Attachment #8209 for bug #41231




	  zugeordnet wird.
	</para>
	<para>
	  Über vier weitere &ucsUCR;-Variablen kann das Verhalten des Hooks gesteuert
	  werden:
	</para>
	  <itemizedlist>
		<listitem>
		  <para>
			<command>ucsschool/import/generate/share/marktplatz/name</command>
		  </para>
		  <para>
			Diese Variable definiert den Namen der Freigabe. Der Standard ist <literal>Marktplatz</literal>.
		  </para>
		</listitem>
		<listitem>
		  <para>
			<command>ucsschool/import/generate/share/marktplatz/sharepath</command>
		  </para>
		  <para>

(-)doc/manual/performance-de.xml (+4 lines)

Lines 93-98	Link Here

  		  </simpara>

  		  </simpara>

  		</listitem>

  		</listitem>

  	  </itemizedlist>

  	  </itemizedlist>

  	  <note>

  	    Der Teil des Gruppennamens der hier &lt;Edukativnetz&gt; ist, kann seit &ucsUAS;-Version 4.1 R2 v7

  	    verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.

  	  </note>

  	</para>

100

  	</para>

    </section>

101

    </section>

102




            Zugriffsrechte gesetzt werden. Dabei kann der Zugriff für einzelne Benutzer oder ganze Gruppen
            erlaubt bzw. gesperrt werden. Um den Schülern den Zugriff auf die physikalischen Drucker zu
            verbieten, muss an den Druckerfreigaben für diese Drucker der Zugriff durch Benutzer der
            OU-spezifischen Gruppe <systemitem class="groupname">schueler-<replaceable>OU</replaceable></systemitem>
            (z.B. <systemitem class="groupname">schueler-gsmitte</systemitem>) verboten werden. Für den PDF-Drucker
            <systemitem class="resource">PDFDrucker</systemitem> sollten keine Einschränkungen gemacht werden.
            <note>
                Der Teil des Gruppennamens der hier &lt;schueler-&gt; ist, kann seit &ucsUAS;-Version 4.1 R2 v7 verändert
                werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.
            </note>
            gemacht werden.
        </para>
        <para>
            Schüler haben damit nur noch die Möglichkeit Druckaufträge an den

            Anlegen einer OU kann durch das Setzen der &ucsUCRV;
            <envar>ucsschool/import/generate/marktplatz</envar> auf den
            Wert <literal>no</literal> verhindert werden.
            <note>
                Weiterführnde Informationen zur <emphasis>Marktplatz</emphasis>-Freigabe finden sich unter <xref linkend="import:marketplace"/>.
            </note>
        </para>
        <para>
            Diese Freigaben müssen zwingend auf dem Schulserver bereitgestellt

            Die Freigabe erlaubt der Gruppe <systemitem class="resource">lehrer-&lt;OU&gt;</systemitem> den
            administrativen
            Zugriff auf das Basisverzeichnis <filename class="directory">/home/&lt;OU&gt;/schueler</filename>.
            <note>
                Der Teil des Gruppennamens der hier &lt;schueler-&gt; bzw.&lt;lehrer-&gt; ist, kann seit
                &ucsUAS;-Version 4.1 R2 v7 verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.
            </note>
        </para>
        <para>
            Per Voreinstellung wird der Lehrergruppe Lesezugriff gewährt.

            Option zu Schuladministratoren umgewandelt werden.
            <itemizedlist>
                <listitem>
                    <para>
                        Die zusätzliche Gruppenmitgliedschaft muss manuell über das &ucsUMC;-Modul
                        <guimenu>Benutzer</guimenu> auf dem &ucsMaster; hinzugefügt werden. Auf dem Reiter
                        <guimenu>Gruppen</guimenu> muss das Benutzerkonto in die Gruppe
                        <guimenu>Gruppen</guimenu>
                        muss das Benutzerkonto in die Gruppe
                        <systemitem class="groupname"><replaceable>admins-OU</replaceable></systemitem>
                        (für die OU <wordasword>gym17</wordasword> ist dies die Gruppe
                        <systemitem class="groupname">admins-gym17</systemitem>) aufgenommen werden.
                        <note>
                            Der Teil des Gruppennamens der hier &lt;admins-&gt; ist, kann seit &ucsUAS;-Version 4.1 R2 v7
                            verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.
                        </note>
                    </para>
                </listitem>
                <listitem>
                    <simpara>
                        Im &ucsUMC;-Modul <guimenu>Benutzer</guimenu> muss außerdem im Reiter
                        <guimenu>Optionen</guimenu> die Option <option>UCS@school-Administrator</option>
                        die Option
                        <option>UCS@school-Administrator</option>
                        eingeschaltet werden.
                    </simpara>
                </listitem>




		</note>
	  </section>

	  <section id="structure:ldap:container_names">
		<title>Gruppen-, Verzeichnis- und Containernamen</title>
		  <para>
		    Seit &ucsUAS;-Version 4.1 R2 v7 können mit Hilfe von UCR-Variablen Teile der Gruppen-, Verzeichnis- und Containernamen
		    <emphasis>vor der Installation der &ucsUAS;-App</emphasis> bestimmt werden.
		  </para>
		  <para>
			Beispielsweise wird die Gruppe <systemitem class="groupname">Member-Edukativnetz</systemitem> durch Setzen
			der UCR-Variablen <envar>ucsschool/ldap/default/groupname/all-educational-member=Membre-Enseignement</envar>
			mit dem Namen <systemitem class="groupname">Membre-Enseignement</systemitem> angelegt.
		  </para>
		  <para>
			  Sollen zum Beispiel die Benutzerkonten von Schülern nicht im Container
			  <uri>cn=schueler,cn=groups,ou=gymmitte,dc=example,dc=com</uri> gespeichert werden, sondern unter
			  <uri>cn=ecolier,cn=groups,ou=gymmitte,dc=example,dc=com</uri>, muss
			  <envar>ucsschool/ldap/default/container/pupils=ecolier</envar> gesetzt werden.
		  </para>
		  <para>
			  Die Bedeutung der aller UCR-Variablen können Sie durch das Lesen der Hilfetexte zu den UCR-Variablen erfahren
			  (siehe <biblioref linkend="ucs-handbuch"/>).
		  </para>
		  <para>
			  <simpara>
				Die folgenden Teile von Containernamen (z.B. in <uri>cn=admins,cn=groups,ou=gymmitte,dc=example,dc=com</uri>) können gesetzt werden:
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>admins:                 <envar>ucsschool/ldap/default/container/admins</envar></simpara></listitem>
				  <listitem><simpara>schueler:               <envar>ucsschool/ldap/default/container/pupils</envar></simpara></listitem>
				  <listitem><simpara>mitarbeiter:            <envar>ucsschool/ldap/default/container/staff</envar></simpara></listitem>
				  <listitem><simpara>lehrer und mitarbeiter: <envar>ucsschool/ldap/default/container/teachers-and-staff</envar></simpara></listitem>
				  <listitem><simpara>lehrer:                 <envar>ucsschool/ldap/default/container/teachers</envar></simpara></listitem>
				  <listitem><simpara>klassen:                <envar>ucsschool/ldap/default/container/class</envar></simpara></listitem>
				  <listitem><simpara>raeume:                 <envar>ucsschool/ldap/default/container/rooms</envar></simpara></listitem>
				  <listitem><simpara>examusers:              <envar>ucsschool/ldap/default/container/exam</envar></simpara></listitem>
			  </itemizedlist>
		  </para>
		  <para>
			  <simpara>
				Die folgenden Präfixe von Gruppennamen (z.B. in <systemitem class="groupname">schueler-gymmitte</systemitem>) können gesetzt werden:
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>schueler-:              <envar>ucsschool/ldap/default/groupprefix/pupils</envar></simpara></listitem>
				  <listitem><simpara>lehrer-:                <envar>ucsschool/ldap/default/groupprefix/teachers</envar></simpara></listitem>
				  <listitem><simpara>admins-:                <envar>ucsschool/ldap/default/groupprefix/admins</envar></simpara></listitem>
				  <listitem><simpara>mitarbeiter-:           <envar>ucsschool/ldap/default/groupprefix/staff</envar></simpara></listitem>
			  </itemizedlist>
			  <simpara>
				  Die folgenden Gruppennamen können per UCR gesetzt werden. Bei Namen die <replaceable>%(ou)s</replaceable> enthalten
				  wird dieses vom System durch das jeweilige Schulkürzel ersetzt (z.B. <uri>gymmitte</uri> in
				  <systemitem class="groupname">OUgymmitte-DC-Edukativnetz</systemitem>).
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>DC-Edukativnetz:                 <envar>ucsschool/ldap/default/groupname/all-educational-dc</envar></simpara></listitem>
				  <listitem><simpara>Member-Edukativnetz:             <envar>ucsschool/ldap/default/groupname/all-educational-member</envar></simpara></listitem>
				  <listitem><simpara>DC-Verwaltungsnetz:              <envar>ucsschool/ldap/default/groupname/all-administrativ-dc</envar></simpara></listitem>
				  <listitem><simpara>Member-Verwaltungsnetz:          <envar>ucsschool/ldap/default/groupname/all-administrativ-member</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-DC-Edukativnetz:        <envar>ucsschool/ldap/default/groupname/ou-educational-dc</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-Member-Edukativnetz:    <envar>ucsschool/ldap/default/groupname/ou-educational-member</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-DC-Verwaltungsnetz:     <envar>ucsschool/ldap/default/groupname/ou-administrativ-dc</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-Member-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/ou-administrativ-member</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-Klassenarbeit:          <envar>ucsschool/ldap/default/groupname/exam</envar></simpara></listitem>
			  </itemizedlist>
			  <simpara>
				  Die folgenden Verzeichnisnamen können per UCR gesetzt werden (z.B. <envar>klassen</envar> in <filename class="directory">/home/groups/klassen/3b</filename>):
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>klassen:                <envar>ucsschool/ldap/default/share/class</envar></simpara></listitem>
				  <listitem><simpara>schueler:               <envar>ucsschool/ldap/default/share/pupils</envar></simpara></listitem>
				  <listitem><simpara>lehrer:                 <envar>ucsschool/ldap/default/share/teachers</envar></simpara></listitem>
				  <listitem><simpara>Unterrichtsmaterial:    <envar>ucsschool/datadistribution/datadir/sender</envar></simpara></listitem>
				  <listitem><simpara>Unterrichtsmaterial:    <envar>ucsschool/datadistribution/datadir/recipient</envar></simpara></listitem>
				  <listitem><simpara>Klassenarbeiten:        <envar>ucsschool/ldap/default/share/exams</envar></simpara></listitem>
				  <listitem><simpara>schueler, lehrer, mitarbeiter:  <envar>ucsschool/import/roleshare/.*/path</envar></simpara></listitem>
				  <listitem><simpara>Marktplatz:             <envar>ucsschool/import/generate/share/marktplatz/name</envar></simpara></listitem>
			  </itemizedlist>
		  </para>
	  </section>

	  <section id="structure:ldap:global">
		<title>Weitere &ucsUAS;-Objekte</title>
		<para>




Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/admins]
Description[de]=Standard-Container-Name für Administratoren. Standard ist "admins".
Description[en]=Default container name for administrators. Default is "admins".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/class]
Description[de]=Standard-Container-Name für Schulklassen. Standard ist "klassen".
Description[en]=Default container name for school classes. Default is "klassen".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/exam]
Description[de]=Standard-Container-Name für Schüler in einer Prüfung. Standard ist "examusers".
Description[en]=Default container name name for pupils writing exams. Default is "examusers".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/pupils]
Description[de]=Standard-Container-Name für Schüler. Standard ist "schueler".
Description[en]=Default container name for pupils. Default is "schueler".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/rooms]
Description[de]=Standard-Container-Name für Klassenräume. Standard ist "raeume".
Description[en]=Default container name for class rooms. Default is "raeume".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/staff]
Description[de]=Standard-Container-Name für Mitarbeiter. Standard ist "mitarbeiter".
Description[en]=Default container name for staff members. Default is "mitarbeiter".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/teachers]
Description[de]=Standard-Container-Name für Lehrer. Standard ist "lehrer".
Description[en]=Default container name for teachers. Default is "lehrer".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/teachers-and-staff]
Description[de]=Standard-Container-Name für Benutzer die gleichzeitig Lehrer und Mitarbeiter sind. Standard ist "lehrer und mitarbeiter".
Description[en]=Default container name for users that are both teachers and staff members. Default is "lehrer und mitarbeiter".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/exam]
Description[de]=Standard Gruppenname für Schüler in einer Prüfung. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Klassenarbeit".
Description[en]=Default group name for pupils writing exams. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Klassenarbeit".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-administrativ-dc]
Description[de]=Standard Gruppenname für Domain Controller in Verwaltungsnetzen. Standard ist "DC-Verwaltungsnetz".
Description[en]=Default group name for domain controllers in administrativ networks. Default is "DC-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-administrativ-member]
Description[de]=Standard Gruppenname für Member Server in Verwaltungsnetzen. Standard ist "Member-Verwaltungsnetz".
Description[en]=Default group name for member servers in administrativ networks. Default is "Member-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-educational-dc]
Description[de]=Standard Gruppenname für Domain Controller in Edukativnetzen. Standard ist "DC-Edukativnetz".
Description[en]=Default group name for domain controllers in educational networks. Default is "DC-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-educational-member]
Description[de]=Standard Gruppenname für Member Server in Edukativnetzen. Standard ist "Member-Edukativnetz".
Description[en]=Default group name for member servers in educational networks. Default is "Member-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-administrativ-dc]
Description[de]=Standard Gruppenname für Domain Controller im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Verwaltungsnetz".
Description[en]=Default group name for domain controllers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-administrativ-member]
Description[de]=Standard Gruppenname für Member Server im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Verwaltungsnetz".
Description[en]=Default group name for member servers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-educational-dc]
Description[de]=Standard Gruppenname für Domain Controller im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Edukativnetz".
Description[en]=Default group name for domain controllers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-educational-member]
Description[de]=Standard Gruppenname für Member Server im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Edukativnetz".
Description[en]=Default group name for member servers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/admins]
Description[de]=Standard-Prefix für die Administrator-Gruppen. Standard ist "admins-".
Description[en]=Default prefix for admin groups. Default is "admins-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/pupils]
Description[de]=Standard-Prefix für die Schüler-Gruppen. Standard ist "schueler-".
Description[en]=Default prefix for pupils groups. Default is "schueler-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/staff]
Description[de]=Standard-Prefix für die Mitarbeiter-Gruppen. Standard ist "mitarbeiter-".
Description[en]=Default prefix for staff groups. Default is "mitarbeiter-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/teachers]
Description[de]=Standard-Prefix für die Lehrer-Gruppen. Standard ist "lehrer-".
Description[en]=Default prefix for teacher groups. Default is "lehrer-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/share/class]
Description[de]=Standard Verzeichnisname für die Klassen-Freigabe. Standard ist "klassen".
Description[en]=Default directory name for the class share. Default is "klassen".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/share/pupils]
Description[de]=Standard Verzeichnisname für die Schüler-Verzeichnisse. Standard ist "schueler".
Description[en]=Default directory name for the pupils directories. Default is "schueler".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/share/teachers]
Description[de]=Standard Verzeichnisname für die Lehrer-Verzeichnisse. Standard ist "lehrer".
Description[en]=Default directory name for the teachers directories. Default is "lehrer".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/dcs]
Description[de]=Spezifiziert welche Schul-DCs beim Erzeugen einer Schule angelegt werden sollen (Werte: edukativ und/oder verwaltung)
Description[en]=Specifies which school DCs are created during the school set up (values: edukativ and/or verwaltung)

Type=str
Categories=ucsschool-base

[ucsschool/import/generate/share/marktplatz/name]
Description[de]=Name der Freigabe (Default: "Marktplatz").
Description[en]=Name of share (default: "Marktplatz").
Type=str
Categories=ucsschool-base

[ucsschool/import/generate/share/marktplatz/sharepath]
Description[de]=Vorgabepfad der Freigabe "Marktplatz" (Default: /home/$ou/groups/Marktplatz)
Description[en]=Default path of share "Marktplatz" (default: /home/$ou/groups/Marktplatz)

Categories=ucsschool-base

[ucsschool/import/roleshare]
Description[de]=Falls diese Variable nicht auf "false" oder "no" gesetzt wird, werden Homeverzeichnisse für Benutzer und Klassengruppen in einer rollen- und schulspezifischen Struktur von Unterverzeichnissen angelegt, z.B. unter /home/$ou/schueler/.
Description[en]=If this variable is not set to "false" or "no", then home directories for users and class groups will be created in a role and school specific structure of subdirectories, e.g. in /home/$ou/schueler/.
Type=str
Categories=ucsschool-base

(-)ucs-school-import/modules/ucsschool/importer/contrib/csv.py (-1 / +1 lines)

Lines 346-352	Link Here

346

347

	def next(self):

347

	def next(self):

348

		if self.line_num == 0:

348

		if self.line_num == 0:

349

		    # Used only for its side effect.

349

			# Used only for its side effect.

350

			self.fieldnames

350

			self.fieldnames

351

		self.row = self.reader.next()

351

		self.row = self.reader.next()

