy(self.get_umc_policy_dn('pupils'), lo)
# cn=lehrer
- group = Group.cache(self.group_name('teachers', 'lehrer-'), self.name)
+ group = Group.cache("{}{}".format(search_base.group_prefix_teachers, self.name.lower()), self.name)
group.create(lo)
group.add_umc_policy(self.get_umc_policy_dn('teachers'), lo)
# cn=mitarbeiter
if self.shall_create_administrative_objects():
- group = Group.cache(self.group_name('staff', 'mitarbeiter-'), self.name)
+ group = Group.cache("{}{}".format(search_base.group_prefix_staff, self.name.lower()), self.name)
group.create(lo)
group.add_umc_policy(self.get_umc_policy_dn('staff'), lo)
@@ -237,20 +227,34 @@
return flatten([self.get_administrative_group_name(group_type, True, ou_specific, as_dn), self.get_administrative_group_name(group_type, False, ou_specific, as_dn)])
if ou_specific == 'both':
return flatten([self.get_administrative_group_name(group_type, domain_controller, False, as_dn), self.get_administrative_group_name(group_type, domain_controller, True, as_dn)])
+ search_base = self.get_search_base(self.name)
+ base_dn = ucr.get('ldap/base')
if group_type == 'administrative':
- name = 'Verwaltungsnetz'
+ if domain_controller:
+ if ou_specific:
+ dn = search_base.administrative_ou_dc_group
+ else:
+ dn = search_base.administrative_dc_group
+ else:
+ if ou_specific:
+ dn = search_base.administrative_ou_member_group
+ else:
+ dn = search_base.administrative_member_group
else:
- name = 'Edukativnetz'
- if domain_controller:
- name = 'DC-%s' % name
- else:
- name = 'Member-%s' % name
- if ou_specific:
- name = 'OU%s-%s' % (self.name.lower(), name)
+ if domain_controller:
+ if ou_specific:
+ dn = search_base.educational_ou_dc_group
+ else:
+ dn = search_base.educational_dc_group
+ else:
+ if ou_specific:
+ dn = search_base.educational_ou_member_group
+ else:
+ dn = search_base.educational_member_group
if as_dn:
- return 'cn=%s,cn=ucsschool,cn=groups,%s' % (name, ucr.get('ldap/base'))
+ return dn
else:
- return name
+ return ldap.explode_dn(dn, True)[0]
def get_administrative_server_names(self, lo):
dn = self.get_administrative_group_name('administrative', ou_specific=True, as_dn=True)
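Review bot: base_dn = ucr.get('ldap/base') is assigned at the top of the new block but never read in the lines shown, since every branch now takes a complete DN from search_base; drop the assignment. The name-only return path now calls ldap.explode_dn(dn, True)[0], so please check that this module imports ldap, which the hunk does not show. The eight-way nested if/else would be easier to audit as a lookup keyed on (group_type, domain_controller, ou_specific).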
Index: ucs-school-lib/python/models/share.py
===================================================================
--- ucs-school-lib/python/models/share.py (Revision 74236)
+++ ucs-school-lib/python/models/share.py (Arbeitskopie)
@@ -138,6 +138,6 @@
def get_share_path(self):
if ucr.is_true('ucsschool/import/roleshare', True):
- return '/home/%s/groups/klassen/%s' % (self.school_group.school, self.name)
+ return '/home/%s/groups/%s/%s' % (self.school_group.school, self.get_search_base(self.school).share_name_class, self.name)
else:
- return '/home/groups/klassen/%s' % self.name
+ return '/home/groups/%s/%s' % (self.get_search_base(self.school).share_name_class, self.name)
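Review bot: In get_share_path the roleshare branch takes the school for the path from self.school_group.school but looks up the search base with self.school, so the two can disagree if they ever differ. Use one source for both, and fetch share_name_class once before the if instead of calling self.get_search_base(self.school) in each branch.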
Index: ucs-school-lib/python/models/user.py
===================================================================
--- ucs-school-lib/python/models/user.py (Revision 74236)
+++ ucs-school-lib/python/models/user.py (Arbeitskopie)
@@ -445,15 +445,15 @@
return [self.get_group_dn('Domain Users %s' % school, school) for school in self.schools]
def get_students_groups(self):
- prefix = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
+ prefix = self.get_search_base(self.school).group_prefix_students
return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]
def get_teachers_groups(self):
- prefix = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
+ prefix = self.get_search_base(self.school).group_prefix_teachers
return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]
def get_staff_groups(self):
- prefix = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')
+ prefix = self.get_search_base(self.school).group_prefix_staff
return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]
def groups_used(self, lo):
@@ -677,6 +677,6 @@
@classmethod
def from_student_dn(cls, lo, school, dn):
- examUserPrefix = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')
+ examUserPrefix = cls.get_search_base(school).user_prefix_exam
dn = 'uid=%s%s,%s' % (escape_dn_chars(examUserPrefix), explode_dn(dn, True)[0], cls.get_container(school))
return cls.from_dn(dn, school, lo)
Index: ucs-school-lib/python/roleshares.py
===================================================================
--- ucs-school-lib/python/roleshares.py (Revision 74236)
+++ ucs-school-lib/python/roleshares.py (Arbeitskopie)
@@ -36,7 +36,7 @@
import univention.config_registry
from ucsschool.lib.roles import role_pupil, role_teacher, role_staff
from ucsschool.lib.i18n import ucs_school_name_i18n
-from ucsschool.lib.models import Group, School
+from ucsschool.lib.models import Group, School, Share
from ucsschool.lib.schoolldap import LDAP_Connection, USER_READ, USER_WRITE, MACHINE_READ
import univention.admin.uexceptions
import univention.admin.uldap as udm_uldap
@@ -151,7 +151,7 @@
ucr.load()
school_ou = school.name
- share_container_dn = school.get_search_base(school.name).shares
+ share_container_dn = Share.get_container(school.name)
teacher_groupname = '-'.join((ucs_school_name_i18n(role_teacher), school_ou))
teacher_group = Group(name=teacher_groupname, school=school_ou).get_udm_object(ldap_user_read)
Index: ucs-school-lib/python/schoolldap.py
===================================================================
--- ucs-school-lib/python/schoolldap.py (Revision 74236)
+++ ucs-school-lib/python/schoolldap.py (Arbeitskopie)
@@ -30,29 +30,26 @@
# /usr/share/common-licenses/AGPL-3; if not, see
# .
+import inspect
+import re
+from functools import wraps
+from ldap.filter import escape_filter_chars, filter_format
+
+import univention.admin.config
+import univention.admin.modules
+import univention.admin.modules as udm_modules
import univention.config_registry
import univention.uldap
-import univention.admin.config
-import univention.admin.modules
from univention.admin.filter import conjunction, parse
from univention.admin.uexceptions import noObject
-
-import univention.admin.modules as udm_modules
-from univention.management.console.protocol.message import Message
-
from univention.lib.i18n import Translation
-
-from functools import wraps
-import re
-import inspect
-from ldap.filter import escape_filter_chars, filter_format
-
from univention.management.console.config import ucr
+from univention.management.console.ldap import get_machine_connection, get_admin_connection, get_user_connection#, reset_cache as reset_connection_cache
from univention.management.console.log import MODULE
-from univention.management.console.ldap import get_machine_connection, get_admin_connection, get_user_connection # , reset_cache as reset_connection_cache
from univention.management.console.modules import Base, UMC_Error
from univention.management.console.modules.decorators import sanitize
from univention.management.console.modules.sanitizers import StringSanitizer
+from univention.management.console.protocol.message import Message
# load UDM modules
udm_modules.update()
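Review bot: The reordered import of get_user_connection keeps the commented-out tail as "get_user_connection#, reset_cache as reset_connection_cache" with the spacing around # removed; delete the dead fragment rather than carrying it through the reorder. The block also still imports univention.admin.modules twice, once plain and once as udm_modules, and this would be a good moment to keep only the form that is used.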
@@ -164,7 +161,16 @@
self._school = school or availableSchools[0]
self._schoolDN = dn or School.cache(self.school).dn
- # prefixes
+ #
+ # When adding/updating UCRV defaults, also add/update them in shell/base.sh.
+ #
+
+ #
+ # When changing any of ucsschool/ldap/default/groupname/all-{administrativ, educational}-{dc, member}
+ # copy the changes to ucs-school-ldap-acls-master/{61ucsschool_presettings, 65ucsschool}.
+ #
+
+ # containers
self._containerAdmins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')
self._containerStudents = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')
self._containerStaff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')
@@ -173,12 +179,38 @@
self._containerClass = ucr.get('ucsschool/ldap/default/container/class', 'klassen')
self._containerRooms = ucr.get('ucsschool/ldap/default/container/rooms', 'raeume')
self._examUserContainerName = ucr.get('ucsschool/ldap/default/container/exam', 'examusers')
- self._examGroupNameTemplate = ucr.get('ucsschool/ldap/default/groupname/exam', 'OU%(ou)s-Klassenarbeit')
-
+ # group names
+ self._examGroupName = ucr.get('ucsschool/ldap/default/groupname/exam',
+ 'OU%(ou)s-Klassenarbeit') % {'ou': self._school.lower()}
+ self._all_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-dc',
+ 'DC-Verwaltungsnetz')
+ self._all_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-member',
+ 'Member-Verwaltungsnetz')
+ self._all_educational_dc = ucr.get('ucsschool/ldap/default/groupname/all-educational-dc',
+ 'DC-Edukativnetz')
+ self._all_educational_member = ucr.get('ucsschool/ldap/default/groupname/all-educational-member',
+ 'Member-Edukativnetz')
+ self._ou_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-dc',
+ 'OU%(ou)s-DC-Verwaltungsnetz') % {'ou': self._school.lower()}
+ self._ou_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-member',
+ 'OU%(ou)s-Member-Verwaltungsnetz') % {'ou': self._school.lower()}
+ self._ou_educational_dc = ucr.get('ucsschool/ldap/default/groupname/ou-educational-dc',
+ 'OU%(ou)s-DC-Edukativnetz') % {'ou': self._school.lower()}
+ self._ou_educational_member = ucr.get('ucsschool/ldap/default/groupname/ou-educational-member',
+ 'OU%(ou)s-Member-Edukativnetz') % {'ou': self._school.lower()}
+ # group prefixes
self.group_prefix_students = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
self.group_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
self.group_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
self.group_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')
+ # user prefix
+ self.user_prefix_exam = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')
+ # share/directory names
+ self.share_name_class = ucr.get('ucsschool/ldap/default/share/class', 'klassen')
+ self.share_name_pupils = ucr.get('ucsschool/ldap/default/share/pupils', 'schueler')
+ self.share_name_teachers = ucr.get('ucsschool/ldap/default/share/teachers', 'lehrer')
+ self.share_name_exams = ucr.get('ucsschool/ldap/default/share/exams', 'Klassenarbeiten')
+ self.share_name_marktplatz = ucr.get('ucsschool/import/generate/share/marktplatz/name', 'Marktplatz')
@classmethod
def getOU(cls, dn):
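Review bot: The group name templates are now expanded in the constructor with % {'ou': self._school.lower()}, while the removed code kept the raw template in _examGroupNameTemplate, so OUs whose name contains upper-case letters now get lower-cased group names unless the old substitution also lower-cased. Please state whether that is intended and whether existing groups still match wherever names are compared as strings. Because the % formatting now runs in __init__ on an administrator-supplied UCR value, a value with a malformed % sequence raises while the search base is being constructed; catching that and falling back to the default, with a log message, would keep one bad variable from breaking every caller. The UCR keys also spell 'administrativ' while the new properties spell 'administrative', which is worth a comment so nobody "fixes" one side.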
@@ -247,25 +279,65 @@
@property
def students(self):
+ """cn=schueler,cn=users,"""
return "cn=%s,cn=users,%s" % (self._containerStudents, self.schoolDN)
@property
+ def students_group(self):
+ """cn=schueler,cn=groups,"""
+ return "cn=%s,cn=groups,%s" % (self._containerStudents, self.schoolDN)
+
+ @property
+ def students_ou_group(self):
+ """cn=schueler-%(ou)s,cn=groups, (ou already replaced)"""
+ return "cn=%s%s,cn=groups,%s" % (self.group_prefix_students, self.school, self.schoolDN)
+
+ @property
def teachers(self):
+ """cn=lehrer,cn=users,"""
return "cn=%s,cn=users,%s" % (self._containerTeachers, self.schoolDN)
@property
+ def teachers_group(self):
+ """cn=lehrer,cn=groups,"""
+ return "cn=%s,cn=groups,%s" % (self._containerTeachers, self.schoolDN)
+
+ @property
+ def teachers_ou_group(self):
+ """cn=lehrer-%(ou)s,cn=groups, (ou already replaced)"""
+ return "cn=%s%s,cn=groups,%s" % (self.group_prefix_teachers, self.school, self.schoolDN)
+
+ @property
def teachersAndStaff(self):
+ """cn=lehrer und mitarbeiter,cn=users,"""
return "cn=%s,cn=users,%s" % (self._containerTeachersAndStaff, self.schoolDN)
@property
def staff(self):
+ """cn=mitarbeiter,cn=users,"""
return "cn=%s,cn=users,%s" % (self._containerStaff, self.schoolDN)
@property
+ def staff_group(self):
+ """cn=mitarbeiter,cn=groups,"""
+ return "cn=%s,cn=groups,%s" % (self._containerStaff, self.schoolDN)
+
+ @property
+ def staff_ou_group(self):
+ """cn=mitarbeiter-%(ou)s,cn=groups, (ou already replaced)"""
+ return "cn=%s%s,cn=groups,%s" % (self.group_prefix_staff, self.school, self.schoolDN)
+
+ @property
def admins(self):
+ """cn=admins,cn=users,"""
return "cn=%s,cn=users,%s" % (self._containerAdmins, self.schoolDN)
@property
+ def admin_group(self):
+ """cn=admins-%(ou)s,cn=ouadmins,cn=groups, (ou already replaced)"""
+ return "cn=%s%s,cn=ouadmins,cn=groups,%s" % (self.group_prefix_admins, self.school, self.schoolDN)
+
+ @property
def classShares(self):
return "cn=%s,cn=shares,%s" % (self._containerClass, self.schoolDN)
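Review bot: The new admin_group property builds "cn=%s%s,cn=ouadmins,cn=groups,%s" with self.schoolDN as the base, but the creation code removed earlier in this patch placed that group under 'cn=ouadmins,cn=groups,%s' % ucr.get('ldap/base'), that is, below the LDAP base and not below the school OU. Unless the location is meant to change, this should use self._ldapBase, otherwise callers get a DN that does not exist. The *_ou_group properties also interpolate self.school as is, while the group creation code in this patch uses self.name.lower(), so the casing of the returned DNs can differ from the objects that were created.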
@@ -291,28 +363,72 @@
@property
def educationalDCGroup(self):
- return "cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase)
+ """deprecated, please use educational_ou_dc_group"""
+ return self.educational_ou_dc_group
@property
def educationalMemberGroup(self):
- return "cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase)
+ """deprecated, please use educational_ou_member_group"""
+ return self.educational_ou_member_group
@property
def administrativeDCGroup(self):
- return "cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase)
+ """deprecated, please use administrative_ou_dc_group"""
+ return self.administrative_ou_dc_group
@property
def administrativeMemberGroup(self):
- return "cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase)
+ """deprecated, please use administrative_ou_member_group"""
+ return self.administrative_ou_member_group
@property
+ def administrative_dc_group(self):
+ """cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,"""
+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_dc, self._ldapBase)
+
+ @property
+ def administrative_member_group(self):
+ """cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,"""
+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_member, self._ldapBase)
+
+ @property
+ def educational_dc_group(self):
+ """cn=DC-Edukativnetz,cn=ucsschool,cn=groups,"""
+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_dc, self._ldapBase)
+
+ @property
+ def educational_member_group(self):
+ """cn=Member-Edukativnetz,cn=ucsschool,cn=groups,"""
+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_member, self._ldapBase)
+
+ @property
+ def educational_ou_dc_group(self):
+ """cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups, (ou already replaced)"""
+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_dc, self._ldapBase)
+
+ @property
+ def educational_ou_member_group(self):
+ """cn=OU%(ou)s-Member-Edukativnetz,cn=ucsschool,cn=groups, (ou already replaced)"""
+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_member, self._ldapBase)
+
+ @property
+ def administrative_ou_dc_group(self):
+ """cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups, (ou already replaced)"""
+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_dc, self._ldapBase)
+
+ @property
+ def administrative_ou_member_group(self):
+ """cn=OU%(ou)s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups, (ou already replaced)"""
+ return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_member, self._ldapBase)
+
+ @property
def examGroupName(self):
- # replace '%(ou)s' strings in generic exam_group_name
- ucr_value_keywords = {'ou': self.school}
- return self._examGroupNameTemplate % ucr_value_keywords
+ """OU%(ou)s-Klassenarbeit (only name, not a DN, ou already replaced)"""
+ return self._examGroupName
@property
def examGroup(self):
+ """cn=OU%(ou)s-Klassenarbeit,cn=ucsschool,cn=groups, (ou already replaced)"""
return "cn=%s,cn=ucsschool,cn=groups,%s" % (self.examGroupName, self._ldapBase)
def isWorkgroup(self, groupDN):
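Review bot: educationalDCGroup, educationalMemberGroup, administrativeDCGroup and administrativeMemberGroup are marked deprecated only in their docstrings, so existing callers will never notice. Emit a DeprecationWarning (or a log line) from each forwarding property and note the replacement names in the changelog.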
Index: ucs-school-lib/shell/base.sh
===================================================================
--- ucs-school-lib/shell/base.sh (Revision 74236)
+++ ucs-school-lib/shell/base.sh (Arbeitskopie)
@@ -110,7 +110,7 @@
#
# $ servers_school_ous -h $(ucr get ldap/master) -p $(ucr get ldap/master/port)
# ou=bar,dc=example,dc=com
- local ldap_hostdn ldap_base ldap_server ldap_port IFS
+ local ldap_hostdn ldap_base ldap_server ldap_port IFS res
. /usr/share/univention-lib/ucr.sh
ldap_base="$(/usr/sbin/univention-config-registry get ldap/base)"
@@ -140,10 +140,9 @@
res=""
for oudn in $(univention-ldapsearch $ldap_server $ldap_port -xLLL -b "$ldap_base" 'objectClass=ucsschoolOrganizationalUnit' dn | ldapsearch-wrapper | sed -nre 's/^dn: //p') ; do
ouname="$(school_ou "$oudn")"
- if is_ucr_true ucsschool/singlemaster; then
- search_str="(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))"
- else
- search_str="(&(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))(uniqueMember=${ldap_hostdn}))"
+ search_str="(|(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc ${ouname}))(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc OU${ouname})))"
+ if ! is_ucr_true ucsschool/singlemaster; then
+ search_str="(&${search_str}(uniqueMember=${ldap_hostdn}))"
fi
if univention-ldapsearch $ldap_server $ldap_port -xLLL "$search_str" dn | grep -q "^dn: "; then
res="$res
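Review bot: In the new search_str the two ucr_names_default calls receive different arguments: the educational lookup gets ${ouname} and the administrative lookup gets OU${ouname}. Since the default template already starts with OU%(ou)s, the second call yields a name with a doubled OU prefix and the administrative DC group will never match. Pass "${ouname}" (quoted) in both calls. The result of ucr_names_default is also pasted into an LDAP filter without checking its exit status, so a failed lookup ends up as error text inside the filter.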
@@ -152,3 +151,92 @@
done
echo -n "${res}" | egrep -v "^\s*$"
}
+
+replace_ou() {
+ # syntax: replace_ou
+ #
+ # Replace '%(ou)s' in with
+ #
+ # example:
+ # $ replace_ou "OU%(ou)s-DC-Edukativnetz" "myschool"
+ # "OUmyschool-DC-Edukativnetz
+ if [ "$#" != 2 ]; then
+ echo "syntax: replace_ou "
+ return 1
+ fi
+ echo -n "$1" | sed "s/%(ou)s/$2/"
+}
+
+ucr_names_default() {
+ # syntax: ucr_names_default [ou]
+ #
+ # Get UCR value or default, optionally replace '%(ou)s'.
+ #
+ # example:
+ # $ ucr_names_default "ucsschool/ldap/default/container/pupils"
+ # "schueler
+ # $ ucr_names_default "ucsschool/ldap/default/groupname/ou-administrativ-dc" "myschool"
+ # "OUmyschool-DC-Verwaltungsnetz"
+ local res
+
+ if [ "$#" -lt 1 -o "$#" -gt 2 ]; then
+ echo "syntax: ucr_names_default [ou]"
+ return 1
+ fi
+ if [ $(echo -n "$1" | cut -f 1-3 -d '/') != 'ucsschool/ldap/default' ]; then
+ echo " must be a UCR variable from ucsschool/ldap/default/*/*"
+ return 1
+ fi
+
+ #
+ # When adding/updating UCRV defaults, also add/update them in python/schoolldap.py.
+ #
+
+ res="$(ucr get $1)"
+ if [ -z "$res" ]; then
+ case "$1" in
+ # containers
+ 'ucsschool/ldap/default/container/admins') res='admins';;
+ 'ucsschool/ldap/default/container/pupils') res='schueler';;
+ 'ucsschool/ldap/default/container/staff') res='mitarbeiter';;
+ 'ucsschool/ldap/default/container/teachers-and-staff') res='lehrer und mitarbeiter';;
+ 'ucsschool/ldap/default/container/teachers') res='lehrer';;
+ 'ucsschool/ldap/default/container/class') res='klassen';;
+ 'ucsschool/ldap/default/container/rooms') res='raeume';;
+ 'ucsschool/ldap/default/container/exam') res='examusers';;
+ # group names
+ 'ucsschool/ldap/default/groupname/exam') res='OU%(ou)%s-Klassenarbeit';;
+ 'ucsschool/ldap/default/groupname/all-administrativ-dc') res='DC-Verwaltungsnetz';;
+ 'ucsschool/ldap/default/groupname/all-administrativ-member') res='Member-Verwaltungsnetz';;
+ 'ucsschool/ldap/default/groupname/all-educational-dc') res='DC-Edukativnetz';;
+ 'ucsschool/ldap/default/groupname/all-educational-member') res='Member-Edukativnetz';;
+ 'ucsschool/ldap/default/groupname/ou-administrativ-dc') res='OU%(ou)s-DC-Verwaltungsnetz';;
+ 'ucsschool/ldap/default/groupname/ou-administrativ-member') res='OU%(ou)s-Member-Verwaltungsnetz';;
+ 'ucsschool/ldap/default/groupname/ou-educational-dc') res='OU%(ou)s-DC-Edukativnetz';;
+ 'ucsschool/ldap/default/groupname/ou-educational-member') res='OU%(ou)s-Member-Edukativnetz';;
+ # group prefixes
+ 'ucsschool/ldap/default/groupprefix/pupils') res='schueler-';;
+ 'ucsschool/ldap/default/groupprefix/teachers') res='lehrer-';;
+ 'ucsschool/ldap/default/groupprefix/admins') res='admins-';;
+ 'ucsschool/ldap/default/groupprefix/staff') res='mitarbeiter-';;
+ # user prefix
+ 'ucsschool/ldap/default/userprefix/exam') res='exam-';;
+ # share/directory names
+ 'ucsschool/ldap/default/share/class') res='klassen';;
+ 'ucsschool/ldap/default/share/pupils') res='schueler';;
+ 'ucsschool/ldap/default/share/teachers') res='lehrer';;
+ 'ucsschool/ldap/default/share/exams') res='Klassenarbeiten';;
+ 'ucsschool/import/generate/share/marktplatz/name') res='Marktplatz';;
+ esac
+ fi
+ if [ -z "$res" ]; then
+ echo "Error: Unknown UCR $1."
+ return 1
+ fi
+
+ if [ -z "$2" ]; then
+ echo -n "$res"
+ else
+ replace_ou "$res" "$2"
+ fi
+}
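Review bot: The prefix guard in ucr_names_default rejects every key that does not start with ucsschool/ldap/default, yet the case table lists ucsschool/import/generate/share/marktplatz/name and the join and postinst scripts in this patch call it with exactly that key, so those calls can only return the error message. Either widen the guard or move that key elsewhere. The default for groupname/exam is written 'OU%(ou)%s-Klassenarbeit', which does not contain the %(ou)s token that replace_ou substitutes. Error messages go to stdout, so callers using $(...) capture them as the value; send them to stderr. In replace_ou the OU name is interpolated into the sed expression unescaped and only the first occurrence is replaced, and "$1" is unquoted in both the cut test and ucr get.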
Index: ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst
===================================================================
--- ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst (Revision 74236)
+++ ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst (Arbeitskopie)
@@ -32,9 +32,12 @@
VERSION="1"
. /usr/share/univention-join/joinscripthelper.lib
+. /usr/share/ucs-school-lib/base.sh
+
joinscript_init
eval "$(univention-config-registry shell)"
+share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"
# samba 4 netlogon share
myrealm=$(echo $kerberos_realm | awk '{print tolower($0)}')
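Review bot: share_name is taken from $(ucr_names_default ...) without checking the exit status or that the value is non-empty, and ucr_names_default as added in base.sh prints its error text to stdout. A failed lookup would therefore be written into the ucsschool/userlogon/commonshares keys set further down. Abort the join script if the call fails, for example with share_name="$(...)" || die, and source base.sh only after confirming the file exists.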
@@ -43,9 +46,9 @@
fi
univention-config-registry set \
- ucsschool/userlogon/commonshares?"Marktplatz" \
- ucsschool/userlogon/commonshares/server/Marktplatz?"$hostname" \
- ucsschool/userlogon/commonshares/letter/Marktplatz?"M" \
+ ucsschool/userlogon/commonshares?"$share_name" \
+ "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \
+ "ucsschool/userlogon/commonshares/letter/$share_name?M" \
ucsschool/userlogon/classshareletter?"K" \
ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs'
Index: ucs-school-netlogon-user-logonscripts/debian/control
===================================================================
--- ucs-school-netlogon-user-logonscripts/debian/control (Revision 74236)
+++ ucs-school-netlogon-user-logonscripts/debian/control (Arbeitskopie)
@@ -13,6 +13,7 @@
univention-directory-listener,
ucs-school-netlogon,
shell-univention-lib,
+ shell-ucs-school,
univention-config
Description: ucs@school userspecific netlogon scripts
This package provides a listener-module that creates
Index: ucs-school-netlogon-user-logonscripts/debian/ucs-school-netlogon-user-logonscripts.postinst
===================================================================
--- ucs-school-netlogon-user-logonscripts/debian/ucs-school-netlogon-user-logonscripts.postinst (Revision 74236)
+++ ucs-school-netlogon-user-logonscripts/debian/ucs-school-netlogon-user-logonscripts.postinst (Arbeitskopie)
@@ -33,14 +33,16 @@
#DEBHELPER#
. /usr/share/univention-lib/all.sh
+. /usr/share/ucs-school-lib/base.sh
eval "$(ucr shell)"
+share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"
univention-config-registry set \
samba/homedirletter?I \
- ucsschool/userlogon/commonshares?"Marktplatz" \
- ucsschool/userlogon/commonshares/server/Marktplatz?"$hostname" \
- ucsschool/userlogon/commonshares/letter/Marktplatz?"M" \
+ ucsschool/userlogon/commonshares?"$share_name" \
+ "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \
+ "ucsschool/userlogon/commonshares/letter/$share_name?M" \
ucsschool/userlogon/classshareletter?"K" \
ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs' \
ucsschool/userlogon/myshares/enabled?no
Index: ucs-school-umc-computerroom/umc/python/computerroom/__init__.py
===================================================================
--- ucs-school-umc-computerroom/umc/python/computerroom/__init__.py (Revision 74236)
+++ ucs-school-umc-computerroom/umc/python/computerroom/__init__.py (Arbeitskopie)
@@ -727,7 +727,7 @@
vset[vunset[-1]] = shareMode
vextract.append('samba/othershares/hosts/deny')
vappend[vextract[-1]] = hosts
- vextract.append('samba/share/Marktplatz/hosts/deny')
+ vextract.append('samba/share/{}/hosts/deny'.format(School.get_search_base(self._italc.school).share_name_marktplatz))
vappend[vextract[-1]] = hosts
else:
vunset_now.append('samba/sharemode/room/%s' % self._italc.room)
Index: ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py
===================================================================
--- ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py (Revision 74236)
+++ ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py (Arbeitskopie)
@@ -126,7 +126,7 @@
firstname = firstname[:5] + '.'
username = firstname + lastname[:5]
- maxlength = 20 - len(ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-'))
+ maxlength = 20 - len(self.get_search_base(self.school).user_prefix_exam)
return replace_invalid_chars(username[:maxlength])
@classmethod
Index: ucs-school-umc-distribution/debian/ucs-school-umc-distribution.univention-config-registry-variables
===================================================================
--- ucs-school-umc-distribution/debian/ucs-school-umc-distribution.univention-config-registry-variables (Revision 0)
+++ ucs-school-umc-distribution/debian/ucs-school-umc-distribution.univention-config-registry-variables (Arbeitskopie)
@@ -0,0 +1,11 @@
+[ucsschool/datadistribution/datadir/recipient]
+Description[de]=Standardname für das Projektverzeichnis in das Unterrichtsmaterial verteilt wird. Standard ist "Unterrichtsmaterial".
+Description[en]=Default name for the project directory into which teaching material will be distributed. Default is "Unterrichtsmaterial".
+Type=str
+Categories=ucsschool-base
+
+[ucsschool/datadistribution/datadir/sender]
+Description[de]=Standardname für das Projektverzeichnis aus dem Unterrichtsmaterial eingesammelt wird. Standard ist "Unterrichtsmaterial".
+Description[en]=Default name for the project directory from which teaching material will be collected. Default is "Unterrichtsmaterial".
+Type=str
+Categories=ucsschool-base
Index: ucs-school-umc-distribution/umc/python/distribution/util.py
===================================================================
--- ucs-school-umc-distribution/umc/python/distribution/util.py (Revision 74236)
+++ ucs-school-umc-distribution/umc/python/distribution/util.py (Arbeitskopie)
@@ -281,7 +281,7 @@
@property
def isDistributed(self):
'''True if files have already been distributed.'''
- # distributed files can still be found in the internal property 'files',
+ # distributed files can still be found in the internal property 'files',Unterrichtsmaterial
# however, upon distribution they are removed from the cache directory;
# thus, if one of the specified files does not exist, the project has
# already been distributed
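Review bot: The only change in this hunk appends the word Unterrichtsmaterial to the end of the comment line "# distributed files can still be found in the internal property 'files',", which looks like an accidental paste. Please revert it. The two new UCR variables ucsschool/datadistribution/datadir/recipient and .../sender are registered in this patch, but no code in the visible part of util.py reads them, so either the consuming change is missing or the variables should not be advertised yet.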
Index: ucs-school-umc-exam/debian/control
===================================================================
--- ucs-school-umc-exam/debian/control (Revision 74236)
+++ ucs-school-umc-exam/debian/control (Arbeitskopie)
@@ -31,6 +31,7 @@
python-ucs-school,
ucs-school-import,
shell-univention-lib,
+ shell-ucs-school,
univention-ldap-config (>= 9.0.27-3),
Description: UMC module delivering backend services for ucs-school-umc-exam
UMC module delivering backend services for ucs-school-umc-exam
Index: ucs-school-umc-exam/hooks/ou_create_post.d/60schoolexam-master
===================================================================
--- ucs-school-umc-exam/hooks/ou_create_post.d/60schoolexam-master (Revision 74236)
+++ ucs-school-umc-exam/hooks/ou_create_post.d/60schoolexam-master (Arbeitskopie)
@@ -35,6 +35,7 @@
[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1
. /usr/share/univention-lib/ucr.sh
+. /usr/share/ucs-school-lib/base.sh
eval "$(ucr shell)"
@@ -43,20 +44,13 @@
district=",ou=${ou:0:2}"
fi
-examusers="$ucsschool_ldap_default_container_exam"
-if [ -z "$examusers" ] ; then
- examusers='examusers'
-fi
+examusers="$(ucr_names_default ucsschool/ldap/default/container/exam)"
udm container/cn create --ignore_exists \
--position "ou=${ou}${district},${ldap_base}" \
--set name="${examusers}" \
-examgroupname="$ucsschool_ldap_default_groupname_exam"
-if [ -z "$examgroupname" ] ; then
- examgroupname='OU%(ou)s-Klassenarbeit'
-fi
-ou_specific_examgroupname=$(python -c "print '$examgroupname' % {'ou': '$ou'}")
+ou_specific_examgroupname="$(ucr_names_default ucsschool/ldap/default/groupname/exam)"
udm groups/group create --ignore_exists \
--position "cn=ucsschool,cn=groups,${ldap_base}" \
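Review bot: ou_specific_examgroupname is now filled by ucr_names_default ucsschool/ldap/default/groupname/exam without the OU argument, so the %(ou)s placeholder that the removed python -c line substituted with $ou is left in the group name. Pass "$ou" as the second argument and check the return code before calling udm groups/group create. Note that the removed code interpolated $ou into a Python source string, so dropping it is a good change as long as the substitution itself is kept.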
Index: ucs-school-umc-exam/share/exam-and-room-cleanup
===================================================================
--- ucs-school-umc-exam/share/exam-and-room-cleanup (Revision 74236)
+++ ucs-school-umc-exam/share/exam-and-room-cleanup (Arbeitskopie)
@@ -39,7 +39,7 @@
import univention.config_registry
import univention.uldap
import univention.admin.uldap
-from ucsschool.lib.schoolldap import SchoolSearchBase
+from ucsschool.lib.models import ExamStudent
from univention.lib.umc_connection import UMCConnection
from univention.admin.uexceptions import noObject
from ldap.filter import escape_filter_chars
@@ -59,7 +59,6 @@
self.hostname = self.ucr.get('hostname')
self.umcp = self.get_UMCP_connection()
self.lo = self.get_LDAP_connection()
- self.exam_prefix = self.ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')
self.DIR_ROOMS = '/var/cache/ucs-school-umc-computerroom'
self.DIR_EXAMS = self.ucr.get('ucsschool/exam/cache', '/var/lib/ucs-school-umc-schoolexam')
@@ -143,9 +142,9 @@
ou_list = self.lo.search(filter='(objectClass=ucsschoolOrganizationalUnit)')
for ou_dn, ou_attrs in ou_list:
ou_name = ou_attrs['ou'][0]
- searchbase = SchoolSearchBase([ou_name], dn=ou_dn)
+ exam_prefix = ExamStudent.get_search_base(ou_name).user_prefix_exam
try:
- userlist = mod_user.lookup({}, lo, 'uid=%s*' % (escape_filter_chars(self.exam_prefix),), base=searchbase.examUsers)
+ userlist = mod_user.lookup({}, lo, 'uid=%s*' % (escape_filter_chars(exam_prefix),), base=ExamStudent.get_container(ou_name))
except noObject:
# no exam users container in this OU
continue
Index: ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py
===================================================================
--- ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py (Revision 74236)
+++ ucs-school-umc-exam/umc/python/schoolexam-master/__init__.py (Arbeitskopie)
@@ -38,6 +38,7 @@
import traceback
import re
from ldap.filter import filter_format
+from ldap import explode_dn
from univention.management.console.config import ucr
from univention.management.console.log import MODULE
@@ -60,8 +61,6 @@
def __init__(self):
SchoolBaseModule.__init__(self)
- self._examUserPrefix = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')
-
# cache objects
self._udm_modules = dict()
self._examGroup = None
@@ -103,9 +102,8 @@
def examUserContainerDN(self, ldap_admin_write, ldap_position, school):
'''lookup examUserContainerDN, create it if missing'''
if not self._examUserContainerDN:
- search_base = School.get_search_base(school)
- examUsers = search_base.examUsers
- examUserContainerName = search_base._examUserContainerName
+ examUsers = ExamStudent.get_container(school)
+ examUserContainerName = explode_dn(ExamStudent.get_search_base(school).examUsers, True)[0]
try:
ldap_admin_write.searchDn('(objectClass=organizationalRole)', examUsers, scope='base')
except univention.admin.uexceptions.noObject:
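Review bot: examUsers comes from ExamStudent.get_container(school) while examUserContainerName is derived from a second lookup, ExamStudent.get_search_base(school).examUsers, so the container DN and its name are computed by two different paths that must agree. Derive the name from the value already held, explode_dn(examUsers, True)[0], and make sure ExamStudent is imported in this module, which the visible hunks do not show.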
@@ -149,7 +147,8 @@
user_orig = user.get_udm_object(ldap_admin_write)
# uid and DN of exam_user
- exam_user_uid = "".join((self._examUserPrefix, user_orig['username']))
+ exam_user_prefix = ExamStudent.get_search_base(school).user_prefix_exam
+ exam_user_uid = "".join((exam_user_prefix, user_orig['username']))
exam_user_dn = "uid=%s,%s" % (exam_user_uid, self.examUserContainerDN(ldap_admin_write, ldap_position, user.school))
try:
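Review bot: exam_user_prefix is looked up with a bare school, while the container on the following line uses user.school, and no definition of school is visible in this hunk. Use user.school for both so the prefix and the container always refer to the same OU.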
Index: ucs-school-umc-installer/umc/python/schoolinstaller/__init__.py
===================================================================
--- ucs-school-umc-installer/umc/python/schoolinstaller/__init__.py (Revision 74236)
+++ ucs-school-umc-installer/umc/python/schoolinstaller/__init__.py (Arbeitskopie)
@@ -572,9 +572,9 @@
for islave in slaves:
islave.open()
# compare group DNs case insensitive
- if search_base.educationalDCGroup.lower() in [x.lower() for x in islave['groups']]:
+ if search_base.educational_ou_dc_group.lower() in [x.lower() for x in islave['groups']]:
values['educational_slaves'].append(islave['name'])
- if search_base.administrativeDCGroup.lower() in [x.lower() for x in islave['groups']]:
+ if search_base.administrative_ou_dc_group.lower() in [x.lower() for x in islave['groups']]:
values['administrative_slaves'].append(islave['name'])
except univention.uldap.ldap.LDAPError as err:
MODULE.warn('LDAP connection to %s failed: %s' % (master, err))
Index: ucs-test-ucsschool/90_ucsschool/07_printermoderation_check
===================================================================
--- ucs-test-ucsschool/90_ucsschool/07_printermoderation_check (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/07_printermoderation_check (Arbeitskopie)
@@ -21,6 +21,7 @@
import univention.testing.udm
import univention.testing.utils as utils
from univention.testing.ucsschool import UMCConnection
+from ucsschool.lib.models import SchoolClass
def _dir(userName):
@@ -95,10 +96,7 @@
# get the current printed jobs
def queryPrintJobs(connection, printerName, cName, school, pattern, basedn):
if cName != 'None':
- cdn = 'cn=%s,cn=klassen,cn=schueler,cn=groups,ou=%s,%s' % (
- cName,
- school,
- basedn)
+ cdn = SchoolClass(school=school, name=cName).dn
else:
cdn = cName
param = {'school': school, 'class': cdn, 'pattern': pattern}
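Review bot: With cdn now taken from SchoolClass(school=school, name=cName).dn, the basedn parameter of queryPrintJobs has no remaining use in the visible lines. Drop it from the signature and the callers if nothing further down the function reads it.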
@@ -169,12 +167,12 @@
klasse1_dn = udm.create_object(
'groups/group',
name='%s-1A' % school,
- position="cn=klassen,cn=schueler,cn=groups,%s" % oudn
+ position=SchoolClass.get_container(oudn)
)
klasse2_dn = udm.create_object(
'groups/group',
name='%s-2B' % school,
- position="cn=klassen,cn=schueler,cn=groups,%s" % oudn
+ position=SchoolClass.get_container(school)
)
tea, teadn = schoolenv.create_user(school, is_teacher=True)
stu1, stu1_dn = schoolenv.create_user(school)
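Review bot: The two added position= lines pass different things to the same method: SchoolClass.get_container(oudn) for klasse1_dn and SchoolClass.get_container(school) for klasse2_dn. Every other call in this patch passes the school name, so the oudn variant looks like a leftover from the old "%s" % oudn formatting and would build a container DN from a DN; change it to school.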
Index: ucs-test-ucsschool/90_ucsschool/101_exam_mode
===================================================================
--- ucs-test-ucsschool/90_ucsschool/101_exam_mode (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/101_exam_mode (Arbeitskopie)
@@ -13,6 +13,7 @@
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.udm
+from ucsschool.lib.models import SchoolClass
def main():
@@ -28,7 +29,7 @@
else:
edudc = ucr.get('hostname')
school, oudn = schoolenv.create_ou(name_edudc=edudc)
- klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn)
+ klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position=SchoolClass.get_container(school))
tea, teadn = schoolenv.create_user(school, is_teacher=True)
stu, studn = schoolenv.create_user(school)
Index: ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members
===================================================================
--- ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members (Arbeitskopie)
@@ -15,6 +15,7 @@
import univention.testing.ucsschool as utu
import univention.testing.udm
import univention.testing.utils as utils
+from ucsschool.lib.models import ExamStudent, SchoolClass
def main():
@@ -27,7 +28,11 @@
else:
edudc = ucr.get('hostname')
school, oudn = schoolenv.create_ou(name_edudc=edudc)
- klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn)
+ klasse_dn = udm.create_object(
+ 'groups/group',
+ name='%s-AA1' % school,
+ position=SchoolClass.get_container(school)
+ )
tea, teadn = schoolenv.create_user(school, is_teacher=True)
stu, studn = schoolenv.create_user(school)
udm.modify_object('groups/group', dn=klasse_dn, append={"users": [teadn]})
@@ -57,17 +62,17 @@
try:
expected_memberUid = ["%s$" % pc2.name, "exam-%s" % stu]
- expected_uniqueMember = ["%s" % pc2.dn, "uid=exam-%s,cn=examusers,%s" % (stu, oudn)]
+ expected_uniqueMember = [pc2.dn, ExamStudent(school=school, name=stu).dn]
# Get the current attributes values
lo = getMachineConnection()
- exam_group_dn = "cn=OU%s-Klassenarbeit,cn=ucsschool,cn=groups,%s" % (school, ucr.get('ldap/base'))
+ exam_group_dn = ExamStudent.get_search_base(school).examGroup
memberUid = lo.search(base=exam_group_dn)[0][1].get('memberUid')
uniqueMember = lo.search(base=exam_group_dn)[0][1].get('uniqueMember')
- if (set(memberUid) != set(expected_memberUid)):
+ if set(memberUid) != set(expected_memberUid):
utils.fail("Current memberUid = %r\nExpected = %r" % (memberUid, expected_memberUid))
- if (set(uniqueMember) != set(expected_uniqueMember)):
+ if set(uniqueMember) != set(expected_uniqueMember):
utils.fail("Current uniqueMember = %r\nExpected= %r" % (uniqueMember, expected_uniqueMember))
finally:
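Review bot: expected_uniqueMember is now built from ExamStudent(school=school, name=stu).dn, but the removed line expected uid=exam-%s, the prefixed uid, and expected_memberUid one line above still hard-codes "exam-%s". Unless ExamStudent adds the prefix itself when computing .dn, the new expectation names the wrong entry. With the prefix now configurable, both expectations should take it from the same source that the library change in this patch uses, get_search_base(school).user_prefix_exam.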
Index: ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings
===================================================================
--- ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings (Arbeitskopie)
@@ -17,6 +17,7 @@
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.udm
+from ucsschool.lib.models import SchoolClass
def main():
@@ -33,7 +34,7 @@
edudc = ucr.get('hostname')
school, oudn = schoolenv.create_ou(name_edudc=edudc)
- klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn)
+ klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position=SchoolClass.get_container(school))
tea, teadn = schoolenv.create_user(school, is_teacher=True)
stu, studn = schoolenv.create_user(school)
Index: ucs-test-ucsschool/90_ucsschool/102_rename_class
===================================================================
--- ucs-test-ucsschool/90_ucsschool/102_rename_class (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/102_rename_class (Arbeitskopie)
@@ -16,7 +16,9 @@
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.utils as utils
+from ucsschool.lib.models import ClassShare, SchoolClass
+
BACKUP_PATH = '/home/backup/groups'
@@ -46,17 +48,16 @@
def share_dn(class_name, school):
- with ucr_test.UCSTestConfigRegistry() as ucr:
- return 'cn=%s,cn=klassen,cn=shares,ou=%s,%s' % (class_name, school, ucr.get('ldap/base'))
+ return ClassShare(school=school, name=class_name).dn
def class_dn(class_name, school):
- with ucr_test.UCSTestConfigRegistry() as ucr:
- return 'cn=%s,cn=klassen,cn=schueler,cn=groups,ou=%s,%s' % (class_name, school, ucr.get('ldap/base'))
+ return SchoolClass(school=school, name=class_name).dn
def share_path(class_name, school):
- path = '/home/%s/groups/klassen/%s' % (school, class_name)
+ sc = SchoolClass(school=school, name=class_name)
+ path = ClassShare(school=school, name=class_name, school_group=sc).get_share_path()
if os.path.exists(path):
return path
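Review bot: share_dn builds ClassShare(school=school, name=class_name) without school_group, while share_path builds the same share with school_group=sc. If .dn does not depend on school_group, say so in a comment; otherwise construct the object the same way in both helpers. Also check whether the ucr_test import is still needed now that both with ucr_test.UCSTestConfigRegistry() blocks are gone.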
Index: ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users
===================================================================
--- ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users (Arbeitskopie)
@@ -10,6 +10,7 @@
import ldap
import univention.testing.ucr as ucr_test
import univention.testing.utils as utils
+from ucsschool.lib.models import Group
def main():
@@ -38,7 +39,7 @@
utils.fail('Attribute %s was not found in ldap object %r' % (
'univentionPolicyReference', base))
except ldap.NO_SUCH_OBJECT as e:
- if "cn=groups,%s" % (schoolenv.get_ou_base_dn(school),) in str(e):
+ if Group.get_container(school) in str(e):
print ('* Cought an expected exception: %r' % e)
else:
utils.fail('Unexpected Exception: %r' % e)
Index: ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares
===================================================================
--- ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares (Arbeitskopie)
@@ -19,7 +19,7 @@
for share in Share.get_all(lo, school.name):
share_udm = share.get_udm_object(lo)
if "nfs" in share_udm.options:
- if share.name in ["Marktplatz", "iTALC-Installation"]:
+ if share.name in [Share.get_search_base(school).share_name_marktplatz, "iTALC-Installation"]:
print("*** Ignoring //{}/{} (Bug #42514)".format(school.name, share.name))
else:
nfs_shares.append((school.name, share.name))
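Review bot: In the added condition get_search_base is passed school, but the surrounding lines use school.name (Share.get_all(lo, school.name) and the format call), so school is an object here, not a name. The other call sites in this patch pass the school name; use school.name, and hoist the lookup out of the share loop since it does not depend on share.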
Index: ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record
===================================================================
--- ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record (Arbeitskopie)
@@ -135,7 +135,7 @@
position="cn=dc,cn=server,cn=computers,%s" % (school.dn,),
domain=ucr.get('domainname'),
service=("S4 SlavePDC", _local_ucsschool_service),
- groups=("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr)
+ groups=(school.get_search_base(school.name).educational_dc_group)
)
positive_test_fqdn = ".".join((positive_test_hostname, ucr.get('domainname')))
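Review bot: groups=(...) in the added line is a parenthesised string, not a one-element tuple, because there is no trailing comma. The removed line had the same shape, so behaviour is unchanged, but either drop the parentheses or add the comma so the intent is clear; service=(..., ...) one line up is a real tuple. The same applies to the hunk at line 148.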
@@ -148,7 +148,7 @@
position="cn=dc,cn=server,cn=computers,%s" % (school.dn,),
domain=ucr.get('domainname'),
service=("S4 SlavePDC", _not_local_ucsschool_service),
- groups=("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr)
+ groups=(school.get_search_base(school.name).educational_dc_group)
)
negative_test_fqdn = ".".join((negative_test_hostname, ucr.get('domainname')))
Index: ucs-test-ucsschool/90_ucsschool/19_available_umc_modules
===================================================================
--- ucs-test-ucsschool/90_ucsschool/19_available_umc_modules (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/19_available_umc_modules (Arbeitskopie)
@@ -11,6 +11,7 @@
import univention.testing.ucsschool as utu
import univention.testing.udm as udm_test
import univention.testing.utils as utils
+from ucsschool.lib.models import School
def listUnion(firstList, secondList):
@@ -156,8 +157,9 @@
utils.wait_for_replication_and_postrun()
basedn = ucr.get('ldap/base')
- position = 'cn=admins,cn=users,ou=%s,%s' % (school, basedn)
- groups = ["cn=admins-%s,cn=ouadmins,cn=groups,%s" % (school, basedn)]
+ search_base = School.get_search_base(school)
+ position = search_base.admins
+ groups = [search_base.admin_group]
dn, schooladmin = udm.create_user(position=position, groups=groups)
groups = ["cn=Domain Admins,cn=groups,%s" % (basedn,)]
dn, domainadmin = udm.create_user(position=position, groups=groups)
Index: ucs-test-ucsschool/90_ucsschool/203_import-users_username_scheme
===================================================================
--- ucs-test-ucsschool/90_ucsschool/203_import-users_username_scheme (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/203_import-users_username_scheme (Arbeitskopie)
@@ -10,8 +10,10 @@
import copy
import pprint
+from ldap.dn import escape_dn_chars
import univention.testing.strings as uts
import univention.testing.utils as utils
+from univention.testing.ucs_samba import wait_for_drs_replication
from essential.importusers_cli_v2 import CLI_Import_v2_Tester, PyHooks
from essential.importusers import Person
@@ -85,6 +87,7 @@
fn_config = self.create_config_json(config=config)
self.save_ldap_status()
self.run_import(['-c', fn_config, '-i', fn_csv])
+ wait_for_drs_replication('cn={}'.format(escape_dn_chars(person.username)))
person.set_mode_to_delete()
self.check_new_and_removed_users(0, 1)
person.verify()
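Review bot: 'cn={}' in the added wait_for_drs_replication call has the shape of a search filter, not a DN, yet the value is escaped with escape_dn_chars. If the argument is an LDAP filter, the matching escape is ldap.filter.escape_filter_chars, or filter_format as 75_ldap_acls_staff already uses in this patch; DN escaping leaves filter metacharacters such as * and parentheses untouched. This wait is also unrelated to the naming changes in the rest of the patch and would be easier to track as its own commit.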
Index: ucs-test-ucsschool/90_ucsschool/213_import-users_modify_with_several_groups
===================================================================
--- ucs-test-ucsschool/90_ucsschool/213_import-users_modify_with_several_groups (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/213_import-users_modify_with_several_groups (Arbeitskopie)
@@ -12,6 +12,7 @@
import univention.testing.utils as utils
from essential.importusers_cli_v2 import CLI_Import_v2_Tester
from essential.importusers import Person
+from ucsschool.lib.models import SchoolClass, WorkGroup
class Test(CLI_Import_v2_Tester):
@@ -39,10 +40,10 @@
self.log.debug('*** Creating groups...')
global_group_dn, global_group_name = self.udm.create_group()
workgroup_A_dn, workgroup_A_name = self.udm.create_group(
- position='cn=schueler,cn=groups,%s' % (self.ou_A.dn,),
+ position=WorkGroup.get_container(self.ou_A.name),
name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
class_A_dn, class_A_name = self.udm.create_group(
- position='cn=klassen,cn=schueler,cn=groups,%s' % (self.ou_A.dn,),
+ position=SchoolClass.get_container(self.ou_A.name),
name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
cn_A_dn = self.udm.create_object('container/cn', position=self.ou_A.dn, name='kurs-%s' % uts.random_string())
extra_A_group1_dn, extra_A_group1_name = self.udm.create_group(position=cn_A_dn)
@@ -51,10 +52,10 @@
name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
workgroup_B_dn, workgroup_B_name = self.udm.create_group(
- position='cn=schueler,cn=groups,%s' % (self.ou_B.dn,),
+ position=WorkGroup.get_container(self.ou_B.name),
name="{}-{}".format(self.ou_B.name, uts.random_groupname()))
class_B_dn, class_B_name = self.udm.create_group(
- position='cn=klassen,cn=schueler,cn=groups,%s' % (self.ou_B.dn,),
+ position=SchoolClass.get_container(self.ou_B.name),
name="{}-{}".format(self.ou_B.name, uts.random_groupname()))
cn_B_dn = self.udm.create_object('container/cn', position=self.ou_B.dn, name='kurs-%s' % uts.random_string())
extra_B_group1_dn, extra_B_group1_name = self.udm.create_group(position=cn_B_dn)
Index: ucs-test-ucsschool/90_ucsschool/214_import-users_empty_class_column
===================================================================
--- ucs-test-ucsschool/90_ucsschool/214_import-users_empty_class_column (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/214_import-users_empty_class_column (Arbeitskopie)
@@ -13,6 +13,7 @@
import univention.testing.utils as utils
from essential.importusers_cli_v2 import CLI_Import_v2_Tester
from essential.importusers import Person
+from ucsschool.lib.models import SchoolClass
class Test(CLI_Import_v2_Tester):
@@ -45,7 +46,7 @@
def create_user_w_two_classes(record_uid, source_uid, same_ou=True):
cls1_dn, cls1_name = self.udm.create_group(
- position='cn=klassen,cn=schueler,cn=groups,%s' % (self.ou_A.dn,),
+ position=SchoolClass.get_container(self.ou_A.name),
name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
if same_ou:
dn = self.ou_A.dn
@@ -56,7 +57,7 @@
name = self.ou_B.name
school = sorted([self.ou_A.name, self.ou_B.name])[0]
cls2_dn, cls2_name = self.udm.create_group(
- position='cn=klassen,cn=schueler,cn=groups,%s' % (dn,),
+ position=SchoolClass.get_container(name),
name="{}-{}".format(name, uts.random_groupname()))
person = Person(school, role)
person.update(record_uid=record_uid, source_uid=source_uid, username=uts.random_username())
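Review bot: With position now derived from name, the dn variable assigned in the if/else above (dn = self.ou_A.dn in the previous hunk) has no remaining use in the visible lines. Remove the assignments if nothing further down reads dn.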
Index: ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference
===================================================================
--- ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference (Arbeitskopie)
@@ -11,6 +11,7 @@
from essential.computerroom import Room, Computers, add_printer, remove_printer, clean_folder, run_commands
from essential.internetrule import InternetRule
from essential.workgroup import Workgroup
+from ucsschool.lib.models import Share
from univention.testing.ucsschool import UMCConnection
from univention.testing.network import NetworkRedirector
import datetime
@@ -113,7 +114,7 @@
room1.check_behavior(room1_old_settings, room1_new_settings, tea, computers_ips[1], printer_name, white_page, global_domains, ucr)
# For DEBUG purposes
# run_commands([['ucr', 'search', room1.name], ['ucr','search', room2.name], ['atq']], {})
- clean_folder('/home/gsmitte/groups/Marktplatz/')
+ clean_folder('/home/gsmitte/groups/{}/'.format(Share.get_search_base(school).share_name_marktplatz))
clean_folder('/home/%s/lehrer/%s/' % (school, tea))
# TODO Exception Errno4
except httplib.HTTPException as e:
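Review bot: The added clean_folder path makes the share name configurable but keeps the school directory hard-coded as gsmitte, while the very next line builds its path from school. Use school for the directory as well, so the cleanup targets the OU the test actually created.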
Index: ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create
===================================================================
--- ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create (Arbeitskopie)
@@ -9,6 +9,7 @@
import subprocess
import simplejson as json
+from ucsschool.lib.models import Group
import univention.testing.ucr as ucr_test
import univention.testing.utils as utils
import univention.testing.strings as uts
@@ -47,6 +48,14 @@
return stdout, stderr, pipe.returncode
+def grp_dns(ou_name, edu=True):
+ search_base = Group.get_search_base(ou_name)
+ if edu:
+ return [search_base.educational_ou_dc_group, search_base.educational_dc_group]
+ else:
+ return [search_base.administrative_ou_dc_group, search_base.administrative_dc_group]
+
+
def main():
remove_ous = []
testschool = UCSTestSchool()
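Review bot: grp_dns takes a positional boolean, and the callers below write grp_dns(ou_name, False), which does not say what False selects. Call it with the keyword (edu=False) or split it into two named helpers. The else after the first return is redundant, and a one-line docstring stating that the OU-specific group comes first and the global group second would document the order the old tuples relied on.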
@@ -65,8 +74,7 @@
utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=False)
else:
utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)
msg = 'new random OU, new random DC'
@@ -79,8 +87,7 @@
utils.fail('Cannot create %s' % msg)
dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))
utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)
msg = 'new random OU, existing DC in other OU'
@@ -92,8 +99,7 @@
utils.fail('Cannot create %s' % msg)
# reusing first DC
utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)
msg = 'new random OU with existing DC in cn=computers,BASEDN'
@@ -114,8 +120,7 @@
utils.fail('Cannot create %s' % msg)
utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)
msg = 'new random OU, new random DC and then try to add a second new random DC'
@@ -128,8 +133,7 @@
utils.fail('Cannot create %s' % msg)
dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))
utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)
dc_name = uts.random_string()
@@ -138,8 +142,7 @@
utils.fail('Cannot create %s' % msg)
dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))
utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)
msg = 'new random OU, new random administrative DC'
@@ -154,11 +157,9 @@
dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))
dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))
utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name, False):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)
msg = 'new random OU, new random educational DC and then try to add a second new random administrative DC'
@@ -171,8 +172,7 @@
utils.fail('Cannot create %s' % msg)
dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))
utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)
dc_name_administrative = uts.random_string()
@@ -181,11 +181,9 @@
utils.fail('Cannot create %s' % msg)
dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))
utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name, False):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)
msg = 'new random OU with existing administrative DC in cn=computers,BASEDN'
@@ -208,11 +206,9 @@
dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))
utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)
- for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ):
- grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}
+ for grp_dn in grp_dns(ou_name, False):
utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)
finally:
Index: ucs-test-ucsschool/90_ucsschool/41_create_marktplatz_share
===================================================================
--- ucs-test-ucsschool/90_ucsschool/41_create_marktplatz_share (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/41_create_marktplatz_share (Arbeitskopie)
@@ -1,14 +1,15 @@
#!/usr/share/ucs-test/runner python
## -*- coding: utf-8 -*-
-## desc: computerroom module settings checks
+## desc: check marktplatz creation
## roles: [domaincontroller_master]
## tags: [apptest,ucsschool]
## exposure: dangerous
## packages: [ucs-school-umc-computerroom]
-## bugs: [40785]
+## bugs: [40785, 41231]
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
+import univention.testing.strings as uts
from univention.testing import utils
from univention.config_registry import handler_set, handler_unset
@@ -15,16 +16,28 @@
def main():
with utu.UCSTestSchool() as schoolenv, ucr_test.UCSTestConfigRegistry() as ucr:
- for should_exist, variable in [(False, None), (True, 'yes'), (False, 'no')]:
+ for should_exist, variable, name in [(False, None, ''), (True, 'yes', 'Marktplatz'), (True, 'yes', uts.random_name()), (False, 'no', '')]:
if variable is None:
handler_unset(['ucsschool/import/generate/share/marktplatz'])
else:
+ print '### Setting ucsschool/import/generate/share/marktplatz=%s.' % variable
handler_set(['ucsschool/import/generate/share/marktplatz=%s' % (variable,)])
print '### Creating school. Expecting Marktplatz to exists = %r' % (should_exist,)
+ if should_exist:
+ if name:
+ print '### Setting share name to %r.' % name
+ handler_set(['ucsschool/import/generate/share/marktplatz/name={}'.format(name)])
+ else:
+ print '### Not setting share name, should be "Marktplatz".'
+ handler_unset(['ucsschool/import/generate/share/marktplatz/name'])
+
school, oudn = schoolenv.create_ou(name_edudc=ucr.get('hostname'))
utils.wait_for_replication()
- utils.verify_ldap_object('cn=Marktplatz,cn=shares,%s' % (oudn,), strict=True, should_exist=should_exist)
+ utils.verify_ldap_object(
+ 'cn={},cn=shares,{}'.format(name or 'Marktplatz', oudn),
+ strict=True,
+ should_exist=should_exist)
if __name__ == '__main__':
main()
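Review bot: The else branch that unsets ucsschool/import/generate/share/marktplatz/name is never reached: it needs should_exist true with an empty name, and no tuple in the list has that combination, because the default case is written as (True, 'yes', 'Marktplatz'). Change that tuple to (True, 'yes', '') so the default name is actually exercised. The name variable is also left at the random value for the final (False, 'no', '') run, where the check only looks for cn=Marktplatz; unset it in that case too, or verify absence under the configured name. The random name goes into the DN unescaped as well.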
Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_admins
===================================================================
--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_admins (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_admins (Arbeitskopie)
@@ -12,6 +12,7 @@
from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
+from ucsschool.lib.models import ClassShare, Share
def main():
@@ -52,11 +53,11 @@
acl.assert_teacher_group('write')
acl.assert_student_group('write')
- shares_dn = 'cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school)
+ shares_dn = Share.get_container(school)
acl.assert_shares(shares_dn, 'write')
- shares_dn = 'cn=Marktplatz,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school)
+ shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
acl.assert_shares(shares_dn, 'write')
- shares_dn = 'cn=klassen,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school)
+ shares_dn = ClassShare.get_container(school)
acl.assert_shares(shares_dn, 'read')
acl.assert_temps('write')
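Review bot: The expression Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn added here is repeated verbatim in 75_ldap_acls_staff, 75_ldap_acls_teacher_and_staff and 75_ldap_acls_teachers. Put it behind one helper in the shared test code so the ACL tests cannot end up checking different DNs after a later change. Reusing shares_dn for three different DNs in a row also makes a failing assert_shares harder to attribute; distinct names would help.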
Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff
===================================================================
--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff (Arbeitskopie)
@@ -10,6 +10,7 @@
from essential.acl import Acl
from essential.computerroom import Computers
from essential.schoolroom import ComputerRoom
+from ucsschool.lib.models import Share
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
@@ -50,7 +51,7 @@
share_dn = open_ldap_co.searchDn(filter=filter_format('(&(objectClass=univentionShare)(cn=%s))', (class_name,)))[0]
acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')
acl.assert_share_object_access(share_dn, 'write', 'DENIED')
- share_dn = 'cn=Marktplatz,cn=shares,%s' % (oudn,)
+ share_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')
acl.assert_share_object_access(share_dn, 'write', 'DENIED')
Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teacher_and_staff
===================================================================
--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teacher_and_staff (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teacher_and_staff (Arbeitskopie)
@@ -12,6 +12,7 @@
from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
+from ucsschool.lib.models import ClassShare, Share
def main():
@@ -40,11 +41,11 @@
acl.assert_teacher_group('write')
acl.assert_student_group('write')
- shares_dn = 'cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school)
+ shares_dn = Share.get_container(school)
acl.assert_shares(shares_dn, 'write')
- shares_dn = 'cn=Marktplatz,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school)
+ shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
acl.assert_shares(shares_dn, 'write')
- shares_dn = 'cn=klassen,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school)
+ shares_dn = ClassShare.get_container(school)
acl.assert_shares(shares_dn, 'read')
acl.assert_temps('write')
Index: ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teachers
===================================================================
--- ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teachers (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/75_ldap_acls_teachers (Arbeitskopie)
@@ -12,6 +12,7 @@
from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
+from ucsschool.lib.models import ClassShare, Share
def main():
@@ -41,11 +42,11 @@
acl.assert_teacher_group('write')
- shares_dn = 'cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school)
+ shares_dn = Share.get_container(school)
acl.assert_shares(shares_dn, 'write')
- shares_dn = 'cn=Marktplatz,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school)
+ shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
acl.assert_shares(shares_dn, 'write')
- shares_dn = 'cn=klassen,cn=shares,%s' % utu.UCSTestSchool().get_ou_base_dn(school)
+ shares_dn = ClassShare.get_container(school)
acl.assert_shares(shares_dn, 'read')
acl.assert_temps('write')
Index: ucs-test-ucsschool/90_ucsschool/76_ldap_acls
===================================================================
--- ucs-test-ucsschool/90_ucsschool/76_ldap_acls (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/76_ldap_acls (Arbeitskopie)
@@ -14,6 +14,7 @@
from univention.uldap import getMachineConnection
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
+from ucsschool.lib.models import Group, Policy
class FailAcl(Exception):
@@ -370,15 +371,18 @@
room = ComputerRoom(school, host_members=computers_dns)
room.add()
- room_container_dn = 'cn=raeume,cn=groups,%s' % school_dn
- shares_dn = 'cn=shares,%s' % school_dn
+ room_container_dn = ComputerRoom.get_container(school)
- teacher_group2_dn = 'cn=lehrer-%s,cn=groups,%s' % (school, school_dn)
- student_group2_dn = 'cn=schueler-%s,cn=groups,%s' % (school, school_dn)
+ # unused?
+ #
+ # shares_dn = search_base.shares
+ #
+ # teacher_group2_dn = search_base.teachers_ou_group
+ # student_group2_dn = search_base.students_ou_group
+ #
+ # teacher_group_dn = search_base.teachers_group
+ # student_group_dn = search_base.students_group
- teacher_group_dn = 'cn=lehrer,cn=groups,%s' % school_dn
- student_group_dn = 'cn=schueler,cn=groups,%s' % school_dn
-
gid_temp_dn = 'cn=gid,cn=temporary,cn=univention,%s' % base_dn
gidNumber_temp_dn = 'cn=gidNumber,cn=temporary,cn=univention,%s' % base_dn
sid_temp_dn = 'cn=sid,cn=temporary,cn=univention,%s' % base_dn
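Review bot: The `# unused?` block replaces four live assignments with commented-out code that refers to a `search_base` name not defined anywhere in the lines shown. Decide the question before committing: if `shares_dn`, `teacher_group_dn`, `student_group_dn` and the two `*_group2_dn` variables are unused further down, delete them outright; if any ACL check still reads them, this hunk turns that into a NameError at test time. Either way, the commented lines should not be merged.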
@@ -386,9 +390,9 @@
mac_temp_dn = 'cn=mac,cn=temporary,cn=univention,%s' % base_dn
global_univention_dn = 'cn=univention,%s' % base_dn
- global_policies_dn = 'cn=policies,%s' % base_dn
+ global_policies_dn = Policy.get_container(school)
global_dns_dn = 'cn=dns,%s' % base_dn
- global_groups_dn = 'cn=groups,%s' % base_dn
+ global_groups_dn = Group.get_container(school)
dhcp_dn = 'cn=%s,cn=%s,cn=dhcp,%s' % (computers_hostnames[0], school, base_dn)
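Review bot: `global_policies_dn` and `global_groups_dn` were built from `base_dn`, but the replacements call `Policy.get_container(school)` and `Group.get_container(school)`. Everywhere else in this patch `get_container(school)` stands in for a DN under the school OU (`cn=shares,<ou base>`, `cn=raeume,cn=groups,<school_dn>`), so these two variables would stop pointing at the global containers while keeping the `global_` name. The ACL checks on the global policy and group containers would then run against school-level objects. Keep the `base_dn` form here unless the model offers an explicitly global lookup.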
Index: ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.61ucsschool_presettings
===================================================================
--- ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.61ucsschool_presettings (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.61ucsschool_presettings (Arbeitskopie)
@@ -1,154 +1,184 @@
+@!@
# -*- coding: utf-8 -*-
+import re
+
+def replace_ucr_variables(template):
+ variable_token = re.compile('@[$]@')
+
+ dir_ucsschool = {
+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
+ 'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
+ }
+
+ while 1:
+ i = variable_token.finditer(template)
+ try:
+ start = i.next()
+ end = i.next()
+ name = template[start.end():end.start()]
+
+ template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():]
+ except StopIteration:
+ break
+
+ return template
+
+
+aclset += """
+# -*- coding: utf-8 -*-
+
# Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren
access to filter="(objectClass=sambaDomain)"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
# Slave-Controller und Memberserver duerfen ausschliesslich den univention-Container replizieren
access to dn="cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# Slave-Controller may replicate license container
access to dn.subtree="cn=license,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# Slave-Controller duerfen custom attributes-Container und dessen Inhalt replizieren
access to dn.subtree="cn=custom attributes,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# Slave-Controller benoetigen den Console-Container fuer die Berechtigungen an der Lehrerconsole
access to dn.subtree="cn=console,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# Slave-Controller benoetigen den UMC-Container fuer die Berechtigungen an der Lehrerconsole
access to dn.subtree="cn=UMC,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# grant write access to domaincontroller slave/member server for certain univention app center settings
access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)"
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
# grant read access to domaincontroller slave/member server for all other univention app center settings
access to dn.subtree="cn=apps,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
access to dn.subtree="cn=udm_module,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
access to dn.subtree="cn=udm_hook,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
access to dn.subtree="cn=udm_syntax,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
access to dn.subtree="cn=ldapacl,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
access to dn.subtree="cn=ldapschema,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# Slave-Controller und Member-Server benoetigen idmap-Container
access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
# Slave-Controller und Member-Server benoetigen ID-Mapping
access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
# Slave-Controller und Memberserver duerfen samba-Container und dessen Inhalt replizieren
access to dn.subtree="cn=samba,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# Slave-Controller needs the builtin groups
access to dn.subtree="cn=Builtin,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# sonst duerfen sie nichts aus cn=univention,BASEDN replizieren
access to dn.subtree="cn=univention,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * none break
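Review bot: The hunk header says it covers the whole file (`+1,184`), yet the `aclset += """` opened near the top is never closed in the lines shown, there is no closing `@!@`, and `replace_ucr_variables()` is defined but never called. As it stands the Python section would not parse, and even with the string terminated the `@$@ALL_ADM_DC@$@` style placeholders would reach the ACL output unsubstituted. Compare with the 65ucsschool file, where the block ends with `"""`. Separately, `dir_ucsschool.get(name,'')` turns an unknown token into an empty string, which yields `cn=,cn=ucsschool,...`. For the final `none` rules on `cn=univention` that means the deny clause matches no group at all, so an unknown name should raise instead of being dropped silently.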
Index: ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.65ucsschool
===================================================================
--- ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.65ucsschool (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/78_ldap_acls_dump.oldconfig.65ucsschool (Arbeitskopie)
@@ -13,18 +13,21 @@
def replace_ucr_variables(template):
variable_token = re.compile('@[$]@')
- dir_ucsschool = { }
- dir_ucsschool[ 'DISTRICT' ] = ''
- if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ):
- dir_ucsschool[ 'DISTRICT' ] = 'ou=[^,]+,'
- dir_ucsschool[ 'PUPILS' ] = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
- dir_ucsschool[ 'TEACHERS' ] = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer')
- dir_ucsschool[ 'STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')
- dir_ucsschool[ 'TEACHERS-STAFF' ] = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
- dir_ucsschool[ 'ADMINS' ] = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins')
- dir_ucsschool[ 'GRPADMINS' ] = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
+ dir_ucsschool = {
+ 'DISTRICT': 'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '',
+ 'PUPILS': configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'),
+ 'TEACHERS': configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'),
+ 'STAFF': configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'),
+ 'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'),
+ 'ADMINS': configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'),
+ 'GRPADMINS': configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'),
+ 'ROOMS': configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'),
+ 'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
+ 'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
+ 'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
+ 'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
+ }
-
while 1:
i = variable_token.finditer(template)
try:
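Review bot: The new `ALL_ADM_DC`, `ALL_ADM_MEMBER`, `ALL_EDU_DC` and `ALL_EDU_MEMBER` values are taken from UCR and pasted verbatim into quoted DNs of the form `cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,...`. A value containing a comma, a double quote or a newline changes the DN or the structure of the ACL file rather than just the group name. Validate each value against a conservative pattern before building `dir_ucsschool` and fail the template if it does not match. The same four keys and defaults are also repeated in 78_ldap_acls_dump.oldconfig.61ucsschool_presettings; if the two copies drift apart, the two ACL fragments will name different groups.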
@@ -39,15 +42,14 @@
return template
-
-if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ):
+if configRegistry.is_true('ucsschool/ldap/district/enable','no'):
aclset += """
# DCs und Memberserver erhalten Lesezugriff auf das OU-Objekt selbst (im DISTRICT-Mode notwendig)
access to dn.regex="^ou=([^,]+),@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
"""
@@ -61,28 +63,28 @@
# Slave controllers and memberservers require write access to virtual machine manager objects
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
by * read break
access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
by * read break
access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
by * read break
@@ -89,18 +91,18 @@
# Slave controller and memberservers may replicate the Virtual Machine Manager container
access to dn.subtree="cn=Virtual Machine Manager,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * read break
# Slave controller and memberservers may replicate the mail container
access to dn.subtree="cn=mail,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * read break
access to dn.regex="^@%@ldap/base@%@$$"
@@ -109,34 +111,34 @@
# DC Slaves need write access to the members of the group Domain Computers
access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
# Slave-Controller und Memberserver duerfen globale Container computers, shares, dns, dhcp, kerberos und policies sowie Benutzer lesen
access to dn.regex="(^(.+,)?cn=(groups|dns|dhcp|policies|computers|kerberos|shares),|^(uid=[^,]+,|)cn=users,|^)@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# Slave DCs can read MS system container
access to dn.base="cn=system,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects
access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
# Slave DCs can read and write policy containers for MS WMI filter objects
access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern
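Review bot: The placeholders `@$@ALL_ADM_DC@$@`, `@$@ALL_EDU_DC@$@`, `@$@ALL_ADM_MEMBER@$@` and `@$@ALL_EDU_MEMBER@$@` on the `+` lines are not documented anywhere in the visible template, yet the rules in this hunk grant write access to the `uniqueMember`/`memberUid` attributes of `cn=Domain Computers` and to the GPO and WMI policy containers. Suggest a comment block in the template that names the setting each placeholder is filled from and its default (the removed lines show `DC-Verwaltungsnetz`, `DC-Edukativnetz`, `Member-Verwaltungsnetz` and `Member-Edukativnetz`), so someone auditing the ACLs can tell which groups end up with write access.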
@@ -145,11 +147,11 @@
by * none break
# Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten
-access to dn.regex="^cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
+access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write
by * none break
-access to dn.regex="^cn=([^,]+),cn=raeume,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
+access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write
by * none break
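Review bot: `@$@ROOMS@$@` is inserted into a `dn.regex` pattern on both `+access to` lines without regex escaping. With the old literal `raeume` this did not matter, but a configured container name containing `.`, `(`, `|` or similar characters now changes what the pattern matches, and with it which entries teachers and OU admins may write. Suggest escaping the value for use inside a regex where the placeholder is filled, or restricting the allowed characters for the container name, and covering a non-default name in the ACL tests.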
@@ -224,40 +226,40 @@
# domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers
access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * none break
# domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users
access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * none break
# domaincontroller slaves and memberservers may replicate the OU "domain controllers"
access to dn.subtree="ou=domain controllers,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * read break
# Memberserver duerfen bestimmte Attribute lesen
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# Slave-Controller duerfen Eintraege Ihrer ou lesen und schreiben (Passwortaenderungen etc.)
# Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember.expand="cn=OU$2-Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" read
by dn.regex="^uid=(.+,)?cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" none break
by dn.regex="^uid=(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" none
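Review bot: The `none` rules on the `+` lines under `cn=(@$@TEACHERS@$@|@$@PUPILS@$@)` and `cn=@$@STAFF@$@` only deny if the rendered group name matches a group that exists in LDAP and lists the replicating host as `uniqueMember`. If the configured name and the real group ever differ, the `by group/...` clause simply does not match, `by * none break` hands evaluation to the following rules, and the separation between the administrative and educational network is lost without any error. Suggest checking at deployment time that all four groups exist under `cn=ucsschool,cn=groups`, and adding a test that runs the ACL checks with non-default names. On the `.expand` lines (`cn=OU$2-@$@ALL_ADM_DC@$@`), also make sure a `$` in the configured name cannot be read as a submatch reference.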
@@ -265,21 +267,21 @@
# Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!)
access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
by * none break
# Slave-Controller duerfen nagios-Container und Inhalt replizieren
access to dn.subtree="cn=nagios,@%@ldap/base@%@"
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
by * none break
# Schüler, Lehrer, Mitarbeiter, Admins duerfen globale Container univention, policies, groups und dns lesen
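Review bot: `cn=klassen` stays hard-coded in both `access to dn.regex=` context lines of this hunk, while the room container became `@$@ROOMS@$@` earlier in the template and the importou.py test in this patch reads the class container name from `search_base.classes`. If the class container is meant to be configurable too, these two rules need a placeholder as well, otherwise the DC groups lose write access to class groups once the container is renamed. If it is deliberately fixed, a short remark in the comment above the rule would prevent the question coming up again.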
@@ -290,10 +292,10 @@
# Slave-Controller und normale Lehrer duerfen sonst nichts lesen, Schueler sowieso nicht
access to *
- by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
- by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
+ by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
by * none break
"""
Index: ucs-test-ucsschool/90_ucsschool/80_move_users_into_another_ou
===================================================================
--- ucs-test-ucsschool/90_ucsschool/80_move_users_into_another_ou (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/80_move_users_into_another_ou (Arbeitskopie)
@@ -5,6 +5,7 @@
## bugs: [40870, 41601, 41609, 41620]
## exposure: dangerous
+import os.path
from univention.testing.ucsschool import UCSTestSchool
from univention.testing.ucr import UCSTestConfigRegistry
from univention.testing.udm import UCSTestUDM
@@ -31,35 +32,32 @@
# TODO: change school and uid at once!
# TODO: user without classes
- base = ucr['ldap/base']
- domain_users_school = 'cn=Domain Users %s,cn=groups,ou=%s,%s' % (b, b, base)
- teacher_group = 'cn=lehrer-%s,cn=groups,ou=%s,%s' % (b, b, base)
- staff_group = 'cn=mitarbeiter-%s,cn=groups,ou=%s,%s' % (b, b, base)
- students_group = 'cn=schueler-%s,cn=groups,ou=%s,%s' % (b, b, base)
+ search_base = User.get_search_base(b)
+ domain_users_school = 'cn=Domain Users {},{}'.format(b, search_base.groups)
+ teacher_group = search_base.teachers_ou_group
+ staff_group = search_base.staff_ou_group
+ students_group = search_base.students_ou_group
grp1_name = uts.random_username()
grp2_name = uts.random_username()
two_klasses = '{0}-{1},{0}-{2}'.format(a, grp1_name, grp2_name)
- workgroup_dn, workgroup_name = udm.create_group(position='cn=schueler,cn=groups,%s' % (a_dn,))
+ workgroup_dn, workgroup_name = udm.create_group(position=WorkGroup.get_container(a))
global_group_dn, global_group_name = udm.create_group()
+ search_base = User.get_search_base(a)
users = [
- (env.create_user(a, classes=two_klasses), 'schueler',
- [students_group, domain_users_school, global_group_dn]),
- (env.create_user(a, is_teacher=True, classes=two_klasses), 'lehrer',
- [domain_users_school, teacher_group, global_group_dn]),
- (env.create_user(a, is_staff=True), 'mitarbeiter',
- [domain_users_school, staff_group, global_group_dn]),
- (env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), 'lehrer',
- [domain_users_school, teacher_group, staff_group, global_group_dn]),
+ (env.create_user(a, classes=two_klasses), [students_group, domain_users_school, global_group_dn]),
+ (env.create_user(a, is_teacher=True, classes=two_klasses), [domain_users_school, teacher_group, global_group_dn]),
+ (env.create_user(a, is_staff=True), [domain_users_school, staff_group, global_group_dn]),
+ (env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), [domain_users_school, teacher_group, staff_group, global_group_dn]),
]
lo = env.open_ldap_connection()
workgroup = WorkGroup.from_dn(workgroup_dn, a, lo)
- users_dns = [dn for (user, dn,), roleshare_path, groups in users]
+ users_dns = [dn for (user, dn,), groups in users]
udm.modify_object('groups/group', dn=global_group_dn, append={'users': users_dns})
workgroup.users.extend(users_dns)
workgroup.modify(lo)
- for (user, dn,), roleshare_path, groups in users:
+ for (user, dn,), groups in users:
print '################################'
print '#### moving user at', dn, 'to', b
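Review bot: `search_base` is assigned twice in this hunk, first with `User.get_search_base(b)` and then, after the group variables are built, with `User.get_search_base(a)`, and the second value is not used in any of the visible lines. Reusing one name for two schools makes it easy to pick up the wrong school's DNs in a later edit. Suggest `search_base_b` for the first assignment and either dropping the second or naming it `search_base_a`.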
@@ -67,7 +65,7 @@
user = User.from_dn(dn, a, lo)
attrs = {
- 'homeDirectory': ['/home/%s/%s/%s' % (b, roleshare_path, user.name)],
+ 'homeDirectory': [os.path.join('/home/', user.get_roleshare_home_subdir(), user.name)],
'ucsschoolSchool': [b],
'departmentNumber': [b],
# TODO: add sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath
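Review bot: The expected `homeDirectory` on the `+` line is now computed by `user.get_roleshare_home_subdir()`, i.e. by the code under test, on an object loaded with `User.from_dn(dn, a, lo)`. The removed line built the expectation independently from `b` and the role name, so it could catch a wrong path; the new one cannot, and it is not visible here whether the object already reflects school `b` at this point. Suggest building the expected path from `b` and the configured role share name instead. Note also that `os.path.join('/home/', x, ...)` discards `/home/` if `x` is absolute.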
Index: ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo
===================================================================
--- ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo (Arbeitskopie)
@@ -25,7 +25,7 @@
from datetime import datetime, timedelta
from ucsschool.lib.schoolldap import SchoolSearchBase
-from ucsschool.lib.models import School
+from ucsschool.lib.models import School, SchoolClass
from essential.computerroom import Room
from essential.exam import Exam
@@ -500,7 +500,7 @@
klasse_dn = udm.create_object(
'groups/group',
name=schoolclassname,
- position="cn=klassen,cn=schueler,cn=groups,%s" % school_dn
+ position=SchoolClass.get_container(school)
)
student_pwd = "univention"
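Review bot: The replaced line built the position from `school_dn`, the new one passes `school` to `SchoolClass.get_container(...)`. Please confirm that `school` at this point holds the school name and not a DN or a `School` object; nothing in the visible context shows its type, and a wrong argument here would create the class group in an unexpected container rather than fail.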
Index: ucs-test-ucsschool/90_ucsschool/essential/acl.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/acl.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/acl.py (Arbeitskopie)
@@ -13,6 +13,7 @@
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.strings as uts
+from ucsschool.lib.models import ComputerRoom, School
class FailAcl(Exception):
@@ -122,6 +123,7 @@
self.access_allowance = access_allowance
self.ucr = ucr_test.UCSTestConfigRegistry()
self.ucr.load()
+ self.search_base = School.get_search_base(self.school)
def assert_acl(self, target_dn, access, attrs, access_allowance=None):
"""Test ACL rule:\n
@@ -202,7 +204,7 @@
def assert_room(self, room_dn, access):
"""Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten
"""
- target_dn = 'cn=raeume,cn=groups,%s' % utu.UCSTestSchool().get_ou_base_dn(self.school)
+ target_dn = ComputerRoom.get_container(self.school)
attrs = [
'children',
'entry',
@@ -229,7 +231,7 @@
"""Lehrer, Mitarbeiter und Mitglieder der lokalen Administratoren
duerfen Arbeitsgruppen anlegen und aendern
"""
- group_dn = 'cn=lehrer,cn=groups,%s' % utu.UCSTestSchool().get_ou_base_dn(self.school)
+ group_dn = self.search_base.teachers_group
attrs = [
'children',
'entry',
@@ -259,7 +261,7 @@
self.assert_acl(group_dn, access, attrs)
def assert_student_group(self, access):
- group_dn = 'cn=schueler,cn=groups,%s' % utu.UCSTestSchool().get_ou_base_dn(self.school)
+ group_dn = self.search_base.students_group
attrs = [
'children',
'entry',
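Review bot: In `assert_student_group` the old DN `cn=schueler,cn=groups,<ou>` is replaced by `self.search_base.students_group`, but importou.py in this same patch replaces the equivalent DN (`'cn=%s,cn=groups,%s' % (cn_pupils, ou_base)`) with `search_base.workgroups`. Either the two attributes resolve to the same DN, in which case one of them should be used consistently, or one of the two tests now checks a different container than before. Worth confirming which, since this test is what verifies the ACL on that container.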
Index: ucs-test-ucsschool/90_ucsschool/essential/computerroom.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/computerroom.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/computerroom.py (Arbeitskopie)
@@ -7,6 +7,8 @@
from ucsschool.lib.models import IPComputer as IPComputerLib
from ucsschool.lib.models import MacComputer as MacComputerLib
from ucsschool.lib.models import WindowsComputer as WindowsComputerLib
+from ucsschool.lib.models import School as SchoolLib
+from ucsschool.lib.models import ComputerRoom as ComputerRoomLib
from univention.testing.ucsschool import UMCConnection
import copy
import datetime
@@ -92,10 +94,10 @@
def __init__(self, school, name=None, dn=None, description=None, host_members=None):
self.school = school
self.name = name if name else uts.random_name()
- self.dn = dn if dn else 'cn=%s-%s,cn=raeume,cn=groups,%s' % (
- school, self.name, utu.UCSTestSchool().get_ou_base_dn(school))
+ self.dn = dn if dn else ComputerRoomLib(school=school, name='{}-{}'.format(school, self.name)).dn
self.description = description if description else uts.random_name()
self.host_members = host_members or []
+ self.marktplatz_name = SchoolLib.get_search_base(self.school).share_name_marktplatz
def get_room_user(self, umc_connection):
print 'Executing command: computerroom/rooms in school:', self.school
@@ -286,35 +288,37 @@
utils.fail('Write to home directory result (%r), expected (%r)' % (write[0], expected_result))
def check_marktplatz_read(self, user, ip_address, passwd='univention', expected_result=0):
- print '.... Check Marktplatz read ....'
- cmd_read_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'dir']
+ print '.... Check Marktplatz ({}) read ....'.format(self.marktplatz_name)
+ cmd_read_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'dir']
read = run_commands(
[cmd_read_marktplatz],
{
'ip': ip_address,
- 'user': '{0}%{1}'.format(user, passwd)
+ 'user': '{0}%{1}'.format(user, passwd),
+ 'marktplatz_name': self.marktplatz_name
}
)
if read[0] != expected_result:
- print 'FAIL .. Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result)
- utils.fail('Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result))
+ print 'FAIL .. Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result)
+ utils.fail('Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result))
def check_marktplatz_write(self, user, ip_address, passwd='univention', expected_result=0):
- print '.... Check Marktplatz write ....'
+ print '.... Check Marktplatz ({}) write ....'.format(self.marktplatz_name)
f = tempfile.NamedTemporaryFile(dir='/tmp')
- cmd_write_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'put %(filename)s']
+ cmd_write_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'put %(filename)s']
write = run_commands(
[cmd_write_marktplatz],
{
'ip': ip_address,
'user': '{0}%{1}'.format(user, passwd),
- 'filename': '%s %s' % (f.name, f.name.split('/')[-1])
+ 'filename': '%s %s' % (f.name, f.name.split('/')[-1]),
+ 'marktplatz_name': self.marktplatz_name
}
)
f.close()
if write[0] != expected_result:
- print 'FAIL .. Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result)
- utils.fail('Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result))
+ print 'FAIL .. Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result)
+ utils.fail('Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result))
def check_share_access(self, user, ip_address, expected_home_result, expected_marktplatz_result):
self.check_home_read(user, ip_address, expected_result=expected_home_result)
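Review bot: In both `check_marktplatz_read` and `check_marktplatz_write` the failure text is formatted twice, once for `print` and once for `utils.fail`, and the new lines mix `.format()` (status line) with `%` formatting (failure lines). Suggest building the message once into a local variable and passing it to both calls, using one formatting style throughout, so the share name cannot get out of sync between the two outputs.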
Index: ucs-test-ucsschool/90_ucsschool/essential/distribution.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/distribution.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/distribution.py (Arbeitskopie)
@@ -13,6 +13,7 @@
import univention.testing.strings as uts
import univention.testing.ucr as ucr_test
import univention.testing.utils as utils
+from ucsschool.lib.models import School
class Distribution(object):
@@ -517,14 +518,39 @@
path = ''
self.ucr.load()
roleshare = self.ucr.get('ucsschool/import/roleshare')
+ collect_from = self.ucr.get('ucsschool/datadistribution/datadir/sender', 'Unterrichtsmaterial')
+ distribute_to = self.ucr.get('ucsschool/datadistribution/datadir/recipient', 'Unterrichtsmaterial')
+ search_base = School.get_search_base(self.school)
if purpose == 'distribute':
if roleshare == 'no' or roleshare is False:
- path = '/home/{0}/Unterrichtsmaterial/{1}/'.format(user, self.name)
+ path = '/home/{}/{}/{}/'.format(
+ user,
+ distribute_to,
+ self.name
+ )
else:
- path = '/home/{0}/schueler/{1}/Unterrichtsmaterial/{2}'.format(self.school, user, self.name)
+ path = '/home/{}/{}/{}/{}/{}'.format(
+ self.school,
+ search_base.share_name_pupils,
+ user,
+ distribute_to,
+ self.name
+ )
elif purpose == 'collect':
if roleshare == 'no' or roleshare is False:
- path = '/home/{0}/Unterrichtsmaterial/{1}/{2}/'.format(self.sender, self.name, user)
+ path = '/home/{}/{}/{}/{}/'.format(
+ self.sender,
+ collect_from,
+ self.name,
+ user
+ )
else:
- path = '/home/{0}/lehrer/{1}/Unterrichtsmaterial/{2}/{3}'.format(self.school, self.sender, self.name, user)
+ path = '/home/{}/{}/{}/{}/{}/{}'.format(
+ self.school,
+ search_base.share_name_teachers,
+ self.sender,
+ collect_from,
+ self.name,
+ user
+ )
return path
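Review bot: The four paths are still assembled with `'/home/{}/{}/...'.format(...)`, now from two UCR values and two `search_base` attributes, and the trailing slash remains inconsistent (present in both `roleshare == 'no'` branches, absent in the others). Since the components are no longer fixed literals, suggest `os.path.join`, as 80_move_users_into_another_ou does in this patch, and deciding once whether the result ends with a slash. `search_base` is also only needed in the role share branches and could be looked up there.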
Index: ucs-test-ucsschool/90_ucsschool/essential/exam.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/exam.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/exam.py (Arbeitskopie)
@@ -16,6 +16,7 @@
import univention.testing.strings as uts
import univention.testing.ucr as ucr_test
import univention.testing.utils as utils
+from ucsschool.lib.models import School
class StartFail(Exception):
@@ -121,6 +122,7 @@
self.shareMode = shareMode
self.internetRule = internetRule
self.customRule = customRule
+ self.search_base = School.get_search_base(self.school)
if umcConnection:
self.umcConnection = umcConnection
@@ -269,7 +271,7 @@
def check_collect(self):
account = utils.UCSTestDomainAdminCredentials()
admin = account.username
- path = '/home/%s/Klassenarbeiten/%s' % (admin, self.name)
+ path = '/home/%s/%s/%s' % (admin, self.search_base.share_name_exams, self.name)
path_files = get_dir_files(path)
if not set(self.files).issubset(set(path_files)):
utils.fail('%r were not collected to %r' % (self.files, path))
@@ -281,7 +283,7 @@
utils.fail('%r were not uploaded to %r' % (self.files, path))
def check_distribute(self):
- path = '/home/%s/schueler' % self.school
+ path = '/home/%s/%s' % (self.school, self.search_base.share_name_pupils)
path_files = get_dir_files(path)
if not set(self.files).issubset(set(path_files)):
utils.fail('%r were not uploaded to %r' % (self.files, path))
Index: ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py (Arbeitskopie)
@@ -145,11 +145,11 @@
print 'verify computer: %s' % self.name
utils.verify_ldap_object(self.dn, expected_attr=self.expected_attributes(), should_exist=True)
-
- verwaltung_member_group1 = 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base'))
- verwaltung_member_group2 = 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base'))
- edukativ_member_group1 = 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base'))
- edukativ_member_group2 = 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base'))
+ search_base = SchoolLib.get_search_base(self.school)
+ verwaltung_member_group1 = search_base.administrative_ou_member_group
+ verwaltung_member_group2 = search_base.administrative_member_group
+ edukativ_member_group1 = search_base.educational_ou_member_group
+ edukativ_member_group2 = search_base.educational_member_group
if self.zone == 'verwaltung':
utils.verify_ldap_object(verwaltung_member_group1, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)
utils.verify_ldap_object(verwaltung_member_group2, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)
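Review bot: `SchoolLib.get_search_base(self.school)` is used on the first `+` line, but this is the only hunk for importcomputers.py and it adds no import. Please confirm that `SchoolLib` is already imported in this module (computerroom.py in this patch adds `from ucsschool.lib.models import School as SchoolLib` explicitly); otherwise the verification fails with a NameError instead of checking the group membership.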
Index: ucs-test-ucsschool/90_ucsschool/essential/importgroups.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/importgroups.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/importgroups.py (Arbeitskopie)
@@ -10,6 +10,7 @@
import univention.testing.strings as uts
from ucsschool.lib.models import SchoolClass as GroupLib
from ucsschool.lib.models import School as SchoolLib
+from ucsschool.lib.models import ClassShare as ClassShareLib
import ucsschool.lib.models.utils
from essential.importou import remove_ou, get_school_base
@@ -27,9 +28,7 @@
configRegistry = univention.config_registry.ConfigRegistry()
configRegistry.load()
-cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
-
class Group:
def __init__(self, school):
@@ -40,8 +39,8 @@
self.school_base = get_school_base(self.school)
- self.dn = 'cn=%s,cn=klassen,cn=%s,cn=groups,%s' % (self.name, cn_pupils, self.school_base)
- self.share_dn = 'cn=%s,cn=klassen,cn=shares,%s' % (self.name, self.school_base)
+ self.dn = GroupLib(school=self.school, name=self.name).dn
+ self.share_dn = ClassShareLib(school=self.school, name=self.name).dn
def set_mode_to_modify(self):
self.mode = 'M'
Index: ucs-test-ucsschool/90_ucsschool/essential/importou.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/importou.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/importou.py (Arbeitskopie)
@@ -13,6 +13,7 @@
import univention.uldap
import univention.admin.uldap
+import ldap
import univention.admin.modules
import univention.admin.filter
import univention.config_registry
@@ -299,12 +300,15 @@
old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')
lo = univention.uldap.getMachineConnection()
base_dn = ucr.get('ldap/base')
+ search_base = School.get_search_base(ou)
- cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')
- cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer')
- cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
- cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')
- cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')
+ cn_pupils = ldap.explode_dn(search_base.students, True)[0]
+ cn_teachers = ldap.explode_dn(search_base.teachers, True)[0]
+ cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0]
+ cn_admins = ldap.explode_dn(search_base.admins, True)[0]
+ cn_staff = ldap.explode_dn(search_base.staff, True)[0]
+ cn_class = ldap.explode_dn(search_base.classes, True)[0]
+ cn_rooms = ldap.explode_dn(search_base.rooms, True)[0]
singlemaster = ucr.is_true('ucsschool/singlemaster')
noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')
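Review bot: The seven `ldap.explode_dn(search_base.<attr>, True)[0]` lines repeat the same expression with a bare positional `True`, which hides that the intent is "value of the first RDN". Suggest a small local helper (for example `first_rdn_value(dn)`) and calling it for each container. Also consider keeping at least one expectation independent of `search_base`, because the `cn` values are now derived from the very DNs they are later compared against.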
@@ -332,43 +336,42 @@
utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [sharefileserver_dn], 'ucsschoolHomeShareFileServer': [sharefileserver_dn]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist)
utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)
utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist)
utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)
if noneducational_create_objects:
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist)
+ utils.verify_ldap_object(search_base.staff, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist)
else:
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False)
- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False)
+ utils.verify_ldap_object(search_base.staff, should_exist=False)
+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False)
+ utils.verify_ldap_object(search_base.staff_group, should_exist=False)
if noneducational_create_objects:
- utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)
- utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)
- utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)
- utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)
+ utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True)
+ utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True)
+ utils.verify_ldap_object(search_base.administrative_ou_dc_group)
+ utils.verify_ldap_object(search_base.administrative_ou_member_group)
# This will fail because we don't cleanup these groups in cleanup_ou
# else:
# utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)
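Review bot: the two new checks on `search_base.administrative_ou_dc_group` and `search_base.administrative_ou_member_group` drop the explicit `should_exist=True` that the removed lines carried and that the two checks directly above them still pass. The default of `verify_ldap_object` is not visible in this patch, so keep the argument explicit on both lines; otherwise the assertion silently depends on that default.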
@@ -382,22 +385,17 @@
if dc_administrative:
verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)
- grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
- grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
- grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
- grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')
-
grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)
grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)
grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)
grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)
- utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)
- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)
- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)
+ utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)
if noneducational_create_objects:
- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)
dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")
dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")
@@ -410,7 +408,7 @@
# check group membership
# slave should be member
# master and backup should not be member
- dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn), "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)]
+ dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]
if must_exist:
if masterobjs:
@@ -486,33 +484,34 @@
base_dn = ucr.get('ldap/base')
ou_base = get_ou_base(ou, ucr.is_true('ucsschool/ldap/district/enable', False))
dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, ou_base)
+ search_base = School.get_search_base(ou)
# define list of (un-)desired group memberships ==> [(IS_MEMBER, GROUP_DN), ...]
group_dn_list = []
if dc_type == TYPE_DC_ADMINISTRATIVE:
group_dn_list += [
- (True, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),
- (True, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),
- (False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn),
- (False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),
- (False, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),
- (False, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),
- (False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn),
- (False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),
+ (True, search_base.administrative_ou_dc_group),
+ (True, search_base.administrative_dc_group),
+ (False, search_base.administrative_member_group),
+ (False, search_base.administrative_ou_member_group),
+ (False, search_base.educational_ou_dc_group),
+ (False, search_base.educational_dc_group),
+ (False, search_base.educational_member_group),
+ (False, search_base.educational_ou_member_group),
]
else:
group_dn_list += [
- (True, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),
- (True, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),
- (False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn),
- (False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),
+ (True, search_base.educational_ou_dc_group),
+ (True, search_base.educational_dc_group),
+ (False, search_base.educational_member_group),
+ (False, search_base.educational_ou_member_group),
]
if ucr.is_true('ucsschool/ldap/noneducational/create/objects', must_exist):
group_dn_list += [
- (False, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),
- (False, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),
- (False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn),
- (False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),
+ (False, search_base.administrative_ou_dc_group),
+ (False, search_base.administrative_dc_group),
+ (False, search_base.administrative_member_group),
+ (False, search_base.administrative_ou_member_group),
]
utils.verify_ldap_object(dc_dn, should_exist=must_exist)
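Review bot: in `group_dn_list` the removed DNs lowercased the OU for the `OU%s-DC-*` groups (`ou.lower()`) but passed `ou` unchanged for the `OU%s-Member-*` groups, and the `search_base.*_ou_dc_group` and `search_base.*_ou_member_group` replacements hide which casing is produced. A `False` entry asserts that the DC is not a member, so a casing mismatch could let a negative check pass vacuously. Please confirm that the attributes reproduce the old casing or that the membership comparison is case-insensitive. `base_dn` also appears to be unused in the lines shown once the string formatting is gone.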
Index: ucs-test-ucsschool/90_ucsschool/essential/importusers.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/importusers.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/importusers.py (Arbeitskopie)
@@ -13,6 +13,7 @@
from univention.testing.decorators import SetTimeout
import univention.uldap
import univention.config_registry
+from ucsschool.lib.models import SchoolClass as SchoolClassLib
from ucsschool.lib.models import Student as StudentLib
from ucsschool.lib.models import Teacher as TeacherLib
from ucsschool.lib.models import Staff as StaffLib
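Review bot: this import block gains only `SchoolClass as SchoolClassLib`, yet later hunks in this file call `SchoolLib.get_search_base(self.school)` and assign `TeachersAndStaffLib`, and neither name appears in the imports visible here (`StudentLib`, `TeacherLib`, `StaffLib`). If they are not already imported outside the shown context, `Person.__init__` fails with a NameError; please add `School as SchoolLib` and `TeachersAndStaff as TeachersAndStaffLib` next to this line or confirm they exist.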
@@ -38,17 +39,7 @@
configRegistry = univention.config_registry.ConfigRegistry()
configRegistry.load()
-cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
-cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer')
-cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
-cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')
-grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
-grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
-grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
-grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')
-
-
class Person(object):
def __init__(self, school, role):
@@ -57,6 +48,7 @@
self.username = uts.random_name()
self.school = school
self.schools = [school]
+ self.search_base = SchoolLib.get_search_base(self.school)
self.role = role
self.record_uid = None
self.source_uid = None
@@ -64,17 +56,17 @@
self.mail = '%s@%s' % (self.username, configRegistry.get('domainname'))
self.school_classes = {}
if self.is_student():
- self.cn = cn_pupils
- self.grp_prefix = grp_prefix_pupils
+ self.user_type = StudentLib
+ self.role_group_dn = self.search_base.students_ou_group
elif self.is_teacher():
- self.cn = cn_teachers
- self.grp_prefix = grp_prefix_teachers
+ self.user_type = TeacherLib
+ self.role_group_dn = self.search_base.teachers_ou_group
elif self.is_teacher_staff():
- self.cn = cn_teachers_staff
- self.grp_prefix = grp_prefix_teachers
+ self.user_type = TeachersAndStaffLib
+ self.role_group_dn = self.search_base.teachers_ou_group
elif self.is_staff():
- self.cn = cn_staff
- self.grp_prefix = grp_prefix_staff
+ self.user_type = StaffLib
+ self.role_group_dn = self.search_base.staff_ou_group
self.mode = 'A'
self.active = True
self.password = None
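Review bot: the `if self.is_student() ... elif self.is_staff()` chain has no `else`, so a role that matches none of the four branches leaves `self.user_type` and `self.role_group_dn` unset, and the failure only surfaces later as an AttributeError in `make_dn()` or in the role group verification. An `else: raise ValueError(...)` that names the role would fail at construction with a clear message.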
@@ -83,7 +75,7 @@
self.append_random_groups()
def make_dn(self):
- return 'uid=%s,cn=%s,cn=users,%s' % (self.username, self.cn, self.school_base)
+ return self.user_type(school=self.school, name=self.username).dn
def make_school_base(self):
return get_school_base(self.school)
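Review bot: `make_dn()` now builds the expected DN with `self.user_type(school=..., name=...).dn`, which is the same ucsschool.lib model code the import under test relies on, so a regression in the library's DN construction would change the expected and actual values together and go unnoticed. Consider keeping at least one test that pins a literal DN for the default configuration and one for a non-default container name.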
@@ -242,17 +234,11 @@
if self.description:
attr['description'] = [self.description]
- subdir = ''
if configRegistry.is_true('ucsschool/import/roleshare', True):
- if self.is_student():
- subdir = os.path.join(self.school, 'schueler')
- elif self.is_teacher():
- subdir = os.path.join(self.school, 'lehrer')
- elif self.is_teacher_staff():
- subdir = os.path.join(self.school, 'lehrer')
- elif self.is_staff():
- subdir = os.path.join(self.school, 'mitarbeiter')
- attr['homeDirectory'] = ['/home/%s' % os.path.join(subdir, self.username)]
+ subdir = self.user_type(school=self.school, name=self.username).get_roleshare_home_subdir()
+ else:
+ subdir = ''
+ attr['homeDirectory'] = [os.path.join('/home', subdir, self.username)]
if self.is_active():
attr['krb5KDCFlags'] = ['126']
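Review bot: in `attr['homeDirectory'] = [os.path.join('/home', subdir, self.username)]`, `os.path.join` discards all earlier components when a later one is absolute, so a `get_roleshare_home_subdir()` result that begins with `/` would silently drop the `/home` prefix from the expected value. If the method's contract is a relative path, assert that here so the test fails loudly instead of comparing against the wrong directory.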
@@ -332,11 +318,10 @@
for school, classes in self.school_classes.iteritems():
for cl in classes:
- cl_group_dn = 'cn=%s,cn=klassen,cn=%s,cn=groups,%s' % (cl, cn_pupils, get_school_base(school))
+ cl_group_dn = SchoolClassLib(school=school, name=cl).dn
utils.verify_ldap_object(cl_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)
- role_group_dn = 'cn=%s%s,cn=groups,%s' % (self.grp_prefix, self.school, self.school_base)
- utils.verify_ldap_object(role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)
+ utils.verify_ldap_object(self.role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)
print 'person OK: %s' % self.username
Index: ucs-test-ucsschool/90_ucsschool/essential/internetrule.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/internetrule.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/internetrule.py (Arbeitskopie)
@@ -15,6 +15,7 @@
import univention.testing.utils as utils
from univention.testing.ucsschool import UCSTestSchool
import univention.testing.ucsschool as utu
+from ucsschool.lib.models import SchoolClass as SchoolClassLib
class InternetRule(object):
@@ -199,7 +200,7 @@
ucsschool = UCSTestSchool()
groupdn = ucsschool.get_workinggroup_dn(school, groupName)
elif groupType == 'class':
- groupdn = 'cn=%s-%s,cn=klassen,cn=schueler,cn=groups,%s' % (school, groupName, school_basedn)
+ groupdn = SchoolClassLib(school=schoolenv.name, name="{}-{}".format(school, groupName)).dn
if default:
name = '$default$'
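Review bot: the new `groupdn` line passes `school=schoolenv.name` but builds the class name from `school`, and `schoolenv` is not defined anywhere in the visible context, where the sibling branch calls `ucsschool.get_workinggroup_dn(school, groupName)`. Unless `schoolenv` is in scope here, this raises a NameError for `groupType == 'class'`; it should most likely read `SchoolClassLib(school=school, name="{}-{}".format(school, groupName)).dn`, as in the klasse.py change. The `school_basedn` variable used by the removed line may now be unused as well.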
Index: ucs-test-ucsschool/90_ucsschool/essential/klasse.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/klasse.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/klasse.py (Arbeitskopie)
@@ -9,6 +9,7 @@
from univention.testing.ucsschool import UMCConnection
import univention.testing.ucr as ucr_test
from univention.testing.ucsschool import UCSTestSchool
+from ucsschool.lib.models import SchoolClass as SchoolClassLib
class GetFail(Exception):
@@ -132,9 +133,7 @@
k, classes_names))
def dn(self):
- return 'cn=%s-%s,cn=klassen,cn=schueler,cn=groups,%s' % (
- self.school, self.name, UCSTestSchool().get_ou_base_dn(self.school)
- )
+ return SchoolClassLib(school=self.school, name="{}-{}".format(self.school, self.name)).dn
def get(self):
"""Get class"""
Index: ucs-test-ucsschool/90_ucsschool/essential/school.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/school.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/school.py (Arbeitskopie)
@@ -4,6 +4,7 @@
.. moduleauthor:: Ammar Najjar
"""
+import ldap
from essential.importcomputers import random_ip
from essential.importou import DCNotFound, DCMembership, DhcpdLDAPBase, TYPE_DC_ADMINISTRATIVE
from essential.importou import get_ou_base, verify_dc, get_school_ou_from_dn, TYPE_DC_EDUCATIONAL
@@ -13,6 +14,8 @@
import univention.testing.ucr as ucr_test
import univention.testing.utils as utils
import univention.uldap
+from ucsschool.lib.models import (School as LibSchool, ComputerRoom as LibComputerRoom, SchoolClass as LibSchoolClass,
+ Staff as LibStaff, TeachersAndStaff as LibTeachersAndStaff, Teacher as LibTeacher, Student as LibStudent)
class GetFail(Exception):
@@ -258,12 +261,15 @@
old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')
lo = univention.uldap.getMachineConnection()
base_dn = ucr.get('ldap/base')
+ search_base = LibSchool.get_search_base(ou)
- cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')
- cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer')
- cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
- cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')
- cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')
+ cn_pupils = ldap.explode_dn(LibStudent.get_container(ou), True)[0]
+ cn_teachers = ldap.explode_dn(LibTeacher.get_container(ou), True)[0]
+ cn_teachers_staff = ldap.explode_dn(LibTeachersAndStaff.get_container(ou), True)[0]
+ cn_admins = ldap.explode_dn(search_base.admins, True)[0]
+ cn_staff = ldap.explode_dn(LibStaff.get_container(ou), True)[0]
+ cn_class = ldap.explode_dn(LibSchoolClass.get_container(ou), True)[0]
+ cn_rooms = ldap.explode_dn(LibComputerRoom.get_container(ou), True)[0]
singlemaster = ucr.is_true('ucsschool/singlemaster')
noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')
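Review bot: `cn_pupils`, `cn_teachers`, `cn_teachers_staff`, `cn_staff`, `cn_class` and `cn_rooms` are derived via `Lib*.get_container(ou)` while `cn_admins` comes from `search_base.admins`, and the parallel block in importou.py takes all of them from `search_base`. The checks that follow compare these names against `search_base.students`, `search_base.teachers` and so on, so using one source in both files would make clear what is compared with what. If the mix is an intentional cross-check of the model containers against the search base, a comment saying so would help.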
@@ -297,43 +303,42 @@
utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [classsharefileserver_dn], 'ucsschoolHomeShareFileServer': [homesharefileserver_dn]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist)
utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)
utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist)
- utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist)
- utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist)
utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)
if noneducational_create_objects:
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist)
- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist)
+ utils.verify_ldap_object(search_base.staff, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist)
else:
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False)
- utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False)
- utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False)
+ utils.verify_ldap_object(search_base.staff, should_exist=False)
+ utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False)
+ utils.verify_ldap_object(search_base.staff_group, should_exist=False)
if noneducational_create_objects:
- utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)
- utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)
- utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)
- utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)
+ utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True)
+ utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True)
+ utils.verify_ldap_object(search_base.administrative_ou_dc_group)
+ utils.verify_ldap_object(search_base.administrative_ou_member_group)
# This will fail because we don't cleanup these groups in cleanup_ou
# else:
# utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)
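Review bot: `search_base.classShares` is verified with `expected_attr={'cn': [cn_class]}`, but `cn_class` was taken from `LibSchoolClass.get_container(ou)`, which is the class groups container and not the shares container. The expectation only holds while both containers carry the same name; derive the expected value from `search_base.classShares` itself or document that the two names are required to match. The `administrative_ou_dc_group` and `administrative_ou_member_group` checks in this hunk also lose their explicit `should_exist=True`.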
@@ -347,22 +352,17 @@
if dc_administrative:
verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)
- grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
- grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
- grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
- grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')
-
grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)
grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)
grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)
grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)
- utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)
- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)
- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)
+ utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)
if noneducational_create_objects:
- utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)
+ utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)
dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")
dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")
@@ -375,7 +375,7 @@
# check group membership
# slave should be member
# master and backup should not be member
- dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn), "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)]
+ dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]
if must_exist:
if masterobjs:
@@ -419,7 +419,7 @@
# seems to be the first OU, so check the variable settings
if ucr.get('dhcpd/ldap/base') != "cn=dhcp,%s" % (ou_base,):
print 'ERROR: dhcpd/ldap/base =', ucr.get('dhcpd/ldap/base')
- print 'ERROR: expected base =', dhcp_dn
+ print 'ERROR: expected base =', dhcp_dn # FIXME: unresolve reference: dhcp_dn
raise DhcpdLDAPBase()
# use the UCR value and check if the DHCP service exists
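Review bot: the changed `print 'ERROR: expected base =', dhcp_dn` line documents the undefined name with a FIXME instead of fixing it, so this error path still raises a NameError before `raise DhcpdLDAPBase()` is reached. The condition above already compares against `"cn=dhcp,%s" % (ou_base,)`; print that value (or `search_base.dhcp`, if it is in scope in this function) and drop the comment, which also misspells "unresolved".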
Index: ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py
===================================================================
--- ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py (Revision 74236)
+++ ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py (Arbeitskopie)
@@ -1,8 +1,8 @@
from univention.testing.ucsschool import UMCConnection
import univention.testing.strings as uts
import univention.testing.ucr as ucr_test
-import univention.testing.ucsschool as utu
import univention.testing.utils as utils
+from ucsschool.lib.models import LibComputerRoom
class FailQuery(Exception):
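Review bot: `from ucsschool.lib.models import LibComputerRoom` imports a name that the school.py change in this same patch obtains as `ComputerRoom as LibComputerRoom`, so unless the models package really exports `LibComputerRoom`, this module fails at import time. Use `from ucsschool.lib.models import ComputerRoom as LibComputerRoom`.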
@@ -54,7 +54,7 @@
self.umc_connection.auth(admin, passwd)
def dn(self):
- return 'cn=%s-%s,cn=raeume,cn=groups,%s' % (self.school, self.name, utu.UCSTestSchool().get_ou_base_dn(self.school))
+ return LibComputerRoom(school="myschool", name='{}-{}'.format("myschool", "myname")).dn
def add(self, should_pass=True):
param = [{
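Review bot: the new `dn()` returns the DN for the literals "myschool" and "myname" instead of for this object, whereas the removed line used `self.school` and `self.name`. This looks like leftover scratch code; it should read `LibComputerRoom(school=self.school, name='{}-{}'.format(self.school, self.name)).dn`, matching the klasse.py change.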
Index: ucs-test-ucsschool/univention/testing/ucsschool.py
===================================================================
--- ucs-test-ucsschool/univention/testing/ucsschool.py (Revision 74236)
+++ ucs-test-ucsschool/univention/testing/ucsschool.py (Arbeitskopie)
@@ -394,7 +394,7 @@
unset_ucr = False
if not self._ucr.get('mail/hosteddomains'):
unset_ucr = True
- handler_set(['mail/hosteddomains={hostname}.{domainname}'.format(**dict(self._ucr.items()))])
+ handler_set(['mail/hosteddomains={}.{}'.format(self._ucr["hostname"], self._ucr["domainname"])])
try:
cmd = [self.PATH_CMD_IMPORT_USER, tmp_file.name]
print '*** Calling following command: %r' % cmd
Index: univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py
===================================================================
--- univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py (Revision 74236)
+++ univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py (Arbeitskopie)
@@ -55,6 +55,7 @@
univention.admin.syntax.update_choices()
_ = Translation('univention-management-console-selective-udm').translate
+from ucsschool.lib.models import SchoolComputer
class CreationDenied(Exception):
@@ -94,7 +95,7 @@
try:
# Set new position
- ldap_position.setDn(search_base.computers)
+ ldap_position.setDn(SchoolComputer.get_container(search_base.school))
usersid = request.options.get('usersid')
self._check_usersid_join_permissions(ldap_user_read, usersid)
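Review bot: `ldap_position.setDn(SchoolComputer.get_container(search_base.school))` introduces a second source of truth for the computers container, while the tests in this patch still verify `search_base.computers` with a hard-coded `cn` of `computers`. Either `search_base.computers` should itself return the configured container, which would make this change unnecessary, or the tests should cover the container used here. Because this position decides where the join creates the computer object, please also confirm that the container exists for every school and that its access controls match those of the old location.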