352

		self.line_num = self.reader.line_num

352

		self.line_num = self.reader.line_num

(-)ucs-school-import/modules/ucsschool/importer/models/import_user.py (-19 / +89 lines)

Lines 44-50	Link Here

from ucsschool.lib.models.utils import create_passwd

from ucsschool.lib.models.utils import create_passwd

from ucsschool.importer.configuration import Configuration

from ucsschool.importer.configuration import Configuration

from ucsschool.importer.factory import Factory

from ucsschool.importer.factory import Factory

from ucsschool.importer.exceptions import BadPassword, FormatError, InvalidBirthday, InvalidClassName, InvalidEmail, MissingMailDomain, MissingMandatoryAttribute, MissingSchoolName, NotSupportedError, NoUsername, NoUsernameAtAll, UDMValueError, UniqueIdError, UnkownDisabledSetting, UnknownProperty, UsernameToLong

from ucsschool.importer.exceptions import (BadPassword, FormatError, InvalidBirthday, InvalidClassName, InvalidEmail,

	MissingMailDomain, MissingMandatoryAttribute, MissingSchoolName, NotSupportedError, NoUsername, NoUsernameAtAll,

	UDMValueError, UniqueIdError, UnkownDisabledSetting, UnknownProperty, UsernameToLong)

from ucsschool.importer.utils.logging import get_logger

from ucsschool.importer.utils.logging import get_logger

from ucsschool.importer.utils.pyhooks_loader import PyHooksLoader

from ucsschool.importer.utils.pyhooks_loader import PyHooksLoader

from ucsschool.importer.utils.user_pyhook import UserPyHook

from ucsschool.importer.utils.user_pyhook import UserPyHook

Lines 94-100	Link Here

			self.config = Configuration()

			self.config = Configuration()

			self.reader = self.factory.make_reader()

			self.reader = self.factory.make_reader()

			self.logger = get_logger()

			self.logger = get_logger()

			self.username_max_length = 20 - len(self.ucr.get("ucsschool/ldap/default/userprefix/exam", "exam-"))

			self.username_max_length = 20 - len(Student.get_search_base(school).user_prefix_exam)

		self._lo = None

100

		self._lo = None

		self._userexpiry = None

101

		self._userexpiry = None

100

		super(ImportUser, self).__init__(name, school, **kwargs)

102

		super(ImportUser, self).__init__(name, school, **kwargs)

Lines 160-166	Link Here

160

		:param superordinate: str: superordinate

162

		:param superordinate: str: superordinate

161

		:return: object of ImportUser subclass from LDAP or raises noObject

163

		:return: object of ImportUser subclass from LDAP or raises noObject

162

"""

164

"""

163

		filter_s = filter_format("(&(objectClass=ucsschoolType)(ucsschoolSourceUID=%s)(ucsschoolRecordUID=%s))", (source_uid, record_uid))

165

		filter_s = filter_format(

166

			"(&(objectClass=ucsschoolType)(ucsschoolSourceUID=%s)(ucsschoolRecordUID=%s))",

167

			(source_uid, record_uid)

168

164

		obj = cls.get_only_udm_obj(connection, filter_s, superordinate=superordinate)

169

		obj = cls.get_only_udm_obj(connection, filter_s, superordinate=superordinate)

165

		if not obj:

170

		if not obj:

166

			raise noObject("No user with source_uid={0} and record_uid={1} found.".format(source_uid, record_uid))

171

			raise noObject("No user with source_uid={0} and record_uid={1} found.".format(source_uid, record_uid))

Lines 190-198	Link Here

190

			try:

195

			try:

191

				udm_obj[property_] = value

196

				udm_obj[property_] = value

192

			except (KeyError, noProperty) as exc:

197

			except (KeyError, noProperty) as exc:

193

				raise UnknownProperty("UDM property '{}' could not be set: {}".format(property_, exc), entry=self.entry_count, import_user=self)

198

				raise UnknownProperty(

199

					"UDM property '{}' could not be set: {}".format(property_, exc),

200

					entry=self.entry_count,

201

					import_user=self

202

194

			except (valueError, valueInvalidSyntax) as exc:

203

			except (valueError, valueInvalidSyntax) as exc:

195

				raise UDMValueError("UDM property '{}' could not be set: {}".format(property_, exc), entry=self.entry_count, import_user=self)

204

				raise UDMValueError(

205

					"UDM property '{}' could not be set: {}".format(property_, exc),

206

					entry=self.entry_count,

207

					import_user=self

208

196

209

197

	def has_expired(self, connection):

210

	def has_expired(self, connection):

198

"""

211

"""

Lines 334-340	Link Here

334

			try:

347

			try:

335

				activate = self.config["activate_new_users"]["default"]

348

				activate = self.config["activate_new_users"]["default"]

336

			except KeyError:

349

			except KeyError:

337

				raise UnkownDisabledSetting("Cannot find 'disabled' ('activate_new_users') setting for role '{}' or " "'default'.".format(self.role_sting), self.entry_count, import_user=self)

350

				raise UnkownDisabledSetting(

351

					"Cannot find 'disabled' ('activate_new_users') setting for role '{}' or 'default'.".format(self.role_sting),

352

					self.entry_count,

353

					import_user=self

354

338

		self.disabled = "none" if activate else "all"

355

		self.disabled = "none" if activate else "all"

339

356

340

	def make_firstname(self):

357

	def make_firstname(self):

Lines 379-385	Link Here

379

			try:

396

			try:

380

				maildomain = self.ucr["mail/hosteddomains"].split()[0]

397

				maildomain = self.ucr["mail/hosteddomains"].split()[0]

381

			except (AttributeError, IndexError):

398

			except (AttributeError, IndexError):

382

				raise MissingMailDomain("Could not retrieve mail domain from configuration nor from UCRV " "mail/hosteddomains.", entry=self.entry_count, import_user=self)

399

				raise MissingMailDomain(

400

					"Could not retrieve mail domain from configuration nor from UCRV mail/hosteddomains.",

401

					entry=self.entry_count,

402

					import_user=self

403

383

		self.email = self.format_from_scheme("email", self.config["scheme"]["email"], maildomain=maildomain).lower()

404

		self.email = self.format_from_scheme("email", self.config["scheme"]["email"], maildomain=maildomain).lower()

384

405

385

	def make_password(self):

406

	def make_password(self):

Lines 425-431	Link Here

425

		elif self.schools and isinstance(self.schools, basestring):

446

		elif self.schools and isinstance(self.schools, basestring):

426

			self.make_schools()  # this will recurse back, but schools will be a list then

447

			self.make_schools()  # this will recurse back, but schools will be a list then

427

		else:

448

		else:

428

			raise MissingSchoolName("Primary school name (ou) was not set on the cmdline or in the configuration file " "and was not found in the input data.", entry=self.entry_count, import_user=self)

449

			raise MissingSchoolName(

450

				"Primary school name (ou) was not set on the cmdline or in the configuration file and was not found in "

451

				"the input data.",

452

				entry=self.entry_count,

453

				import_user=self

454

429

455

430

	def make_schools(self):

456

	def make_schools(self):

431

"""

457

"""

Lines 556-565	Link Here

556

		try:

582

		try:

557

			[self.udm_properties.get(ma) or getattr(self, ma) for ma in self.config["mandatory_attributes"]]

583

			[self.udm_properties.get(ma) or getattr(self, ma) for ma in self.config["mandatory_attributes"]]

558

		except (AttributeError, KeyError) as exc:

584

		except (AttributeError, KeyError) as exc:

559

			raise MissingMandatoryAttribute("A mandatory attribute was not set: {}.".format(exc), self.config["mandatory_attributes"], entry=self.entry_count, import_user=self)

585

			raise MissingMandatoryAttribute(

586

				"A mandatory attribute was not set: {}.".format(exc),

587

				self.config["mandatory_attributes"],

588

				entry=self.entry_count,

589

				import_user=self

590

560

591

561

		if self.record_uid in self._unique_ids["recordUID"]:

592

		if self.record_uid in self._unique_ids["recordUID"]:

562

			raise UniqueIdError("RecordUID '{}' has already been used in this import.".format(self.record_uid), entry=self.entry_count, import_user=self)

593

			raise UniqueIdError(

594

				"RecordUID '{}' has already been used in this import.".format(self.record_uid),

595

				entry=self.entry_count,

596

				import_user=self

597

563

		self._unique_ids["recordUID"].add(self.record_uid)

598

		self._unique_ids["recordUID"].add(self.record_uid)

564

599

565

		if check_username:

600

		if check_username:

Lines 567-580	Link Here

567

				raise NoUsername("No username was created.", entry=self.entry_count, import_user=self)

602

				raise NoUsername("No username was created.", entry=self.entry_count, import_user=self)

568

603

569

			if len(self.name) > self.username_max_length:

604

			if len(self.name) > self.username_max_length:

570

				raise UsernameToLong("Username '{}' is longer than allowed.".format(self.name), entry=self.entry_count, import_user=self)

605

				raise UsernameToLong(

606

					"Username '{}' is longer than allowed.".format(self.name),

607

					entry=self.entry_count,

608

					import_user=self

609

571

610

572

			if self.name in self._unique_ids["name"]:

611

			if self.name in self._unique_ids["name"]:

573

				raise UniqueIdError("Username '{}' has already been used in this import.".format(self.name), entry=self.entry_count, import_user=self)

612

				raise UniqueIdError(

613

					"Username '{}' has already been used in this import.".format(self.name),

614

					entry=self.entry_count,

615

					import_user=self

616

574

			self._unique_ids["name"].add(self.name)

617

			self._unique_ids["name"].add(self.name)

575

618

576

			if len(self.password) < self.config["password_length"]:

619

			if len(self.password) < self.config["password_length"]:

577

				raise BadPassword("Password is shorter than {} characters.".format(self.config["password_length"]), entry=self.entry_count, import_user=self)

620

				raise BadPassword(

621

					"Password is shorter than {} characters.".format(self.config["password_length"]),

622

					entry=self.entry_count,

623

					import_user=self

624

578

625

579

		if self.email:

626

		if self.email:

580

			# email_pattern:

627

			# email_pattern:

Lines 584-593	Link Here

584

			# * all characters are allowed (international domains)

631

			# * all characters are allowed (international domains)

585

			email_pattern = r"[^@]+@.+\..+"

632

			email_pattern = r"[^@]+@.+\..+"

586

			if not re.match(email_pattern, self.email):

633

			if not re.match(email_pattern, self.email):

587

				raise InvalidEmail("Email address '{}' has invalid format.".format(self.email), entry=self.entry_count, import_user=self)

634

				raise InvalidEmail(

635

					"Email address '{}' has invalid format.".format(self.email),

636

					entry=self.entry_count,

637

					import_user=self

638

588

639

589

			if self.email in self._unique_ids["email"]:

640

			if self.email in self._unique_ids["email"]:

590

				raise UniqueIdError("Email address '{}' has already been used in this import.".format(self.email), entry=self.entry_count, import_user=self)

641

				raise UniqueIdError(

642

					"Email address '{}' has already been used in this import.".format(self.email),

643

					entry=self.entry_count,

644

					import_user=self

645

591

			self._unique_ids["email"].add(self.email)

646

			self._unique_ids["email"].add(self.email)

592

647

593

		if self.birthday:

648

		if self.birthday:

Lines 594-600	Link Here

594

			try:

649

			try:

595

				datetime.datetime.strptime(self.birthday, "%Y-%m-%d")

650

				datetime.datetime.strptime(self.birthday, "%Y-%m-%d")

596

			except ValueError as exc:

651

			except ValueError as exc:

597

				raise InvalidBirthday("Birthday has invalid format: {}.".format(exc), entry=self.entry_count, import_user=self)

652

				raise InvalidBirthday(

653

					"Birthday has invalid format: {}.".format(exc),

654

					entry=self.entry_count,

655

					import_user=self

656

598

657

599

	@property

658

	@property

600

	def role_sting(self):

659

	def role_sting(self):

Lines 709-715	Link Here

709

		for meth_name, meth_list in pyhook_cache.items():

768

		for meth_name, meth_list in pyhook_cache.items():

710

			self._pyhook_cache[meth_name] = [x[0] for x in sorted(meth_list, key=lambda x: x[1], reverse=True)]

769

			self._pyhook_cache[meth_name] = [x[0] for x in sorted(meth_list, key=lambda x: x[1], reverse=True)]

711

770

712

		self.logger.info("Registered hooks: %r.", dict([(meth_name, ["{}.{}".format(m.im_class.__name__, m.im_func.func_name) for m in meths]) for meth_name, meths in self._pyhook_cache.items()]))

771

		self.logger.info("Registered hooks: %r.", dict(

772

773

				(meth_name, ["{}.{}".format(m.im_class.__name__, m.im_func.func_name) for m in meths])

774

				for meth_name, meths in self._pyhook_cache.items()

775

776

))

713

		return pyhooks

777

		return pyhooks

714

778

715

	def _prevent_mapped_attributes_in_udm_properties(self):

779

	def _prevent_mapped_attributes_in_udm_properties(self):

Lines 723-732	Link Here

723

		forbidden_attributes = set(x.udm_name for x in self._attributes.values() if x.udm_name)

787

		forbidden_attributes = set(x.udm_name for x in self._attributes.values() if x.udm_name)

724

		bad_props = set(self.udm_properties.keys()).intersection(forbidden_attributes)

788

		bad_props = set(self.udm_properties.keys()).intersection(forbidden_attributes)

725

		if bad_props:

789

		if bad_props:

726

			raise NotSupportedError("UDM properties '{}' must be set as attributes of the {} object (not in " "udm_properties).".format("', '".join(bad_props), self.__class__.__name__))

790

			raise NotSupportedError(

791

				"UDM properties '{}' must be set as attributes of the {} object (not in udm_properties).".format(

792

					"', '".join(bad_props), self.__class__.__name__)

793

727

		if "e-mail" in self.udm_properties.keys() and not self.email:

794

		if "e-mail" in self.udm_properties.keys() and not self.email:

728

			# this might be an mistake, so let's warn the user

795

			# this might be an mistake, so let's warn the user

729

			self.logger.warn("UDM property 'e-mail' is used for storing contact information. The users mailbox " "address is stored in the 'email' attribute of the {} object (not in udm_properties).".format(self.__class__.__name__))

796

			self.logger.warn(

797

				"UDM property 'e-mail' is used for storing contact information. The users mailbox address is stored in "

798

				"the 'email' attribute of the {} object (not in udm_properties).".format(self.__class__.__name__)

799

730

800

731

	def update(self, other):

801

	def update(self, other):

732

"""

802

"""

(-)ucs-school-import/tests/test_move_domaincontroller_to_ou (-1 / +5 lines)

Lines 37-42	Link Here

	exit 1

	exit 1

fi

fi

. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"

eval "$(ucr shell)"

./create_ou test1 dctest1

./create_ou test1 dctest1

Lines 51-58	Link Here

udm computers/domaincontroller_slave create --position "cn=computers,$ldap_base" --set name=dctest7-01

udm computers/domaincontroller_slave create --position "cn=computers,$ldap_base" --set name=dctest7-01

./create_ou test7

./create_ou test7

udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=OUtest7-DC-Edukativnetz,cn=ucsschool,cn=groups,$ldap_base"

test7_dc="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc test7)"

udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=$test7_dc,cn=ucsschool,cn=groups,$ldap_base"

echo "TEST: DC is unknown"

echo "TEST: DC is unknown"

./move_domaincontroller_to_ou --dcname UnKnOwN --ou test1

./move_domaincontroller_to_ou --dcname UnKnOwN --ou test1

echo "EXITCODE: $?"

echo "EXITCODE: $?"

(-)ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create (-6 / +9 lines)

#!/bin/bash

#!/bin/bash

# 52marktplatz_create

# 52marktplatz_create

#  Creates a Markplatz share for the specified OUs

#  Creates a Marktplatz share for the specified OUs

# Depends: ucs-school-import

# Depends: ucs-school-import

[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1

[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1

. /usr/share/univention-lib/ucr.sh

. /usr/share/univention-lib/ucr.sh

. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"

eval "$(ucr shell)"

name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"

if ! is_ucr_true "ucsschool/import/generate/share/marktplatz" ; then

if ! is_ucr_true "ucsschool/import/generate/share/marktplatz" ; then

	echo "$(basename $0): creation of share 'Marktplatz' has been disabled by ucsschool/import/generate/share/marktplatz"

	echo "$(basename $0): creation of share '$name' has been disabled by ucsschool/import/generate/share/marktplatz"

	exit 0

	exit 0

fi

fi

sharepath="$ucsschool_import_generate_share_marktplatz_sharepath"

sharepath="$ucsschool_import_generate_share_marktplatz_sharepath"

if [ -z "$sharepath" ] ; then

if [ -z "$sharepath" ] ; then

	if [ -z "$ucsschool_import_roleshare" ] || is_ucr_true "ucsschool/import/roleshare"; then

	if [ -z "$ucsschool_import_roleshare" ] || is_ucr_true "ucsschool/import/roleshare"; then

		sharepath="/home/$ou/groups/Marktplatz"

		sharepath="/home/$ou/groups/$name"

	else

	else

		sharepath="/home/groups/Marktplatz"

		sharepath="/home/groups/$name"

fi

fi

fi

fi

udm shares/share create --ignore_exists \

udm shares/share create --ignore_exists \

	--position "cn=shares,ou=${ou}${district},${ldap_base}" \

	--position "cn=shares,ou=${ou}${district},${ldap_base}" \

	--set name=Marktplatz \

	--set name="${name}" \

	--set "host=${dcname}" \

	--set "host=${dcname}" \

	--set "path=${sharepath}" \

	--set "path=${sharepath}" \

	--set "directorymode=${sharemode}" \

	--set "directorymode=${sharemode}" \

	--set "group=${grpuidnumber}"

	--set "group=${grpuidnumber}"

echo "$(basename $0): added new share Markplatz for server ${dcname}"

echo "$(basename $0): added new share '$name' for server ${dcname}"

exit 0

exit 0




import univention.lib.policy_result
from ucsschool.lib.roles import role_pupil, role_teacher, role_staff
from ucsschool.lib.roleshares import roleshare_home_subdir
from ucsschool.lib.models.utils import stopped_notifier, add_stream_logger_to_schoollib, create_passwd
from ucsschool.lib.models import School, SchoolClass, ClassShare


ldap_errors = (ldap.LDAPError, univention.admin.uexceptions.base,)


pwLengthOu = {}

cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer')
cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
cn_admins = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins')
cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

grp_policy_pupils = configRegistry.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % baseDN)
grp_policy_teachers = configRegistry.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % baseDN)
grp_policy_admins = configRegistry.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % baseDN)

# IP address prefix len conecerning the netmask
default_prefixlen = 24

if not (cn_pupils and cn_teachers and cn_teachers_staff and cn_admins and cn_staff):
	print '''ERROR: Unable to proceed: one of the following UCR variables is not set correctly:
	ucsschool/ldap/default/container/pupils
	ucsschool/ldap/default/container/teachers
	ucsschool/ldap/default/container/teachers-and-staff
	ucsschool/ldap/default/container/staff
	ucsschool/ldap/default/container/admins
'''
	sys.exit(1)


def is_valid_ou_name(name):
	""" check if given OU name is valid """
	return bool(re.match('^[a-zA-Z0-9](([a-zA-Z0-9_]*)([a-zA-Z0-9]$))?$', name))

		else:
			self.allsNrs = [self.sNr]
			self.other_sNr = []
		self.search_base = School.get_search_base(self.allsNrs[0])

		# split into multiple class number if comma is present
		if ',' in self.cNr:


	def getPosition_dn(self):
		# resolution order for the position is pupil, teacher, staff
		cn = cn_pupils
		if role_teacher in self.getRole() and role_staff in self.getRole():
			return self.search_base.teachersAndStaff
		elif role_teacher in self.getRole ():
			return self.search_base.teachers
		elif role_staff in self.getRole():
			return self.search_base.staff
		return self.search_base.students

	def getDN(self):
		return "uid=" + self.login + "," + self.getPosition_dn()

		default_groups = []

		# default group
		default_groups.append("cn=Domain Users %s,%s" % (self.sNr, self.search_base.groups))

		grp_dns = {
			role_teacher: self.search_base.teachers_ou_group,
			role_pupil: self.search_base.students_ou_group,
			role_staff: self.search_base.staff_ou_group}
		for role in self.getRole():
			user_grp_prefix = {role_teacher: grp_prefix_teachers, role_pupil: grp_prefix_pupils, role_staff: grp_prefix_staff}[role]
			if role == role_staff and not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
				continue
			# class if available
			for cnr in self.cNr:
				default_groups.append("cn=%s,%s" % (cnr, self.search_base.classes))

			default_groups.append(grp_dns[role])

		return default_groups


		verify_container(getDN(schoolNr, base='district'), ou_module, co, lo, superordinate, baseDN)

	print "verify ou for school nr %s" % schoolNr
	search_base = School.get_search_base(schoolNr)
	# list of needed sub-containers, the dictionary-key adds the container as default during create in verify_container
	container = {
		'0printerPath': [search_base.printers],
		'1userPath': [search_base.users, search_base.students, search_base.teachers, search_base.admins],
		'2computerPath': [search_base.computers, 'cn=server,{}'.format(search_base.computers), 'cn=dc,cn=server,{}'.format(search_base.computers)],
		'3networkPath': [search_base.networks],
		'4groupPath': [search_base.groups, search_base.workgroups, search_base.teachers_group, search_base.classes, search_base.rooms],
		'5dhcpPath': [search_base.dhcp],
		'6policyPath': [search_base.policies],
		'7sharePath': [search_base.shares, search_base.classShares],
		'8none': ['cn=dc,cn=server,{}'.format(search_base.computers)]
	}
	if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
		container['1userPath'].extend([search_base.staff, search_base.teachersAndStaff])
		container['4groupPath'].append(search_base.staff_group)
	# FIXME: die Policies sollten besser mit der Gruppe verknüpft werden, um
	# z.B. Mitarbeiter und Lehrer im selben Container pflegen zu können
	# container_policies = { 'cn=%s,cn=users' % cn_teachers: ['cn=default-lehrer,cn=UMC,cn=policies,' + baseDN] }

		dccn = ''
	myline = '%s\t%s' % (schoolNr, dccn)
	hooks.pre('ou', 'A', line=myline)
	search_base = School.get_search_base(schoolNr)

	# verify global dc groups
	groups_administrative = [search_base.administrative_dc_group, search_base.administrative_member_group]
	groups_education = [search_base.educational_dc_group, search_base.educational_member_group]
	groups_administrativeOU = [search_base.administrative_ou_dc_group, search_base.administrative_ou_member_group]
	groups_educationOU = [search_base.educational_ou_dc_group, search_base.educational_ou_member_group]
		"cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN,
		"cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN]
	groups_administrativeOU = [
		"cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
		"cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)]
	groups_educationOU = [
		"cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
		"cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)]

	if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
		groups = groups_administrative + groups_education + groups_administrativeOU + groups_educationOU

			# TODO FIXME The following snippet does not make any sense:
			# if the DC is member of DC-Verwaltungsnetz then is added again to that group?!? Looks like this code is unused.
			for grp in dcobject['groups']:
				if grp.startswith(univention.admin.uldap.explodeDn(search_base.administrative_dc_group)[0]):
					zone = "verwaltung"
			groups = []
			if zone == "edukativ":
				groups.append(search_base.educational_dc_group)
				groups.append(search_base.educational_ou_dc_group)
			if zone == "verwaltung":
				groups.append(search_base.administrative_dc_group)
				groups.append(search_base.administrative_ou_dc_group)
			modified = False
			for grp in groups:
				if grp not in dcobject['groups']:

		if displayName is not None:
			r = lo.modify(ou_base, [('displayName', lo.get(ou_base, ['displayName']).get('displayName', []), [displayName])])

	for path in sorted(container.keys()):
	keys.sort()
	for path in keys:
		for dn in container[path]:
			if path[1:] == 'none':
				path = ' '
			verify_container(dn, cn_module, co, lo, superordinate, baseDN, path=path[1:])

	# create groups if not existant
	grp_ouadmins = search_base.admin_group
	groups = [
		(grp_ouadmins, grp_policy_admins),
		(search_base.students_ou_group, grp_policy_pupils),
		(search_base.teachers_ou_group, grp_policy_teachers),
	]

	if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
		groups.append((search_base.staff_ou_group, grp_policy_staff))
	if configRegistry.is_true('ucsschool/import/attach/policy/default-umc-users', True):
		domain_users_school = "cn=Domain Users %s,cn=groups,%s" % (schoolNr.lower(), getDN(schoolNr))
		groups.append((domain_users_school, "cn=default-umc-users,cn=UMC,cn=policies,%s" % (baseDN,)))

			else:
				dccn = 'dc%s-01' % schoolNr.lower()

		dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]

		if dc == 'verwaltung':
			if not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):

					dccn = configRegistry.get('hostname')
				else:
					dccn = 'dc%sv-01' % schoolNr.lower()  # this is the naming convention, a trailing v for Verwaltungsnetz DCs
			dcgroups = [search_base.administrative_ou_dc_group, search_base.administrative_dc_group]
				"cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
				"cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (baseDN, )
			]

		# create server if not exsistant
		objects = univention.admin.modules.lookup(

		if not server_exists and not dcName:
			try:
				if dc == 'verwaltung':
					grpdn = search_base.administrative_ou_dc_group
				else:
					grpdn = search_base.educational_ou_dc_group
				hostlist = lo.get(grpdn, ['uniqueMember']).get('uniqueMember', [])
			except ldap.NO_SUCH_OBJECT:
				hostlist = []

	if (schoolNr, classNr.lower()) in verified_group_shares:
		return True

	position_dn = ClassShare(school=schoolNr, name=classNr).dn
	module = univention.admin.modules.get("shares/share")
	position_basedn = univention.admin.uldap.position(baseDN)
	univention.admin.modules.init(lo, position_basedn, module)

		print "need to create groupshare %s" % position_dn

		# get gid form corresponding group
		school_class = SchoolClass(school=schoolNr, name=classNr)
		class_share = ClassShare.from_school_class(school_class)
		group_dn = school_class.dn
		gids = lo.get(group_dn, ['gidNumber'])
		gid = 0
		if len(gids) > 1:  # TODO FIXME This doesn't look correct to me - gids is a dict and not a list!

		object.open()
		object["name"] = "%s" % classNr
		object["host"] = serverfqdn
		object["path"] = class_share.get_share_path()
			object["path"] = "/home/" + os.path.join(schoolNr, "groups/klassen/%s" % (classNr,))
		else:
			object["path"] = "/home/groups/klassen/%s" % (classNr,)
		object["writeable"] = "1"
		object["sambaWriteable"] = "1"
		object["sambaBrowseable"] = "1"

	object["username"] = person.login
	object["primaryGroup"] = default_groups[0]
	subdir = roleshare_home_subdir(person.sNr, person.getRole(), configRegistry)
	object["unixhome"] = os.path.join("/home", subdir, person.login)
	object["firstname"] = person.name
	object["lastname"] = person.sname
	object["e-mail"] = person.mail

			# FIXME / TODO
			# Test should be following:
			# if ( ( ( parts[0].startswith( 'cn=%s' % grp_prefix_pupils) or parts[0].startswith( 'cn=%s' % grp_prefix_pupils) ) and parts[1] == 'cn=groups' and parts[2].startswith('ou=') ) or
			# 	 ( parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils and parts[3] == 'cn=groups' and parts[4].startswith('ou=') ) ):

			search_base = School.get_search_base(None)
			cn_pupils = ldap.explode_dn(search_base.students, True)[0]
			cn_classes = ldap.explode_dn(search_base.classes, True)[0]
			grp_prefix_pupils = search_base.group_prefix_students
			grp_prefix_teachers = search_base.group_prefix_teachers

			if (
				parts[0].startswith('cn=%s' % grp_prefix_pupils) or
				parts[0].startswith('cn=%s' % grp_prefix_teachers) or
				(parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils)
			):
				# group looks like a default group, so we don't need it anymore
				print "remove from group: %s" % group

	if len(groups) > 1:
		object["groups"] = groups[1:]
	subdir = roleshare_home_subdir(person.sNr, person.getRole(), configRegistry)
	object["unixhome"] = os.path.join("/home", subdir, person.login)
	if object.has_key('mailbox'):
		object["mailbox"] = "/var/spool/%s/" % person.login
	object["password"] = password

					main_person.isTeacher = '0'
					main_person.isStaff = '0'

					search_base = School.get_search_base(ou)
					if object.dn.endswith(',%s' % search_base.teachersAndStaff):
						main_person.isTeacher = '1'
						main_person.isStaff = '1'
					elif object.dn.endswith(',%s' % search_base.teachers):
						main_person.isTeacher = '1'
					elif object.dn.endswith(',%s' % search_base.staff):
						main_person.isStaff = '1'

					if ou in main_person.allsNrs:

				zone = parsed[6]

			verify_school_ou(schoolNr, co, lo, baseDN)
			search_base = School.get_search_base(schoolNr)

			try:
				ip = ipaddr.IPv4Network(IP)

			groups = {}
			if ctype == "memberserver":
				if zone == "edukativ":
					groups[search_base.educational_ou_member_group] = 1
					groups[search_base.educational_member_group] = 1
				if zone == "verwaltung":
					groups[search_base.administrative_ou_member_group] = 1
					groups[search_base.administrative_member_group] = 1

			# invoke pre hooks
			hooks.pre('computer', 'A', line=line)

			ClassID = parsed[2]
			Descrpt = parsed[3]

			group_dn = SchoolClass(school=schoolNr, name=ClassID).dn
			share_dn = ClassShare(school=schoolNr, name=ClassID).dn

			verify_school_ou(schoolNr, co, lo, baseDN)



	slave = slaves[0]
	ouDn = oulist[0].dn
	search_base = School.get_search_base(options.ou)

	group_filter = univention.admin.filter.conjunction('&', [
		univention.admin.filter.conjunction('|', [
			univention.admin.uldap.explodeDn(search_base.educational_ou_dc_group)[0],
			univention.admin.uldap.explodeDn(search_base.administrative_ou_dc_group)[0],
		]),
		univention.admin.filter.expression('uniqueMember', slave.dn),
	])

		print 'ERROR: specified OU %r does not exist' % ou_name
		sys.exit(1)

	search_base = School.get_search_base(ou_name)
	# get list of desired group memberships
	group_dn_list = {
		TYPE_DC_ADMINISTRATIVE: [search_base.administrative_ou_dc_group, search_base.administrative_dc_group],
		TYPE_DC_EDUCATIONAL: [search_base.educational_dc_group, search_base.educational_ou_dc_group]
			'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (baseDN,),
		],
		TYPE_DC_EDUCATIONAL: [
			'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (baseDN,),
			'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou_name.lower(), baseDN),
		],
	}[dc_type]
	for grpdn in group_dn_list:
		verify_group(grpdn, co, lo, superordinate, baseDN)




# <http://www.gnu.org/licenses/>.

. /usr/share/univention-lib/all.sh
. /usr/share/ucs-school-lib/base.sh

display_help() {
	cat <<-EOL

while read service; do
	case "$service" in
		"UCS@school Education")
			target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)"
			target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc)"
			target_server_ucsschool_service="$service"
			;;
		"UCS@school Administration")
			target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)"
			target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc)"
			target_server_ucsschool_service="$service"
			;;
	esac


	echo -n "Check group memberschip : "
	test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \
		/usr/sbin/udm groups/group list --filter name="$target_server_all_dcs" | sed -n "/^ *hosts: $target_ldap_hostdn$/p")
	if [ -z "$test_output" ]; then
		echo -e "\033[60Gfailed"
		echo "$hostname is not member of the group $target_server_all_dcs, this needs to be fixed first manually."
		exit 1
	fi
	test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \
		/usr/sbin/udm groups/group list --filter name="$(replace_ou "$target_server_ou_dcs" "$my_school_ou")" | sed -n "/^ *hosts: $target_ldap_hostdn$/p")
	if [ -z "$test_output" ]; then
		echo -e "\033[60Gfailed"
		echo "$hostname is not member of the group $(replace_ou "$target_server_ou_dcs" "$my_school_ou"), this needs to be fixed first manually."
		exit 1
	else
		echo -e "\033[60Gdone"




import univention.admin.handlers.groups.group
import univention.admin.handlers.users.user
import univention.admin.objects
from ucsschool.lib.models import School, SchoolClass, Staff, Student, Teacher


class Problem(Exception):



def parse_line(lo, line):
	school = School(name=line['school'])
	oubase = school.dn
	uid = line['name']
	try:
		dn = lo.search(filter_format('uid=%s', (uid,)), oubase, unique=True)[0][0]

			raise StudentDoesNotExists(line, uid)
		else:
			raise StudentIsInAnotherSchool(line, uid, dn)
	if not dn.endswith(Student.get_container(school.name)):
		if not dn.endswith(Teacher.get_container(school.name)) or not dn.endswith(Staff.get_container(school.name)):
			print('Ignoring teacher/staff %r' % (uid,))
			return
		msg('ERROR: %s (%s %s) is not a student/teacher/staff.' % (uid, line['firstname'], line['lastname']))

	correct = False
	invalid_groups = set()
	for gdn, group in groups:  # pylint: disable=W0612
		if not gdn.endswith(SchoolClass.get_container(school.name)):
			if not gdn.endswith(oubase) and re.search(',ou=[^,]+,%s$' % (ucr['ldap/base'],), gdn, re.I):
				raise StudentIsInAnotherClassInAnotherSchool(line, uid, dn, gdn)
			continue  # ignore workgroups / Domain Users




@!@
# -*- coding: utf-8 -*-
import re


def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}

	while 1:
		i = variable_token.finditer(template)
		try:
			start = i.next()
			end = i.next()
			name = template[start.end():end.start()]

			template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():]
		except StopIteration:
			break

	return template


aclset += """
# start 61ucsschool_presettings

# revert rule from UCS; Bug #41402
access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
	by dn.regex=".*cn=computers,ou=([^,]+),(ou=[^,]+,)?@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by set="user/objectClass & ([ucsschoolStudent] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolAdministrator])" none break
	by * +0 break

# Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren
access to filter="(objectClass=sambaDomain)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# grant write access to domaincontroller slave/member server for certain univention app center settings
access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave controllers and memberservers require write access to virtual machine manager objects
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * +0 break


# Slave-Controller und Member-Server benoetigen idmap-Container
access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave-Controller und Member-Server benoetigen ID-Mapping
access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave-Controller und Member-Server benoetigen nicht alle Container
access to dn.subtree="cn=backup,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.subtree="cn=printers,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.subtree="cn=networks,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.regex="^(.*,)?cn=(cups|ppolicy|packages|services|templates|admin-settings|default containers|saml-serviceprovider),cn=univention,@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# end 61ucsschool_presettings
"""

print replace_ucr_variables(aclset)
@!@




def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'DISTRICT':       'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '',
		'PUPILS':         configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'),
		'TEACHERS':       configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'),
		'STAFF':          configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'),
		'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'),
		'ADMINS':         configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'),
		'GRPADMINS':      configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'),
		'EXAM':           configRegistry.get('ucsschool/ldap/default/container/exam', 'examusers'),
		'CLASS':          configRegistry.get('ucsschool/ldap/default/container/class', 'klassen'),
		'ROOMS':          configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'),
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}


	while 1:
		i = variable_token.finditer(template)
		try:

aclset += """
# DC Slaves need write access to the members of the group Domain Computers
access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects
access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave DCs can read and write policy containers for MS WMI filter objects
access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern

	by * +0 break

# Lehrer, Mitarbeiter und OU-Admins duerfen Raum-Gruppen anlegen und bearbeiten
access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by set.expand="[$1] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
@$@# old rule@$@	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
@$@# old rule@$@	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * +0 break

	by * +0 break

access to dn.subtree="cn=temporary,cn=univention,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# OU-Admins duerfen MAC-Adressen im Rechner- und DHCP-Objekt aendern


# domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers
access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to filter="(|(objectClass=ucsschoolStudent)(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users
access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to filter="(&(objectClass=ucsschoolStaff)(!(objectClass=ucsschoolTeacher))(!(objectClass=ucsschoolAdministrator)))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# FIXME: this rule allows to read all passwords underneath of all OU's instead of only the password belonging to the OU; explain why or fix it

# TODO: are the following attributes missing here?: 'sambaBadPasswordCount', 'krb5PasswordEnd', 'shadowMax', 'sambaAcctFlags', 'sambaPasswordHistory'
# Memberserver duerfen Passwoerter aller Objekte unterhalb einer Schule lesen
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,sambaPwdCanChange,sambaPwdMustChange
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by * +0 break

# Alle DC-Slaves muessen alle Benutzercontainer und Gruppen jeder Schule lesen koennen
access to dn.regex="^ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="objectClass=ucsschoolOrganizationalUnit"
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

access to dn.regex="^cn=(users|groups|@$@EXAM@$@),ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

access to dn.regex="^([^,]+),cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

access to dn.regex="^cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

# DC-Slaves muessen die Benutzer ihrer Schule lesen und schreiben duerfen
access to dn.regex="^uid=([^,]+),cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write
	by * +0 break
access to dn.regex="^uid=([^,]+),cn=@$@EXAM@$@,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write
	by * +0 break

# Schul-Slave-Server duerfen nur Eintraege ihrer OU lesen und schreiben (Passwortaenderungen etc.)

# Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by set.expand="[ldap:///ou=$2,@%@ldap/base@%@?ou?base?%28%21%28objectClass%3DucsschoolOrganizationalUnit%29%29]/ou" +0 break
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write
	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd continue
	by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +rscxd continue
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop
	by set.expand="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +0 stop
	by dn.regex="^.*,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd break
	by dn.regex="^.*,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +0 stop

	by * +0 break

# Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!)
access to dn.regex="^cn=@$@CLASS@$@,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Schulserver duerfen die Passwoerter aller globalen Objekte replizieren
access to dn.regex="^(.+,)?cn=(users|kerberos|computers),@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by * +0 break
"""


(-)ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst (-1 / +7 lines)

Lines 32-37	Link Here

VERSION=7

VERSION=7

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/univention-lib/ldap.sh

. /usr/share/univention-lib/ldap.sh

. /usr/share/ucs-school-lib/base.sh

joinscript_init

joinscript_init

eval "$(univention-config-registry shell)"

eval "$(univention-config-registry shell)"

Lines 43-49	Link Here

	--set name="ucsschool"

	--set name="ucsschool"

# create global groups required for LDAP ACLs for UCS@school

# create global groups required for LDAP ACLs for UCS@school

for grp in "DC-Verwaltungsnetz" "Member-Verwaltungsnetz" "DC-Edukativnetz" "Member-Edukativnetz" ; do

for grp in \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)" \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-member)" \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)" \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-member)"; do

	univention-directory-manager groups/group create "$@" \

	univention-directory-manager groups/group create "$@" \

		--ignore_exist \

		--ignore_exist \

		--position="cn=ucsschool,cn=groups,$ldap_base" \

		--position="cn=ucsschool,cn=groups,$ldap_base" \

(-)ucs-school-ldap-acls-master/debian/control (-1 / +1 lines)

Lines 9-15	Link Here

Package: ucs-school-ldap-acls-master

Package: ucs-school-ldap-acls-master

Architecture: all

Architecture: all

Depends: univention-ldap-server, univention-ldap-config

Depends: univention-ldap-server, univention-ldap-config, shell-ucs-school

Conflicts: univention-server-slave, univention-server-member, univention-mobile-client, univention-managed-client, univention-basesystem

Conflicts: univention-server-slave, univention-server-member, univention-mobile-client, univention-managed-client, univention-basesystem

Description: Special LDAP ACLs for UCS@school

Description: Special LDAP ACLs for UCS@school

 This package provides additional LDAP ACLs for slapd

 This package provides additional LDAP ACLs for slapd




	def get_container(cls, school=None):
		return ucr.get('ldap/base')

	@classmethod
	def cn_name(cls, name, default):
		ucr_var = 'ucsschool/ldap/default/container/%s' % name
		return ucr.get(ucr_var, default)

	def create_default_containers(self, lo):
		search_base = self.get_search_base(self.name)
		cn_pupils = ldap.explode_dn(search_base.students, True)[0]
		cn_teachers = ldap.explode_dn(search_base.teachers, True)[0]
		cn_admins = ldap.explode_dn(search_base.admins, True)[0]
		cn_classes = ldap.explode_dn(search_base.classes, True)[0]
		cn_rooms = ldap.explode_dn(search_base.rooms, True)[0]
		user_containers = [cn_pupils, cn_teachers, cn_admins]
		group_containers = [cn_pupils, [cn_classes], cn_teachers, cn_rooms]
		if self.shall_create_administrative_objects():
			cn_staff = ldap.explode_dn(search_base.staff, True)[0]
			cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0]
			user_containers.extend([cn_staff, cn_teachers_staff])
			group_containers.append(cn_staff)
		containers_with_path = {

			for cn in containers:
				last_dn = _add_container(cn, last_dn, self.dn, path, lo)

	def group_name(self, prefix_var, default_prefix):
		ucr_var = 'ucsschool/ldap/default/groupprefix/%s' % prefix_var
		name_part = ucr.get(ucr_var, default_prefix)
		school_part = self.name.lower()
		return '%s%s' % (name_part, school_part)

	def get_umc_policy_dn(self, name):
		# at least the default ones should exist due to the join script
		return ucr.get('ucsschool/ldap/default/policy/umc/%s' % name, 'cn=ucsschool-umc-%s-default,cn=UMC,cn=policies,%s' % (name, ucr.get('ldap/base')))

			group.create(lo)

		# cn=ouadmins
		search_base = self.get_search_base(self.name)
		group = BasicGroup.cache("{}{}".format(search_base.group_prefix_admins, self.name.lower()), container=search_base.globalGroupContainer)
		group.create(lo)
		group.add_umc_policy(self.get_umc_policy_dn('admins'), lo)
		try:

			udm_obj.modify()

		# cn=schueler
		group = Group.cache("{}{}".format(search_base.group_prefix_students, self.name.lower()), self.name)
		group.create(lo)
		group.add_umc_policy(self.get_umc_policy_dn('pupils'), lo)

		# cn=lehrer
		group = Group.cache("{}{}".format(search_base.group_prefix_teachers, self.name.lower()), self.name)
		group.create(lo)
		group.add_umc_policy(self.get_umc_policy_dn('teachers'), lo)

		# cn=mitarbeiter
		if self.shall_create_administrative_objects():
			group = Group.cache("{}{}".format(search_base.group_prefix_staff, self.name.lower()), self.name)
			group.create(lo)
			group.add_umc_policy(self.get_umc_policy_dn('staff'), lo)


			return flatten([self.get_administrative_group_name(group_type, True, ou_specific, as_dn), self.get_administrative_group_name(group_type, False, ou_specific, as_dn)])
		if ou_specific == 'both':
			return flatten([self.get_administrative_group_name(group_type, domain_controller, False, as_dn), self.get_administrative_group_name(group_type, domain_controller, True, as_dn)])
		search_base = self.get_search_base(self.name)
		base_dn = ucr.get('ldap/base')
		if group_type == 'administrative':
			if domain_controller:
				if ou_specific:
					dn = search_base.administrative_ou_dc_group
				else:
					dn = search_base.administrative_dc_group
			else:
				if ou_specific:
					dn = search_base.administrative_ou_member_group
				else:
					dn = search_base.administrative_member_group
		else:
			if domain_controller:
				if ou_specific:
					dn = search_base.educational_ou_dc_group
				else:
					dn = search_base.educational_dc_group
			else:
				if ou_specific:
					dn = search_base.educational_ou_member_group
				else:
					dn = search_base.educational_member_group
		if as_dn:
			return dn
		else:
			return ldap.explode_dn(dn, True)[0]

	def get_administrative_server_names(self, lo):
		dn = self.get_administrative_group_name('administrative', ou_specific=True, as_dn=True)

(-)ucs-school-lib/python/models/share.py (-2 / +2 lines)

138

139

	def get_share_path(self):

139

	def get_share_path(self):

140

		if ucr.is_true('ucsschool/import/roleshare', True):

140

		if ucr.is_true('ucsschool/import/roleshare', True):

141

			return '/home/%s/groups/klassen/%s' % (self.school_group.school, self.name)

141

			return '/home/%s/groups/%s/%s' % (self.school_group.school, self.get_search_base(self.school).share_name_class, self.name)

142

		else:

142

		else:

143

			return '/home/groups/klassen/%s' % self.name

143

			return '/home/groups/%s/%s' % (self.get_search_base(self.school).share_name_class, self.name)




		return [self.get_group_dn('Domain Users %s' % school, school) for school in self.schools]

	def get_students_groups(self):
		prefix = self.get_search_base(self.school).group_prefix_students
		return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]

	def get_teachers_groups(self):
		prefix = self.get_search_base(self.school).group_prefix_teachers
		return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]

	def get_staff_groups(self):
		prefix = self.get_search_base(self.school).group_prefix_staff
		return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]

	def groups_used(self, lo):


	@classmethod
	def from_student_dn(cls, lo, school, dn):
		examUserPrefix = cls.get_search_base(school).user_prefix_exam
		dn = 'uid=%s%s,%s' % (escape_dn_chars(examUserPrefix), explode_dn(dn, True)[0], cls.get_container(school))
		return cls.from_dn(dn, school, lo)

(-)ucs-school-lib/python/roleshares.py (-2 / +2 lines)

Lines 36-42	Link Here

import univention.config_registry

import univention.config_registry

from ucsschool.lib.roles import role_pupil, role_teacher, role_staff

from ucsschool.lib.roles import role_pupil, role_teacher, role_staff

from ucsschool.lib.i18n import ucs_school_name_i18n

from ucsschool.lib.i18n import ucs_school_name_i18n

from ucsschool.lib.models import Group, School

from ucsschool.lib.models import Group, School, Share

from ucsschool.lib.schoolldap import LDAP_Connection, USER_READ, USER_WRITE, MACHINE_READ

from ucsschool.lib.schoolldap import LDAP_Connection, USER_READ, USER_WRITE, MACHINE_READ

import univention.admin.uexceptions

import univention.admin.uexceptions

import univention.admin.uldap as udm_uldap

import univention.admin.uldap as udm_uldap

Lines 151-157	Link Here

151

		ucr.load()

151

		ucr.load()

152

153

	school_ou = school.name

153

	school_ou = school.name

154

	share_container_dn = school.get_search_base(school.name).shares

154

	share_container_dn = Share.get_container(school.name)

155

156

	teacher_groupname = '-'.join((ucs_school_name_i18n(role_teacher), school_ou))

156

	teacher_groupname = '-'.join((ucs_school_name_i18n(role_teacher), school_ou))

157

	teacher_group = Group(name=teacher_groupname, school=school_ou).get_udm_object(ldap_user_read)

157

	teacher_group = Group(name=teacher_groupname, school=school_ou).get_udm_object(ldap_user_read)




# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

import inspect
import re
from functools import wraps
from ldap.filter import escape_filter_chars, filter_format

import univention.admin.config
import univention.admin.modules
import univention.admin.modules as udm_modules
import univention.config_registry
import univention.uldap
import univention.admin.config
import univention.admin.modules
from univention.admin.filter import conjunction, parse
from univention.admin.uexceptions import noObject

import univention.admin.modules as udm_modules
from univention.management.console.protocol.message import Message

from univention.lib.i18n import Translation

from functools import wraps
import re
import inspect
from ldap.filter import escape_filter_chars, filter_format

from univention.management.console.config import ucr
from univention.management.console.ldap import get_machine_connection, get_admin_connection, get_user_connection#, reset_cache as reset_connection_cache
from univention.management.console.log import MODULE
from univention.management.console.ldap import get_machine_connection, get_admin_connection, get_user_connection  # , reset_cache as reset_connection_cache
from univention.management.console.modules import Base, UMC_Error
from univention.management.console.modules.decorators import sanitize
from univention.management.console.modules.sanitizers import StringSanitizer
from univention.management.console.protocol.message import Message

# load UDM modules
udm_modules.update()

		self._school = school or availableSchools[0]
		self._schoolDN = dn or School.cache(self.school).dn

		#
		# When adding/updating UCRV defaults, also add/update them in shell/base.sh.
		#

		#
		# When changing any of ucsschool/ldap/default/groupname/all-{administrativ, educational}-{dc, member}
		# copy the changes to ucs-school-ldap-acls-master/{61ucsschool_presettings, 65ucsschool}.
		#

		# containers
		self._containerAdmins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')
		self._containerStudents = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')
		self._containerStaff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

		self._containerClass = ucr.get('ucsschool/ldap/default/container/class', 'klassen')
		self._containerRooms = ucr.get('ucsschool/ldap/default/container/rooms', 'raeume')
		self._examUserContainerName = ucr.get('ucsschool/ldap/default/container/exam', 'examusers')
		# group names
		self._examGroupName = ucr.get('ucsschool/ldap/default/groupname/exam',
			'OU%(ou)s-Klassenarbeit') % {'ou': self._school.lower()}
		self._all_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-dc',
			'DC-Verwaltungsnetz')
		self._all_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-member',
			'Member-Verwaltungsnetz')
		self._all_educational_dc = ucr.get('ucsschool/ldap/default/groupname/all-educational-dc',
			'DC-Edukativnetz')
		self._all_educational_member = ucr.get('ucsschool/ldap/default/groupname/all-educational-member',
			'Member-Edukativnetz')
		self._ou_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-dc',
			'OU%(ou)s-DC-Verwaltungsnetz') % {'ou': self._school.lower()}
		self._ou_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-member',
			'OU%(ou)s-Member-Verwaltungsnetz') % {'ou': self._school.lower()}
		self._ou_educational_dc = ucr.get('ucsschool/ldap/default/groupname/ou-educational-dc',
			'OU%(ou)s-DC-Edukativnetz') % {'ou': self._school.lower()}
		self._ou_educational_member = ucr.get('ucsschool/ldap/default/groupname/ou-educational-member',
			'OU%(ou)s-Member-Edukativnetz') % {'ou': self._school.lower()}
		# group prefixes
		self.group_prefix_students = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
		self.group_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
		self.group_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
		self.group_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')
		# user prefix
		self.user_prefix_exam = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')
		# share/directory names
		self.share_name_class = ucr.get('ucsschool/ldap/default/share/class', 'klassen')
		self.share_name_pupils = ucr.get('ucsschool/ldap/default/share/pupils', 'schueler')
		self.share_name_teachers = ucr.get('ucsschool/ldap/default/share/teachers', 'lehrer')
		self.share_name_exams = ucr.get('ucsschool/ldap/default/share/exams', 'Klassenarbeiten')
		self.share_name_marktplatz = ucr.get('ucsschool/import/generate/share/marktplatz/name', 'Marktplatz')

	@classmethod
	def getOU(cls, dn):


	@property
	def students(self):
		"""cn=schueler,cn=users,<ou dn>"""
		return "cn=%s,cn=users,%s" % (self._containerStudents, self.schoolDN)

	@property
	def students_group(self):
		"""cn=schueler,cn=groups,<ou dn>"""
		return "cn=%s,cn=groups,%s" % (self._containerStudents, self.schoolDN)

	@property
	def students_ou_group(self):
		"""cn=schueler-%(ou)s,cn=groups,<ou dn> (ou already replaced)"""
		return "cn=%s%s,cn=groups,%s" % (self.group_prefix_students, self.school, self.schoolDN)

	@property
	def teachers(self):
		"""cn=lehrer,cn=users,<ou dn>"""
		return "cn=%s,cn=users,%s" % (self._containerTeachers, self.schoolDN)

	@property
	def teachers_group(self):
		"""cn=lehrer,cn=groups,<ou dn>"""
		return "cn=%s,cn=groups,%s" % (self._containerTeachers, self.schoolDN)

	@property
	def teachers_ou_group(self):
		"""cn=lehrer-%(ou)s,cn=groups,<ou dn> (ou already replaced)"""
		return "cn=%s%s,cn=groups,%s" % (self.group_prefix_teachers, self.school, self.schoolDN)

	@property
	def teachersAndStaff(self):
		"""cn=lehrer und mitarbeiter,cn=users,<ou dn>"""
		return "cn=%s,cn=users,%s" % (self._containerTeachersAndStaff, self.schoolDN)

	@property
	def staff(self):
		"""cn=mitarbeiter,cn=users,<ou dn>"""
		return "cn=%s,cn=users,%s" % (self._containerStaff, self.schoolDN)

	@property
	def staff_group(self):
		"""cn=mitarbeiter,cn=groups,<ou dn>"""
		return "cn=%s,cn=groups,%s" % (self._containerStaff, self.schoolDN)

	@property
	def staff_ou_group(self):
		"""cn=mitarbeiter-%(ou)s,cn=groups,<ou dn> (ou already replaced)"""
		return "cn=%s%s,cn=groups,%s" % (self.group_prefix_staff, self.school, self.schoolDN)

	@property
	def admins(self):
		"""cn=admins,cn=users,<ou dn>"""
		return "cn=%s,cn=users,%s" % (self._containerAdmins, self.schoolDN)

	@property
	def admin_group(self):
		"""cn=admins-%(ou)s,cn=ouadmins,cn=groups,<ou dn> (ou already replaced)"""
		return "cn=%s%s,cn=ouadmins,cn=groups,%s" % (self.group_prefix_admins, self.school, self.schoolDN)

	@property
	def classShares(self):
		return "cn=%s,cn=shares,%s" % (self._containerClass, self.schoolDN)



	@property
	def educationalDCGroup(self):
		"""deprecated, please use educational_ou_dc_group"""
		return self.educational_ou_dc_group

	@property
	def educationalMemberGroup(self):
		"""deprecated, please use educational_ou_member_group"""
		return self.educational_ou_member_group

	@property
	def administrativeDCGroup(self):
		"""deprecated, please use administrative_ou_dc_group"""
		return self.administrative_ou_dc_group

	@property
	def administrativeMemberGroup(self):
		"""deprecated, please use administrative_ou_member_group"""
		return self.administrative_ou_member_group

	@property
	def administrative_dc_group(self):
		"""cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base>"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_dc, self._ldapBase)

	@property
	def administrative_member_group(self):
		"""cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base>"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_member, self._ldapBase)

	@property
	def educational_dc_group(self):
		"""cn=DC-Edukativnetz,cn=ucsschool,cn=groups,<ldap base>"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_dc, self._ldapBase)

	@property
	def educational_member_group(self):
		"""cn=Member-Edukativnetz,cn=ucsschool,cn=groups,<ldap base>"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_member, self._ldapBase)

	@property
	def educational_ou_dc_group(self):
		"""cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_dc, self._ldapBase)

	@property
	def educational_ou_member_group(self):
		"""cn=OU%(ou)s-Member-Edukativnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_member, self._ldapBase)

	@property
	def administrative_ou_dc_group(self):
		"""cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_dc, self._ldapBase)

	@property
	def administrative_ou_member_group(self):
		"""cn=OU%(ou)s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_member, self._ldapBase)

	@property
	def examGroupName(self):
		"""OU%(ou)s-Klassenarbeit (only name, not a DN, ou already replaced)"""
		return self._examGroupName
		return self._examGroupNameTemplate % ucr_value_keywords

	@property
	def examGroup(self):
		"""cn=OU%(ou)s-Klassenarbeit,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""
		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self.examGroupName, self._ldapBase)

	def isWorkgroup(self, groupDN):




	#
	# $ servers_school_ous -h $(ucr get ldap/master) -p $(ucr get ldap/master/port)
	# ou=bar,dc=example,dc=com
	local ldap_hostdn ldap_base ldap_server ldap_port IFS res
	. /usr/share/univention-lib/ucr.sh

	ldap_base="$(/usr/sbin/univention-config-registry get ldap/base)"

	res=""
	for oudn in $(univention-ldapsearch $ldap_server $ldap_port -xLLL -b "$ldap_base" 'objectClass=ucsschoolOrganizationalUnit' dn | ldapsearch-wrapper | sed -nre 's/^dn: //p') ; do
		ouname="$(school_ou "$oudn")"
		search_str="(|(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc ${ouname}))(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc OU${ouname})))"
		if ! is_ucr_true ucsschool/singlemaster; then
			search_str="(&${search_str}(uniqueMember=${ldap_hostdn}))"
			search_str="(&(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))(uniqueMember=${ldap_hostdn}))"
		fi
		if univention-ldapsearch $ldap_server $ldap_port -xLLL "$search_str" dn | grep -q "^dn: "; then
			res="$res

	done
	echo -n "${res}" | egrep -v "^\s*$"
}

replace_ou() {
	# syntax: replace_ou <template> <ou>
	#
	# Replace '%(ou)s' in <template> with <ou>
	#
	# example:
	# $ replace_ou "OU%(ou)s-DC-Edukativnetz" "myschool"
	# "OUmyschool-DC-Edukativnetz
	if [ "$#" != 2 ]; then
		echo "syntax: replace_ou <template> <ou>"
		return 1
	fi
	echo -n "$1" | sed "s/%(ou)s/$2/"
}

ucr_names_default() {
	# syntax: ucr_names_default <ucr> [ou]
	#
	# Get UCR value or default, optionally replace '%(ou)s'.
	#
	# example:
	# $ ucr_names_default "ucsschool/ldap/default/container/pupils"
	# "schueler
	# $ ucr_names_default "ucsschool/ldap/default/groupname/ou-administrativ-dc" "myschool"
	# "OUmyschool-DC-Verwaltungsnetz"
	local res

	if [ "$#" -lt 1 -o "$#" -gt 2 ]; then
		echo "syntax: ucr_names_default <ucr> [ou]"
		return 1
	fi
	if [ $(echo -n "$1" | cut -f 1-3 -d '/') != 'ucsschool/ldap/default' ]; then
		echo "<ucr> must be a UCR variable from ucsschool/ldap/default/*/*"
		return 1
	fi

	#
	# When adding/updating UCRV defaults, also add/update them in python/schoolldap.py.
	#

	res="$(ucr get $1)"
	if [ -z "$res" ]; then
		case "$1" in
			# containers
			'ucsschool/ldap/default/container/admins') res='admins';;
			'ucsschool/ldap/default/container/pupils') res='schueler';;
			'ucsschool/ldap/default/container/staff') res='mitarbeiter';;
			'ucsschool/ldap/default/container/teachers-and-staff') res='lehrer und mitarbeiter';;
			'ucsschool/ldap/default/container/teachers') res='lehrer';;
			'ucsschool/ldap/default/container/class') res='klassen';;
			'ucsschool/ldap/default/container/rooms') res='raeume';;
			'ucsschool/ldap/default/container/exam') res='examusers';;
			# group names
			'ucsschool/ldap/default/groupname/exam') res='OU%(ou)%s-Klassenarbeit';;
			'ucsschool/ldap/default/groupname/all-administrativ-dc') res='DC-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/all-administrativ-member') res='Member-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/all-educational-dc') res='DC-Edukativnetz';;
			'ucsschool/ldap/default/groupname/all-educational-member') res='Member-Edukativnetz';;
			'ucsschool/ldap/default/groupname/ou-administrativ-dc') res='OU%(ou)s-DC-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/ou-administrativ-member') res='OU%(ou)s-Member-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/ou-educational-dc') res='OU%(ou)s-DC-Edukativnetz';;
			'ucsschool/ldap/default/groupname/ou-educational-member') res='OU%(ou)s-Member-Edukativnetz';;
			# group prefixes
			'ucsschool/ldap/default/groupprefix/pupils') res='schueler-';;
			'ucsschool/ldap/default/groupprefix/teachers') res='lehrer-';;
			'ucsschool/ldap/default/groupprefix/admins') res='admins-';;
			'ucsschool/ldap/default/groupprefix/staff') res='mitarbeiter-';;
			# user prefix
			'ucsschool/ldap/default/userprefix/exam') res='exam-';;
			# share/directory names
			'ucsschool/ldap/default/share/class') res='klassen';;
			'ucsschool/ldap/default/share/pupils') res='schueler';;
			'ucsschool/ldap/default/share/teachers') res='lehrer';;
			'ucsschool/ldap/default/share/exams') res='Klassenarbeiten';;
			'ucsschool/import/generate/share/marktplatz/name') res='Marktplatz';;
		esac
	fi
	if [ -z "$res" ]; then
		echo "Error: Unknown UCR $1."
		return 1
	fi

	if [ -z "$2" ]; then
		echo -n "$res"
	else
		replace_ou "$res" "$2"
	fi
}

(-)ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst (-3 / +6 lines)

Lines 32-40	Link Here

VERSION="1"

VERSION="1"

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/ucs-school-lib/base.sh

joinscript_init

joinscript_init

eval "$(univention-config-registry shell)"

eval "$(univention-config-registry shell)"

share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"

# samba 4 netlogon share

# samba 4 netlogon share

myrealm=$(echo $kerberos_realm |  awk '{print tolower($0)}')

myrealm=$(echo $kerberos_realm |  awk '{print tolower($0)}')

Lines 43-51	Link Here

fi

fi

univention-config-registry set \

univention-config-registry set \

    ucsschool/userlogon/commonshares?"Marktplatz" \

    ucsschool/userlogon/commonshares?"$share_name" \

    ucsschool/userlogon/commonshares/server/Marktplatz?"$hostname" \

    "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \

    ucsschool/userlogon/commonshares/letter/Marktplatz?"M" \

    "ucsschool/userlogon/commonshares/letter/$share_name?M" \

    ucsschool/userlogon/classshareletter?"K" \

    ucsschool/userlogon/classshareletter?"K" \

    ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs'

    ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs'

(-)ucs-school-netlogon-user-logonscripts/debian/control (+1 lines)

Lines 13-18	Link Here

 univention-directory-listener,

 univention-directory-listener,

 ucs-school-netlogon,

 ucs-school-netlogon,

 shell-univention-lib,

 shell-univention-lib,

 shell-ucs-school,

 univention-config

 univention-config

Description: ucs@school userspecific netlogon scripts

Description: ucs@school userspecific netlogon scripts

 This package provides a listener-module that creates

 This package provides a listener-module that creates




#DEBHELPER#

. /usr/share/univention-lib/all.sh
. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"
share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"

univention-config-registry set \
	samba/homedirletter?I \
    ucsschool/userlogon/commonshares?"$share_name" \
    "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \
    "ucsschool/userlogon/commonshares/letter/$share_name?M" \
    ucsschool/userlogon/classshareletter?"K" \
    ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs' \
	ucsschool/userlogon/myshares/enabled?no

(-)ucs-school-umc-computerroom/umc/python/computerroom/__init__.py (-1 / +1 lines)

Lines 727-733	Link Here

727

			vset[vunset[-1]] = shareMode

727

			vset[vunset[-1]] = shareMode

728

			vextract.append('samba/othershares/hosts/deny')

728

			vextract.append('samba/othershares/hosts/deny')

729

			vappend[vextract[-1]] = hosts

729

			vappend[vextract[-1]] = hosts

730

			vextract.append('samba/share/Marktplatz/hosts/deny')

730

			vextract.append('samba/share/{}/hosts/deny'.format(School.get_search_base(self._italc.school).share_name_marktplatz))

731

			vappend[vextract[-1]] = hosts

731

			vappend[vextract[-1]] = hosts

732

		else:

732

		else:

733

			vunset_now.append('samba/sharemode/room/%s' % self._italc.room)

733

			vunset_now.append('samba/sharemode/room/%s' % self._italc.room)

(-)ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py (-1 / +1 lines)

Lines 126-132	Link Here

126

			firstname = firstname[:5] + '.'

126

			firstname = firstname[:5] + '.'

127

128

		username = firstname + lastname[:5]

128

		username = firstname + lastname[:5]

129

		maxlength = 20 - len(ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-'))

129

		maxlength = 20 - len(self.get_search_base(self.school).user_prefix_exam)

130

		return replace_invalid_chars(username[:maxlength])

130

		return replace_invalid_chars(username[:maxlength])

131

132

	@classmethod

132

	@classmethod

(-)ucs-school-umc-distribution/debian/ucs-school-umc-distribution.univention-config-registry-variables (+11 lines)

Line 0	Link Here

[ucsschool/datadistribution/datadir/recipient]

Description[de]=Standardname für das Projektverzeichnis in das Unterrichtsmaterial verteilt wird. Standard ist "Unterrichtsmaterial".

Description[en]=Default name for the project directory into which teaching material will be distributed. Default is "Unterrichtsmaterial".

Type=str

Categories=ucsschool-base

[ucsschool/datadistribution/datadir/sender]

Description[de]=Standardname für das Projektverzeichnis aus dem Unterrichtsmaterial eingesammelt wird. Standard ist "Unterrichtsmaterial".

Description[en]=Default name for the project directory from which teaching material will be collected. Default is "Unterrichtsmaterial".

Type=str

Categories=ucsschool-base

(-)ucs-school-umc-distribution/umc/python/distribution/util.py (-1 / +1 lines)

Lines 281-287	Link Here

281

	@property

281

	@property

282

	def isDistributed(self):

282

	def isDistributed(self):

283

		'''True if files have already been distributed.'''

283

		'''True if files have already been distributed.'''

284

		# distributed files can still be found in the internal property 'files',

284

		# distributed files can still be found in the internal property 'files',Unterrichtsmaterial

285

		# however, upon distribution they are removed from the cache directory;

285

		# however, upon distribution they are removed from the cache directory;

286

		# thus, if one of the specified files does not exist, the project has

286

		# thus, if one of the specified files does not exist, the project has

287

		# already been distributed

287

		# already been distributed

(-)ucs-school-umc-exam/debian/control (+1 lines)

Lines 31-36	Link Here

 python-ucs-school,

 python-ucs-school,

 ucs-school-import,

 ucs-school-import,

 shell-univention-lib,

 shell-univention-lib,

 shell-ucs-school,

 univention-ldap-config (>= 9.0.27-3),

 univention-ldap-config (>= 9.0.27-3),

Description: UMC module delivering backend services for ucs-school-umc-exam

Description: UMC module delivering backend services for ucs-school-umc-exam

 UMC module delivering backend services for ucs-school-umc-exam

 UMC module delivering backend services for ucs-school-umc-exam




[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1

. /usr/share/univention-lib/ucr.sh
. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"


	district=",ou=${ou:0:2}"
fi

examusers="$(ucr_names_default ucsschool/ldap/default/container/exam)"
if [ -z "$examusers" ] ; then
	examusers='examusers'
fi

udm container/cn create --ignore_exists \
	--position "ou=${ou}${district},${ldap_base}" \
	--set name="${examusers}" \

ou_specific_examgroupname="$(ucr_names_default ucsschool/ldap/default/groupname/exam)"
if [ -z "$examgroupname" ] ; then
	examgroupname='OU%(ou)s-Klassenarbeit'
fi
ou_specific_examgroupname=$(python -c "print '$examgroupname' % {'ou': '$ou'}")

udm groups/group create --ignore_exists \
	--position "cn=ucsschool,cn=groups,${ldap_base}" \




import univention.config_registry
import univention.uldap
import univention.admin.uldap
from ucsschool.lib.models import ExamStudent
from univention.lib.umc_connection import UMCConnection
from univention.admin.uexceptions import noObject
from ldap.filter import escape_filter_chars

		self.hostname = self.ucr.get('hostname')
		self.umcp = self.get_UMCP_connection()
		self.lo = self.get_LDAP_connection()
		self.exam_prefix = self.ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')
		self.DIR_ROOMS = '/var/cache/ucs-school-umc-computerroom'
		self.DIR_EXAMS = self.ucr.get('ucsschool/exam/cache', '/var/lib/ucs-school-umc-schoolexam')


			ou_list = self.lo.search(filter='(objectClass=ucsschoolOrganizationalUnit)')
			for ou_dn, ou_attrs in ou_list:
				ou_name = ou_attrs['ou'][0]
				exam_prefix = ExamStudent.get_search_base(ou_name).user_prefix_exam
				try:
					userlist = mod_user.lookup({}, lo, 'uid=%s*' % (escape_filter_chars(exam_prefix),), base=ExamStudent.get_container(ou_name))
				except noObject:
					# no exam users container in this OU
					continue




import traceback
import re
from ldap.filter import filter_format
from ldap import explode_dn

from univention.management.console.config import ucr
from univention.management.console.log import MODULE

	def __init__(self):
		SchoolBaseModule.__init__(self)

		self._examUserPrefix = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')

		# cache objects
		self._udm_modules = dict()
		self._examGroup = None

	def examUserContainerDN(self, ldap_admin_write, ldap_position, school):
		'''lookup examUserContainerDN, create it if missing'''
		if not self._examUserContainerDN:
			examUsers = ExamStudent.get_container(school)
			examUserContainerName = explode_dn(ExamStudent.get_search_base(school).examUsers, True)[0]
			examUserContainerName = search_base._examUserContainerName
			try:
				ldap_admin_write.searchDn('(objectClass=organizationalRole)', examUsers, scope='base')
			except univention.admin.uexceptions.noObject:

		user_orig = user.get_udm_object(ldap_admin_write)

		# uid and DN of exam_user
		exam_user_prefix = ExamStudent.get_search_base(school).user_prefix_exam
		exam_user_uid = "".join((exam_user_prefix, user_orig['username']))
		exam_user_dn = "uid=%s,%s" % (exam_user_uid, self.examUserContainerDN(ldap_admin_write, ldap_position, user.school))

		try:

(-)ucs-school-umc-installer/umc/python/schoolinstaller/__init__.py (-2 / +2 lines)

Lines 572-580	Link Here

572

				for islave in slaves:

572

				for islave in slaves:

573

					islave.open()

573

					islave.open()

574

					# compare group DNs case insensitive

574

					# compare group DNs case insensitive

575

					if search_base.educationalDCGroup.lower() in [x.lower() for x in islave['groups']]:

575

					if search_base.educational_ou_dc_group.lower() in [x.lower() for x in islave['groups']]:

576

						values['educational_slaves'].append(islave['name'])

576

						values['educational_slaves'].append(islave['name'])

577

					if search_base.administrativeDCGroup.lower() in [x.lower() for x in islave['groups']]:

577

					if search_base.administrative_ou_dc_group.lower() in [x.lower() for x in islave['groups']]:

578

						values['administrative_slaves'].append(islave['name'])

578

						values['administrative_slaves'].append(islave['name'])

579

		except univention.uldap.ldap.LDAPError as err:

579

		except univention.uldap.ldap.LDAPError as err:

580

			MODULE.warn('LDAP connection to %s failed: %s' % (master, err))

580

			MODULE.warn('LDAP connection to %s failed: %s' % (master, err))




import univention.testing.udm
import univention.testing.utils as utils
from univention.testing.ucsschool import UMCConnection
from ucsschool.lib.models import SchoolClass


def _dir(userName):

# get the current printed jobs
def queryPrintJobs(connection, printerName, cName, school, pattern, basedn):
	if cName != 'None':
		cdn = SchoolClass(school=school, name=cName).dn
			cName,
			school,
			basedn)
	else:
		cdn = cName
	param = {'school': school, 'class': cdn, 'pattern': pattern}

				klasse1_dn = udm.create_object(
					'groups/group',
					name='%s-1A' % school,
					position=SchoolClass.get_container(oudn)
				)
				klasse2_dn = udm.create_object(
					'groups/group',
					name='%s-2B' % school,
					position=SchoolClass.get_container(school)
				)
				tea, teadn = schoolenv.create_user(school, is_teacher=True)
				stu1, stu1_dn = schoolenv.create_user(school)

(-)ucs-test-ucsschool/90_ucsschool/101_exam_mode (-1 / +2 lines)

Lines 13-18	Link Here

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

import univention.testing.udm

import univention.testing.udm

from ucsschool.lib.models import SchoolClass

def main():

def main():

Lines 28-34	Link Here

				else:

				else:

					edudc = ucr.get('hostname')

					edudc = ucr.get('hostname')

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn)

				klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position=SchoolClass.get_container(school))

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				stu, studn = schoolenv.create_user(school)

				stu, studn = schoolenv.create_user(school)

(-)ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members (-5 / +10 lines)

Lines 15-20	Link Here

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

import univention.testing.udm

import univention.testing.udm

import univention.testing.utils as utils

import univention.testing.utils as utils

from ucsschool.lib.models import ExamStudent, SchoolClass

def main():

def main():

Lines 27-33	Link Here

				else:

				else:

					edudc = ucr.get('hostname')

					edudc = ucr.get('hostname')

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn)

				klasse_dn = udm.create_object(

					'groups/group',

					name='%s-AA1' % school,

					position=SchoolClass.get_container(school)

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				stu, studn = schoolenv.create_user(school)

				stu, studn = schoolenv.create_user(school)

				udm.modify_object('groups/group', dn=klasse_dn, append={"users": [teadn]})

				udm.modify_object('groups/group', dn=klasse_dn, append={"users": [teadn]})

Lines 57-73	Link Here

				try:

				try:

					expected_memberUid = ["%s$" % pc2.name, "exam-%s" % stu]

					expected_memberUid = ["%s$" % pc2.name, "exam-%s" % stu]

					expected_uniqueMember = ["%s" % pc2.dn, "uid=exam-%s,cn=examusers,%s" % (stu, oudn)]

					expected_uniqueMember = [pc2.dn, ExamStudent(school=school, name=stu).dn]

					# Get the current attributes values

					# Get the current attributes values

					lo = getMachineConnection()

					lo = getMachineConnection()

					exam_group_dn = "cn=OU%s-Klassenarbeit,cn=ucsschool,cn=groups,%s" % (school, ucr.get('ldap/base'))

					exam_group_dn = ExamStudent.get_search_base(school).examGroup

					memberUid = lo.search(base=exam_group_dn)[0][1].get('memberUid')

					memberUid = lo.search(base=exam_group_dn)[0][1].get('memberUid')

					uniqueMember = lo.search(base=exam_group_dn)[0][1].get('uniqueMember')

					uniqueMember = lo.search(base=exam_group_dn)[0][1].get('uniqueMember')

					if (set(memberUid) != set(expected_memberUid)):

					if set(memberUid) != set(expected_memberUid):

						utils.fail("Current memberUid = %r\nExpected = %r" % (memberUid, expected_memberUid))

						utils.fail("Current memberUid = %r\nExpected = %r" % (memberUid, expected_memberUid))

					if (set(uniqueMember) != set(expected_uniqueMember)):

					if set(uniqueMember) != set(expected_uniqueMember):

						utils.fail("Current uniqueMember = %r\nExpected= %r" % (uniqueMember, expected_uniqueMember))

						utils.fail("Current uniqueMember = %r\nExpected= %r" % (uniqueMember, expected_uniqueMember))

				finally:

				finally:

(-)ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings (-1 / +2 lines)

Lines 17-22	Link Here

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

import univention.testing.udm

import univention.testing.udm

from ucsschool.lib.models import SchoolClass

def main():

def main():

Lines 33-39	Link Here

					edudc = ucr.get('hostname')

					edudc = ucr.get('hostname')

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn)

				klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position=SchoolClass.get_container(school))

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				stu, studn = schoolenv.create_user(school)

				stu, studn = schoolenv.create_user(school)




import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.utils as utils
from ucsschool.lib.models import ClassShare, SchoolClass


BACKUP_PATH = '/home/backup/groups'





def share_dn(class_name, school):
	return ClassShare(school=school, name=class_name).dn
		return 'cn=%s,cn=klassen,cn=shares,ou=%s,%s' % (class_name, school, ucr.get('ldap/base'))


def class_dn(class_name, school):
	return SchoolClass(school=school, name=class_name).dn
		return 'cn=%s,cn=klassen,cn=schueler,cn=groups,ou=%s,%s' % (class_name, school, ucr.get('ldap/base'))


def share_path(class_name, school):
	sc = SchoolClass(school=school, name=class_name)
	path = ClassShare(school=school, name=class_name, school_group=sc).get_share_path()
	if os.path.exists(path):
		return path


(-)ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users (-1 / +2 lines)

Lines 10-15	Link Here

import ldap

import ldap

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

from ucsschool.lib.models import Group

def main():

def main():

Lines 38-44	Link Here

					utils.fail('Attribute %s was not found in ldap object %r' % (

					utils.fail('Attribute %s was not found in ldap object %r' % (

						'univentionPolicyReference', base))

						'univentionPolicyReference', base))

				except ldap.NO_SUCH_OBJECT as e:

				except ldap.NO_SUCH_OBJECT as e:

					if "cn=groups,%s" % (schoolenv.get_ou_base_dn(school),) in str(e):

					if Group.get_container(school) in str(e):

						print ('* Cought an expected exception: %r' % e)

						print ('* Cought an expected exception: %r' % e)

					else:

					else:

						utils.fail('Unexpected Exception: %r' % e)

						utils.fail('Unexpected Exception: %r' % e)

(-)ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares (-1 / +1 lines)

Lines 19-25	Link Here

			for share in Share.get_all(lo, school.name):

			for share in Share.get_all(lo, school.name):

				share_udm = share.get_udm_object(lo)

				share_udm = share.get_udm_object(lo)

				if "nfs" in share_udm.options:

				if "nfs" in share_udm.options:

					if share.name in ["Marktplatz", "iTALC-Installation"]:

					if share.name in [Share.get_search_base(school).share_name_marktplatz, "iTALC-Installation"]:

						print("*** Ignoring //{}/{} (Bug #42514)".format(school.name, share.name))

						print("*** Ignoring //{}/{} (Bug #42514)".format(school.name, share.name))

					else:

					else:

						nfs_shares.append((school.name, share.name))

						nfs_shares.append((school.name, share.name))

(-)ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record (-2 / +2 lines)

Lines 135-141	Link Here

135

					position="cn=dc,cn=server,cn=computers,%s" % (school.dn,),

135

					position="cn=dc,cn=server,cn=computers,%s" % (school.dn,),

136

					domain=ucr.get('domainname'),

136

					domain=ucr.get('domainname'),

137

					service=("S4 SlavePDC", _local_ucsschool_service),

137

					service=("S4 SlavePDC", _local_ucsschool_service),

138

					groups=("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr)

138

					groups=(school.get_search_base(school.name).educational_dc_group)

139

140

141

				positive_test_fqdn = ".".join((positive_test_hostname, ucr.get('domainname')))

141

				positive_test_fqdn = ".".join((positive_test_hostname, ucr.get('domainname')))

Lines 148-154	Link Here

148

					position="cn=dc,cn=server,cn=computers,%s" % (school.dn,),

148

					position="cn=dc,cn=server,cn=computers,%s" % (school.dn,),

149

					domain=ucr.get('domainname'),

149

					domain=ucr.get('domainname'),

150

					service=("S4 SlavePDC", _not_local_ucsschool_service),

150

					service=("S4 SlavePDC", _not_local_ucsschool_service),

151

					groups=("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr)

151

					groups=(school.get_search_base(school.name).educational_dc_group)

152

153

154

				negative_test_fqdn = ".".join((negative_test_hostname, ucr.get('domainname')))

154

				negative_test_fqdn = ".".join((negative_test_hostname, ucr.get('domainname')))




import univention.testing.ucsschool as utu
import univention.testing.udm as udm_test
import univention.testing.utils as utils
from ucsschool.lib.models import School


def listUnion(firstList, secondList):

				utils.wait_for_replication_and_postrun()

				basedn = ucr.get('ldap/base')
				search_base = School.get_search_base(school)
				position = search_base.admins
				groups = [search_base.admin_group]
				dn, schooladmin = udm.create_user(position=position, groups=groups)
				groups = ["cn=Domain Admins,cn=groups,%s" % (basedn,)]
				dn, domainadmin = udm.create_user(position=position, groups=groups)





import copy
import pprint
from ldap.dn import escape_dn_chars
import univention.testing.strings as uts
import univention.testing.utils as utils
from univention.testing.ucs_samba import wait_for_drs_replication
from essential.importusers_cli_v2 import CLI_Import_v2_Tester, PyHooks
from essential.importusers import Person


					fn_config = self.create_config_json(config=config)
					self.save_ldap_status()
					self.run_import(['-c', fn_config, '-i', fn_csv])
					wait_for_drs_replication('cn={}'.format(escape_dn_chars(person.username)))
					person.set_mode_to_delete()
					self.check_new_and_removed_users(0, 1)
					person.verify()




import univention.testing.utils as utils
from essential.importusers_cli_v2 import CLI_Import_v2_Tester
from essential.importusers import Person
from ucsschool.lib.models import SchoolClass, WorkGroup


class Test(CLI_Import_v2_Tester):

		self.log.debug('*** Creating groups...')
		global_group_dn, global_group_name = self.udm.create_group()
		workgroup_A_dn, workgroup_A_name = self.udm.create_group(
			position=WorkGroup.get_container(self.ou_A.name),
			name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
		class_A_dn, class_A_name = self.udm.create_group(
			position=SchoolClass.get_container(self.ou_A.name),
			name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
		cn_A_dn = self.udm.create_object('container/cn', position=self.ou_A.dn, name='kurs-%s' % uts.random_string())
		extra_A_group1_dn, extra_A_group1_name = self.udm.create_group(position=cn_A_dn)

			name="{}-{}".format(self.ou_A.name, uts.random_groupname()))

		workgroup_B_dn, workgroup_B_name = self.udm.create_group(
			position=WorkGroup.get_container(self.ou_B.name),
			name="{}-{}".format(self.ou_B.name, uts.random_groupname()))
		class_B_dn, class_B_name = self.udm.create_group(
			position=SchoolClass.get_container(self.ou_B.name),
			name="{}-{}".format(self.ou_B.name, uts.random_groupname()))
		cn_B_dn = self.udm.create_object('container/cn', position=self.ou_B.dn, name='kurs-%s' % uts.random_string())
		extra_B_group1_dn, extra_B_group1_name = self.udm.create_group(position=cn_B_dn)




import univention.testing.utils as utils
from essential.importusers_cli_v2 import CLI_Import_v2_Tester
from essential.importusers import Person
from ucsschool.lib.models import SchoolClass


class Test(CLI_Import_v2_Tester):


		def create_user_w_two_classes(record_uid, source_uid, same_ou=True):
			cls1_dn, cls1_name = self.udm.create_group(
				position=SchoolClass.get_container(self.ou_A.name),
				name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
			if same_ou:
				dn = self.ou_A.dn

				name = self.ou_B.name
				school = sorted([self.ou_A.name, self.ou_B.name])[0]
			cls2_dn, cls2_name = self.udm.create_group(
				position=SchoolClass.get_container(name),
				name="{}-{}".format(name, uts.random_groupname()))
			person = Person(school, role)
			person.update(record_uid=record_uid, source_uid=source_uid, username=uts.random_username())

(-)ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference (-1 / +2 lines)

Lines 11-16	Link Here

from essential.computerroom import Room, Computers, add_printer, remove_printer, clean_folder, run_commands

from essential.computerroom import Room, Computers, add_printer, remove_printer, clean_folder, run_commands

from essential.internetrule import InternetRule

from essential.internetrule import InternetRule

from essential.workgroup import Workgroup

from essential.workgroup import Workgroup

from ucsschool.lib.models import Share

from univention.testing.ucsschool import UMCConnection

from univention.testing.ucsschool import UMCConnection

from univention.testing.network import NetworkRedirector

from univention.testing.network import NetworkRedirector

import datetime

import datetime

Lines 113-119	Link Here

113

								room1.check_behavior(room1_old_settings, room1_new_settings, tea, computers_ips[1], printer_name, white_page, global_domains, ucr)

114

								room1.check_behavior(room1_old_settings, room1_new_settings, tea, computers_ips[1], printer_name, white_page, global_domains, ucr)

114

								# For DEBUG purposes

115

								# For DEBUG purposes

115

								# run_commands([['ucr', 'search', room1.name], ['ucr','search', room2.name], ['atq']], {})

116

								# run_commands([['ucr', 'search', room1.name], ['ucr','search', room2.name], ['atq']], {})

116

								clean_folder('/home/gsmitte/groups/Marktplatz/')

117

								clean_folder('/home/gsmitte/groups/{}/'.format(Share.get_search_base(school).share_name_marktplatz))

117

								clean_folder('/home/%s/lehrer/%s/' % (school, tea))

118

								clean_folder('/home/%s/lehrer/%s/' % (school, tea))

118

							# TODO Exception Errno4

119

							# TODO Exception Errno4

119

							except httplib.HTTPException as e:

120

							except httplib.HTTPException as e:

(-)ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create (-26 / +22 lines)

Lines 9-14	Link Here

import subprocess

import subprocess

import simplejson as json

import simplejson as json

from ucsschool.lib.models import Group

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

import univention.testing.strings as uts

import univention.testing.strings as uts

Lines 47-52	Link Here

	return stdout, stderr, pipe.returncode

	return stdout, stderr, pipe.returncode

def grp_dns(ou_name, edu=True):

	search_base = Group.get_search_base(ou_name)

	if edu:

		return [search_base.educational_ou_dc_group, search_base.educational_dc_group]

	else:

		return [search_base.administrative_ou_dc_group, search_base.administrative_dc_group]

def main():

def main():

	remove_ous = []

	remove_ous = []

	testschool = UCSTestSchool()

	testschool = UCSTestSchool()

Lines 65-72	Link Here

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=False)

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=False)

		else:

		else:

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

			for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

			for grp_dn in grp_dns(ou_name):

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

		msg = 'new random OU, new random DC'

		msg = 'new random OU, new random DC'

Lines 79-86	Link Here

			utils.fail('Cannot create %s' % msg)

			utils.fail('Cannot create %s' % msg)

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

		for grp_dn in grp_dns(ou_name):

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

		msg = 'new random OU, existing DC in other OU'

		msg = 'new random OU, existing DC in other OU'

Lines 92-99	Link Here

			utils.fail('Cannot create %s' % msg)

			utils.fail('Cannot create %s' % msg)

		# reusing first DC

100

		# reusing first DC

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

101

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

102

		for grp_dn in grp_dns(ou_name):

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

103

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

104

		msg = 'new random OU with existing DC in cn=computers,BASEDN'

105

		msg = 'new random OU with existing DC in cn=computers,BASEDN'

Lines 114-121	Link Here

114

				utils.fail('Cannot create %s' % msg)

120

				utils.fail('Cannot create %s' % msg)

115

121

116

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

122

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

117

			for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

123

			for grp_dn in grp_dns(ou_name):

118

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

119

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

124

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

120

125

121

		msg = 'new random OU, new random DC and then try to add a second new random DC'

126

		msg = 'new random OU, new random DC and then try to add a second new random DC'

Lines 128-135	Link Here

128

			utils.fail('Cannot create %s' % msg)

133

			utils.fail('Cannot create %s' % msg)

129

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

134

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

130

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

135

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

131

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

136

		for grp_dn in grp_dns(ou_name):

132

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

133

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

137

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

134

138

135

		dc_name = uts.random_string()

139

		dc_name = uts.random_string()

Lines 138-145	Link Here

138

			utils.fail('Cannot create %s' % msg)

142

			utils.fail('Cannot create %s' % msg)

139

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

143

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

140

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

144

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

141

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

145

		for grp_dn in grp_dns(ou_name):

142

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

143

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

146

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

144

147

145

		msg = 'new random OU, new random administrative DC'

148

		msg = 'new random OU, new random administrative DC'

Lines 154-164	Link Here

154

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

157

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

155

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

158

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

156

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

159

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

157

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

160

		for grp_dn in grp_dns(ou_name):

158

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

159

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

161

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

160

		for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

162

		for grp_dn in grp_dns(ou_name, False):

161

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

162

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

163

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

163

164

		msg = 'new random OU, new random educational DC and then try to add a second new random administrative DC'

165

		msg = 'new random OU, new random educational DC and then try to add a second new random administrative DC'

Lines 171-178	Link Here

171

			utils.fail('Cannot create %s' % msg)

172

			utils.fail('Cannot create %s' % msg)

172

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

173

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

173

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

174

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

174

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

175

		for grp_dn in grp_dns(ou_name):

175

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

176

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

176

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

177

178

		dc_name_administrative = uts.random_string()

178

		dc_name_administrative = uts.random_string()

Lines 181-191	Link Here

181

			utils.fail('Cannot create %s' % msg)

181

			utils.fail('Cannot create %s' % msg)

182

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

182

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

183

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

183

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

184

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

184

		for grp_dn in grp_dns(ou_name):

185

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

186

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

185

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

187

		for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

186

		for grp_dn in grp_dns(ou_name, False):

188

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

189

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

187

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

190

188

191

		msg = 'new random OU with existing administrative DC in cn=computers,BASEDN'

189

		msg = 'new random OU with existing administrative DC in cn=computers,BASEDN'

Lines 208-218	Link Here

208

206

209

			dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

207

			dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

210

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

208

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

211

			for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

209

			for grp_dn in grp_dns(ou_name):

212

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

213

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

210

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

214

			for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

211

			for grp_dn in grp_dns(ou_name, False):

215

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

216

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

212

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

217

213

218

	finally:

214

	finally:




#!/usr/share/ucs-test/runner python
## -*- coding: utf-8 -*-
## desc: check marktplatz creation
## roles: [domaincontroller_master]
## tags: [apptest,ucsschool]
## exposure: dangerous
## packages: [ucs-school-umc-computerroom]
## bugs: [40785, 41231]

import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.strings as uts
from univention.testing import utils
from univention.config_registry import handler_set, handler_unset



def main():
	with utu.UCSTestSchool() as schoolenv, ucr_test.UCSTestConfigRegistry() as ucr:
		for should_exist, variable, name in [(False, None, ''), (True, 'yes', 'Marktplatz'), (True, 'yes', uts.random_name()), (False, 'no', '')]:
			if variable is None:
				handler_unset(['ucsschool/import/generate/share/marktplatz'])
			else:
				print '### Setting ucsschool/import/generate/share/marktplatz=%s.' % variable
				handler_set(['ucsschool/import/generate/share/marktplatz=%s' % (variable,)])

			print '### Creating school. Expecting Marktplatz to exists = %r' % (should_exist,)
			if should_exist:
				if name:
					print '### Setting share name to %r.' % name
					handler_set(['ucsschool/import/generate/share/marktplatz/name={}'.format(name)])
				else:
					print '### Not setting share name, should be "Marktplatz".'
					handler_unset(['ucsschool/import/generate/share/marktplatz/name'])

			school, oudn = schoolenv.create_ou(name_edudc=ucr.get('hostname'))
			utils.wait_for_replication()
			utils.verify_ldap_object(
				'cn={},cn=shares,{}'.format(name or 'Marktplatz', oudn),
				strict=True,
				should_exist=should_exist)

if __name__ == '__main__':
	main()




from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import ClassShare, Share


def main():

			acl.assert_teacher_group('write')
			acl.assert_student_group('write')

			shares_dn = Share.get_container(school)
			acl.assert_shares(shares_dn, 'write')
			shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
			acl.assert_shares(shares_dn, 'write')
			shares_dn = ClassShare.get_container(school)
			acl.assert_shares(shares_dn, 'read')

			acl.assert_temps('write')

(-)ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff (-1 / +2 lines)

Lines 10-15	Link Here

from essential.acl import Acl

from essential.acl import Acl

from essential.computerroom import Computers

from essential.computerroom import Computers

from essential.schoolroom import ComputerRoom

from essential.schoolroom import ComputerRoom

from ucsschool.lib.models import Share

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

Lines 50-56	Link Here

			share_dn = open_ldap_co.searchDn(filter=filter_format('(&(objectClass=univentionShare)(cn=%s))', (class_name,)))[0]

			share_dn = open_ldap_co.searchDn(filter=filter_format('(&(objectClass=univentionShare)(cn=%s))', (class_name,)))[0]

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')

			share_dn = 'cn=Marktplatz,cn=shares,%s' % (oudn,)

			share_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')




from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import ClassShare, Share


def main():

			acl.assert_teacher_group('write')
			acl.assert_student_group('write')

			shares_dn = Share.get_container(school)
			acl.assert_shares(shares_dn, 'write')
			shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
			acl.assert_shares(shares_dn, 'write')
			shares_dn = ClassShare.get_container(school)
			acl.assert_shares(shares_dn, 'read')

			acl.assert_temps('write')




from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import ClassShare, Share


def main():


			acl.assert_teacher_group('write')

			shares_dn = Share.get_container(school)
			acl.assert_shares(shares_dn, 'write')
			shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
			acl.assert_shares(shares_dn, 'write')
			shares_dn = ClassShare.get_container(school)
			acl.assert_shares(shares_dn, 'read')

			acl.assert_temps('write')




from univention.uldap import getMachineConnection
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import Group, Policy


class FailAcl(Exception):

			room = ComputerRoom(school, host_members=computers_dns)
			room.add()

			room_container_dn = ComputerRoom.get_container(school)
			shares_dn = 'cn=shares,%s' % school_dn

			# unused?
			#
			# shares_dn = search_base.shares
			#
			# teacher_group2_dn = search_base.teachers_ou_group
			# student_group2_dn = search_base.students_ou_group
			#
			# teacher_group_dn = search_base.teachers_group
			# student_group_dn = search_base.students_group

			teacher_group_dn = 'cn=lehrer,cn=groups,%s' % school_dn
			student_group_dn = 'cn=schueler,cn=groups,%s' % school_dn

			gid_temp_dn = 'cn=gid,cn=temporary,cn=univention,%s' % base_dn
			gidNumber_temp_dn = 'cn=gidNumber,cn=temporary,cn=univention,%s' % base_dn
			sid_temp_dn = 'cn=sid,cn=temporary,cn=univention,%s' % base_dn

			mac_temp_dn = 'cn=mac,cn=temporary,cn=univention,%s' % base_dn

			global_univention_dn = 'cn=univention,%s' % base_dn
			global_policies_dn = Policy.get_container(school)
			global_dns_dn = 'cn=dns,%s' % base_dn
			global_groups_dn = Group.get_container(school)

			dhcp_dn = 'cn=%s,cn=%s,cn=dhcp,%s' % (computers_hostnames[0], school, base_dn)





@!@
# -*- coding: utf-8 -*-
import re


def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}

	while 1:
		i = variable_token.finditer(template)
		try:
			start = i.next()
			end = i.next()
			name = template[start.end():end.start()]

			template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():]
		except StopIteration:
			break

	return template


aclset += """
# -*- coding: utf-8 -*-

# Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren
access to filter="(objectClass=sambaDomain)"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by * none break

# Slave-Controller und Memberserver duerfen ausschliesslich den univention-Container replizieren
access to dn="cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller may replicate license container
access to dn.subtree="cn=license,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller duerfen custom attributes-Container und dessen Inhalt replizieren
access to dn.subtree="cn=custom attributes,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller benoetigen den Console-Container fuer die Berechtigungen an der Lehrerconsole
access to dn.subtree="cn=console,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# Slave-Controller benoetigen den UMC-Container fuer die Berechtigungen an der Lehrerconsole
access to dn.subtree="cn=UMC,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# grant write access to domaincontroller slave/member server for certain univention app center settings
access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)"
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by * none break

access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by * none break

access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by * none break

# grant read access to domaincontroller slave/member server for all other univention app center settings
access to dn.subtree="cn=apps,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=udm_module,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=udm_hook,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=udm_syntax,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=ldapacl,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=ldapschema,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# Slave-Controller und Member-Server benoetigen idmap-Container
access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by * none break 

# Slave-Controller und Member-Server benoetigen ID-Mapping
access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by * none break

# Slave-Controller und Memberserver duerfen samba-Container und dessen Inhalt replizieren
access to dn.subtree="cn=samba,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller needs the builtin groups
access to dn.subtree="cn=Builtin,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# sonst duerfen sie nichts aus cn=univention,BASEDN replizieren
access to dn.subtree="cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by * none break




def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'DISTRICT':       'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '',
		'PUPILS':         configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'),
		'TEACHERS':       configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'),
		'STAFF':          configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'),
		'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'),
		'ADMINS':         configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'),
		'GRPADMINS':      configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'),
		'ROOMS':          configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'),
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}


	while 1:
		i = variable_token.finditer(template)
		try:

	return template


if configRegistry.is_true('ucsschool/ldap/district/enable','no'):
if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ):
   aclset += """
# DCs und Memberserver erhalten Lesezugriff auf das OU-Objekt selbst (im DISTRICT-Mode notwendig)
access to dn.regex="^ou=([^,]+),@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

"""


# Slave controllers and memberservers require write access to virtual machine manager objects
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * read break

access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * read break

access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * read break


# Slave controller and memberservers may replicate the Virtual Machine Manager container
access to dn.subtree="cn=Virtual Machine Manager,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * read break

# Slave controller and memberservers may replicate the mail container
access to dn.subtree="cn=mail,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * read break

access to dn.regex="^@%@ldap/base@%@$$"


# DC Slaves need write access to the members of the group Domain Computers
access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by * none break

# Slave-Controller und Memberserver duerfen globale Container computers, shares, dns, dhcp, kerberos und policies sowie Benutzer lesen
access to dn.regex="(^(.+,)?cn=(groups|dns|dhcp|policies|computers|kerberos|shares),|^(uid=[^,]+,|)cn=users,|^)@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

# Slave DCs can read MS system container
access to dn.base="cn=system,@%@ldap/base@%@"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
    by * none break

# Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects
access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by * none break

# Slave DCs can read and write policy containers for MS WMI filter objects
access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by * none break

# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern

	by * none break

# Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten
access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * none break

access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * none break



# domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers
access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * none break

# domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users
access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * none break

# domaincontroller slaves and memberservers may replicate the OU "domain controllers"
access to dn.subtree="ou=domain controllers,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * read break

# Memberserver duerfen bestimmte Attribute lesen
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

# Slave-Controller duerfen Eintraege Ihrer ou lesen und schreiben (Passwortaenderungen etc.)
# Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
    by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" read
    by dn.regex="^uid=(.+,)?cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" none break
    by dn.regex="^uid=(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" none


# Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!)
access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * none break

access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * none break

# Slave-Controller duerfen nagios-Container und Inhalt replizieren
access to dn.subtree="cn=nagios,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

# Schüler, Lehrer, Mitarbeiter, Admins duerfen globale Container univention, policies, groups und dns lesen 


# Slave-Controller und normale Lehrer duerfen sonst nichts lesen, Schueler sowieso nicht
access to *
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * none break

"""




## bugs: [40870, 41601, 41609, 41620]
## exposure: dangerous

import os.path
from univention.testing.ucsschool import UCSTestSchool
from univention.testing.ucr import UCSTestConfigRegistry
from univention.testing.udm import UCSTestUDM

		# TODO: change school and uid at once!
		# TODO: user without classes

		search_base = User.get_search_base(b)
		domain_users_school = 'cn=Domain Users {},{}'.format(b, search_base.groups)
		teacher_group = search_base.teachers_ou_group
		staff_group = search_base.staff_ou_group
		students_group = search_base.students_ou_group
		grp1_name = uts.random_username()
		grp2_name = uts.random_username()
		two_klasses = '{0}-{1},{0}-{2}'.format(a, grp1_name, grp2_name)
		workgroup_dn, workgroup_name = udm.create_group(position=WorkGroup.get_container(a))
		global_group_dn, global_group_name = udm.create_group()

		search_base = User.get_search_base(a)
		users = [
			(env.create_user(a, classes=two_klasses), [students_group, domain_users_school, global_group_dn]),
			(env.create_user(a, is_teacher=True, classes=two_klasses), [domain_users_school, teacher_group, global_group_dn]),
			(env.create_user(a, is_staff=True), [domain_users_school, staff_group, global_group_dn]),
			(env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), [domain_users_school, teacher_group, staff_group, global_group_dn]),
			(env.create_user(a, is_staff=True), 'mitarbeiter',
				[domain_users_school, staff_group, global_group_dn]),
			(env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), 'lehrer',
				[domain_users_school, teacher_group, staff_group, global_group_dn]),
		]
		lo = env.open_ldap_connection()
		workgroup = WorkGroup.from_dn(workgroup_dn, a, lo)
		users_dns = [dn for (user, dn,), groups in users]
		udm.modify_object('groups/group', dn=global_group_dn, append={'users': users_dns})
		workgroup.users.extend(users_dns)
		workgroup.modify(lo)

		for (user, dn,), groups in users:

			print '################################'
			print '#### moving user at', dn, 'to', b


			user = User.from_dn(dn, a, lo)
			attrs = {
				'homeDirectory': [os.path.join('/home/', user.get_roleshare_home_subdir(), user.name)],
				'ucsschoolSchool': [b],
				'departmentNumber': [b],
				# TODO: add sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath

(-)ucs-test-ucsschool/90_ucsschool/98_samba4_evaluate_windows_gpo (-2 / +2 lines)

Lines 25-31	Link Here

from datetime import datetime, timedelta

from datetime import datetime, timedelta

from ucsschool.lib.schoolldap import SchoolSearchBase

from ucsschool.lib.schoolldap import SchoolSearchBase

from ucsschool.lib.models import School

from ucsschool.lib.models import School, SchoolClass

from essential.computerroom import Room

from essential.computerroom import Room

from essential.exam import Exam

from essential.exam import Exam

Lines 500-506	Link Here

500

	klasse_dn = udm.create_object(

500

	klasse_dn = udm.create_object(

501

		'groups/group',

501

		'groups/group',

502

		name=schoolclassname,

502

		name=schoolclassname,

503

		position="cn=klassen,cn=schueler,cn=groups,%s" % school_dn

503

		position=SchoolClass.get_container(school)

504

505

506

	student_pwd = "univention"

506

	student_pwd = "univention"




import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.strings as uts
from ucsschool.lib.models import ComputerRoom, School


class FailAcl(Exception):

		self.access_allowance = access_allowance
		self.ucr = ucr_test.UCSTestConfigRegistry()
		self.ucr.load()
		self.search_base = School.get_search_base(self.school)

	def assert_acl(self, target_dn, access, attrs, access_allowance=None):
		"""Test ACL rule:\n

	def assert_room(self, room_dn, access):
		"""Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten
		"""
		target_dn = ComputerRoom.get_container(self.school)
		attrs = [
			'children',
			'entry',

		"""Lehrer, Mitarbeiter und Mitglieder der lokalen Administratoren
		duerfen Arbeitsgruppen anlegen und aendern
		"""
		group_dn = self.search_base.teachers_group
		attrs = [
			'children',
			'entry',

		self.assert_acl(group_dn, access, attrs)

	def assert_student_group(self, access):
		group_dn = self.search_base.students_group
		attrs = [
			'children',
			'entry',

(-)ucs-test-ucsschool/90_ucsschool/essential/computerroom.py (-12 / +16 lines)

Lines 7-12	Link Here

from ucsschool.lib.models import IPComputer as IPComputerLib

from ucsschool.lib.models import IPComputer as IPComputerLib

from ucsschool.lib.models import MacComputer as MacComputerLib

from ucsschool.lib.models import MacComputer as MacComputerLib

from ucsschool.lib.models import WindowsComputer as WindowsComputerLib

from ucsschool.lib.models import WindowsComputer as WindowsComputerLib

from ucsschool.lib.models import School as SchoolLib

from ucsschool.lib.models import ComputerRoom as ComputerRoomLib

from univention.testing.ucsschool import UMCConnection

from univention.testing.ucsschool import UMCConnection

import copy

import copy

import datetime

import datetime

Lines 92-101	Link Here

	def __init__(self, school, name=None, dn=None, description=None, host_members=None):

	def __init__(self, school, name=None, dn=None, description=None, host_members=None):

		self.school = school

		self.school = school

		self.name = name if name else uts.random_name()

		self.name = name if name else uts.random_name()

		self.dn = dn if dn else 'cn=%s-%s,cn=raeume,cn=groups,%s' % (

		self.dn = dn if dn else ComputerRoomLib(school=school, name='{}-{}'.format(school, self.name)).dn

			school, self.name, utu.UCSTestSchool().get_ou_base_dn(school))

		self.description = description if description else uts.random_name()

		self.description = description if description else uts.random_name()

		self.host_members = host_members or []

		self.host_members = host_members or []

100

		self.marktplatz_name = SchoolLib.get_search_base(self.school).share_name_marktplatz

101

100

	def get_room_user(self, umc_connection):

102

	def get_room_user(self, umc_connection):

101

		print 'Executing command: computerroom/rooms in school:', self.school

103

		print 'Executing command: computerroom/rooms in school:', self.school

Lines 286-320	Link Here

286

			utils.fail('Write to home directory result (%r), expected (%r)' % (write[0], expected_result))

288

			utils.fail('Write to home directory result (%r), expected (%r)' % (write[0], expected_result))

287

289

288

	def check_marktplatz_read(self, user, ip_address, passwd='univention', expected_result=0):

290

	def check_marktplatz_read(self, user, ip_address, passwd='univention', expected_result=0):

289

		print '.... Check Marktplatz read ....'

291

		print '.... Check Marktplatz ({}) read ....'.format(self.marktplatz_name)

290

		cmd_read_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'dir']

292

		cmd_read_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'dir']

291

		read = run_commands(

293

		read = run_commands(

292

			[cmd_read_marktplatz],

294

			[cmd_read_marktplatz],

293

295

294

				'ip': ip_address,

296

				'ip': ip_address,

295

				'user': '{0}%{1}'.format(user, passwd)

297

				'user': '{0}%{1}'.format(user, passwd),

298

				'marktplatz_name': self.marktplatz_name

296

299

297

300

298

		if read[0] != expected_result:

301

		if read[0] != expected_result:

299

			print 'FAIL .. Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result)

302

			print 'FAIL .. Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result)

300

			utils.fail('Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result))

303

			utils.fail('Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result))

301

304

302

	def check_marktplatz_write(self, user, ip_address, passwd='univention', expected_result=0):

305

	def check_marktplatz_write(self, user, ip_address, passwd='univention', expected_result=0):

303

		print '.... Check Marktplatz write ....'

306

		print '.... Check Marktplatz ({}) write ....'.format(self.marktplatz_name)

304

		f = tempfile.NamedTemporaryFile(dir='/tmp')

307

		f = tempfile.NamedTemporaryFile(dir='/tmp')

305

		cmd_write_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'put %(filename)s']

308

		cmd_write_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'put %(filename)s']

306

		write = run_commands(

309

		write = run_commands(

307

			[cmd_write_marktplatz],

310

			[cmd_write_marktplatz],

308

311

309

				'ip': ip_address,

312

				'ip': ip_address,

310

				'user': '{0}%{1}'.format(user, passwd),

313

				'user': '{0}%{1}'.format(user, passwd),

311

				'filename': '%s %s' % (f.name, f.name.split('/')[-1])

314

				'filename': '%s %s' % (f.name, f.name.split('/')[-1]),

315

				'marktplatz_name': self.marktplatz_name

312

316

313

317

314

		f.close()

318

		f.close()

315

		if write[0] != expected_result:

319

		if write[0] != expected_result:

316

			print 'FAIL .. Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result)

320

			print 'FAIL .. Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result)

317

			utils.fail('Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result))

321

			utils.fail('Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result))

318

322

319

	def check_share_access(self, user, ip_address, expected_home_result, expected_marktplatz_result):

323

	def check_share_access(self, user, ip_address, expected_home_result, expected_marktplatz_result):

320

		self.check_home_read(user, ip_address, expected_result=expected_home_result)

324

		self.check_home_read(user, ip_address, expected_result=expected_home_result)

(-)ucs-test-ucsschool/90_ucsschool/essential/distribution.py (-4 / +30 lines)

Lines 13-18	Link Here

import univention.testing.strings as uts

import univention.testing.strings as uts

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

from ucsschool.lib.models import School

class Distribution(object):

class Distribution(object):

Lines 517-530	Link Here

517

		path = ''

518

		path = ''

518

		self.ucr.load()

519

		self.ucr.load()

519

		roleshare = self.ucr.get('ucsschool/import/roleshare')

520

		roleshare = self.ucr.get('ucsschool/import/roleshare')

521

		collect_from = self.ucr.get('ucsschool/datadistribution/datadir/sender', 'Unterrichtsmaterial')

522

		distribute_to = self.ucr.get('ucsschool/datadistribution/datadir/recipient', 'Unterrichtsmaterial')

523

		search_base = School.get_search_base(self.school)

520

		if purpose == 'distribute':

524

		if purpose == 'distribute':

521

			if roleshare == 'no' or roleshare is False:

525

			if roleshare == 'no' or roleshare is False:

522

				path = '/home/{0}/Unterrichtsmaterial/{1}/'.format(user, self.name)

526

				path = '/home/{}/{}/{}/'.format(

527

					user,

528

					distribute_to,

529

					self.name

530

523

			else:

531

			else:

524

				path = '/home/{0}/schueler/{1}/Unterrichtsmaterial/{2}'.format(self.school, user, self.name)

532

				path = '/home/{}/{}/{}/{}/{}'.format(

533

					self.school,

534

					search_base.share_name_pupils,

535

					user,

536

					distribute_to,

537

					self.name

538

525

		elif purpose == 'collect':

539

		elif purpose == 'collect':

526

			if roleshare == 'no' or roleshare is False:

540

			if roleshare == 'no' or roleshare is False:

527

				path = '/home/{0}/Unterrichtsmaterial/{1}/{2}/'.format(self.sender, self.name, user)

541

				path = '/home/{}/{}/{}/{}/'.format(

542

						self.sender,

543

						collect_from,

544

						self.name,

545

						user

546

528

			else:

547

			else:

529

				path = '/home/{0}/lehrer/{1}/Unterrichtsmaterial/{2}/{3}'.format(self.school, self.sender, self.name, user)

548

				path = '/home/{}/{}/{}/{}/{}/{}'.format(

549

					self.school,

550

					search_base.share_name_teachers,

551

					self.sender,

552

					collect_from,

553

					self.name,

554

					user

555

530

		return path

556

		return path




import univention.testing.strings as uts
import univention.testing.ucr as ucr_test
import univention.testing.utils as utils
from ucsschool.lib.models import School


class StartFail(Exception):

		self.shareMode = shareMode
		self.internetRule = internetRule
		self.customRule = customRule
		self.search_base = School.get_search_base(self.school)

		if umcConnection:
			self.umcConnection = umcConnection

	def check_collect(self):
		account = utils.UCSTestDomainAdminCredentials()
		admin = account.username
		path = '/home/%s/%s/%s' % (admin, self.search_base.share_name_exams, self.name)
		path_files = get_dir_files(path)
		if not set(self.files).issubset(set(path_files)):
			utils.fail('%r were not collected to %r' % (self.files, path))

			utils.fail('%r were not uploaded to %r' % (self.files, path))

	def check_distribute(self):
		path = '/home/%s/%s' % (self.school, self.search_base.share_name_pupils)
		path_files = get_dir_files(path)
		if not set(self.files).issubset(set(path_files)):
			utils.fail('%r were not uploaded to %r' % (self.files, path))

(-)ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py (-5 / +5 lines)

Lines 145-155	Link Here

145

		print 'verify computer: %s' % self.name

145

		print 'verify computer: %s' % self.name

146

147

		utils.verify_ldap_object(self.dn, expected_attr=self.expected_attributes(), should_exist=True)

147

		utils.verify_ldap_object(self.dn, expected_attr=self.expected_attributes(), should_exist=True)

148

		search_base = SchoolLib.get_search_base(self.school)

149

		verwaltung_member_group1 = 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base'))

149

		verwaltung_member_group1 = search_base.administrative_ou_member_group

150

		verwaltung_member_group2 = 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base'))

150

		verwaltung_member_group2 = search_base.administrative_member_group

151

		edukativ_member_group1 = 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base'))

151

		edukativ_member_group1 = search_base.educational_ou_member_group

152

		edukativ_member_group2 = 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base'))

152

		edukativ_member_group2 = search_base.educational_member_group

153

		if self.zone == 'verwaltung':

153

		if self.zone == 'verwaltung':

154

			utils.verify_ldap_object(verwaltung_member_group1, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)

154

			utils.verify_ldap_object(verwaltung_member_group1, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)

155

			utils.verify_ldap_object(verwaltung_member_group2, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)

155

			utils.verify_ldap_object(verwaltung_member_group2, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)




import univention.testing.strings as uts
from ucsschool.lib.models import SchoolClass as GroupLib
from ucsschool.lib.models import School as SchoolLib
from ucsschool.lib.models import ClassShare as ClassShareLib
import ucsschool.lib.models.utils

from essential.importou import remove_ou, get_school_base

configRegistry = univention.config_registry.ConfigRegistry()
configRegistry.load()

cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')


class Group:

	def __init__(self, school):


		self.school_base = get_school_base(self.school)

		self.dn = GroupLib(school=self.school, name=self.name).dn
		self.share_dn = ClassShareLib(school=self.school, name=self.name).dn

	def set_mode_to_modify(self):
		self.mode = 'M'

(-)ucs-test-ucsschool/90_ucsschool/essential/importou.py (-58 / +57 lines)

Lines 13-18	Link Here

import univention.uldap

import univention.uldap

import univention.admin.uldap

import univention.admin.uldap

import ldap

import univention.admin.modules

import univention.admin.modules

import univention.admin.filter

import univention.admin.filter

import univention.config_registry

import univention.config_registry

Lines 299-310	Link Here

299

	old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

300

	old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

300

	lo = univention.uldap.getMachineConnection()

301

	lo = univention.uldap.getMachineConnection()

301

	base_dn = ucr.get('ldap/base')

302

	base_dn = ucr.get('ldap/base')

303

	search_base = School.get_search_base(ou)

302

304

303

	cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')

305

	cn_pupils = ldap.explode_dn(search_base.students, True)[0]

304

	cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer')

306

	cn_teachers = ldap.explode_dn(search_base.teachers, True)[0]

305

	cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')

307

	cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0]

306

	cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')

308

	cn_admins = ldap.explode_dn(search_base.admins, True)[0]

307

	cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

309

	cn_staff = ldap.explode_dn(search_base.staff, True)[0]

310

	cn_class = ldap.explode_dn(search_base.classes, True)[0]

311

	cn_rooms = ldap.explode_dn(search_base.rooms, True)[0]

308

312

309

	singlemaster = ucr.is_true('ucsschool/singlemaster')

313

	singlemaster = ucr.is_true('ucsschool/singlemaster')

310

	noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

314

	noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

Lines 332-374	Link Here

332

336

333

	utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [sharefileserver_dn], 'ucsschoolHomeShareFileServer': [sharefileserver_dn]}, should_exist=must_exist)

337

	utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [sharefileserver_dn], 'ucsschoolHomeShareFileServer': [sharefileserver_dn]}, should_exist=must_exist)

334

338

335

	utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist)

339

	utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist)

336

	utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist)

340

	utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist)

337

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

341

	utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

338

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

342

	utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

339

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

343

	utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

340

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

341

344

342

	utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist)

345

	utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist)

343

	utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

346

	utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

344

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

347

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

345

	utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist)

348

	utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist)

346

	utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist)

349

	utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist)

347

	utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

350

	utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

348

	utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

351

	utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

349

	utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist)

352

	utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

350

	utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist)

353

	utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist)

351

354

352

	utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

355

	utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

353

	utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist)

356

	utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist)

354

	utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist)

357

	utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist)

355

	utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist)

358

	utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

356

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

359

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

357

360

358

	if noneducational_create_objects:

361

	if noneducational_create_objects:

359

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist)

362

		utils.verify_ldap_object(search_base.staff, should_exist=must_exist)

360

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist)

363

		utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist)

361

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist)

364

		utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist)

362

	else:

365

	else:

363

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False)

366

		utils.verify_ldap_object(search_base.staff, should_exist=False)

364

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False)

367

		utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False)

365

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False)

368

		utils.verify_ldap_object(search_base.staff_group, should_exist=False)

366

369

367

	if noneducational_create_objects:

370

	if noneducational_create_objects:

368

		utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

371

		utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True)

369

		utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

372

		utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True)

370

		utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

373

		utils.verify_ldap_object(search_base.administrative_ou_dc_group)

371

		utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

374

		utils.verify_ldap_object(search_base.administrative_ou_member_group)

372

	# This will fail because we don't cleanup these groups in cleanup_ou

375

	# This will fail because we don't cleanup these groups in cleanup_ou

373

	# else:

376

	# else:

374

	#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

377

	#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

Lines 382-403	Link Here

382

	if dc_administrative:

385

	if dc_administrative:

383

		verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

386

		verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

384

387

385

	grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')

386

	grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')

387

	grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')

388

	grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

389

390

	grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

388

	grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

391

	grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

389

	grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

392

	grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

390

	grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

393

	grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

391

	grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

394

392

395

	utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

393

	utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

396

	utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

394

	utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

397

	utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

395

	utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

398

396

399

	if noneducational_create_objects:

397

	if noneducational_create_objects:

400

		utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

398

		utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

401

399

402

	dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

400

	dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

403

	dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

401

	dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

Lines 410-416	Link Here

410

	# check group membership

408

	# check group membership

411

	#  slave should be member

409

	#  slave should be member

412

	#  master and backup should not be member

410

	#  master and backup should not be member

413

	dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn), "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)]

411

	dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]

414

412

415

	if must_exist:

413

	if must_exist:

416

		if masterobjs:

414

		if masterobjs:

Lines 486-518	Link Here

486

		base_dn = ucr.get('ldap/base')

484

		base_dn = ucr.get('ldap/base')

487

	ou_base = get_ou_base(ou, ucr.is_true('ucsschool/ldap/district/enable', False))

485

	ou_base = get_ou_base(ou, ucr.is_true('ucsschool/ldap/district/enable', False))

488

	dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, ou_base)

486

	dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, ou_base)

487

	search_base = School.get_search_base(ou)

489

488

490

	# define list of (un-)desired group memberships ==> [(IS_MEMBER, GROUP_DN), ...]

489

	# define list of (un-)desired group memberships ==> [(IS_MEMBER, GROUP_DN), ...]

491

	group_dn_list = []

490

	group_dn_list = []

492

	if dc_type == TYPE_DC_ADMINISTRATIVE:

491

	if dc_type == TYPE_DC_ADMINISTRATIVE:

493

		group_dn_list += [

492

		group_dn_list += [

494

			(True, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

493

			(True, search_base.administrative_ou_dc_group),

495

			(True, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

494

			(True, search_base.administrative_dc_group),

496

			(False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn),

495

			(False, search_base.administrative_member_group),

497

			(False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

496

			(False, search_base.administrative_ou_member_group),

498

			(False, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

497

			(False, search_base.educational_ou_dc_group),

499

			(False, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

498

			(False, search_base.educational_dc_group),

500

			(False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn),

499

			(False, search_base.educational_member_group),

501

			(False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

500

			(False, search_base.educational_ou_member_group),

502

501

503

	else:

502

	else:

504

		group_dn_list += [

503

		group_dn_list += [

505

			(True, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

504

			(True, search_base.educational_ou_dc_group),

506

			(True, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

505

			(True, search_base.educational_dc_group),

507

			(False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn),

506

			(False, search_base.educational_member_group),

508

			(False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

507

			(False, search_base.educational_ou_member_group),

509

508

510

		if ucr.is_true('ucsschool/ldap/noneducational/create/objects', must_exist):

509

		if ucr.is_true('ucsschool/ldap/noneducational/create/objects', must_exist):

511

			group_dn_list += [

510

			group_dn_list += [

512

				(False, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

511

				(False, search_base.administrative_ou_dc_group),

513

				(False, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

512

				(False, search_base.administrative_dc_group),

514

				(False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn),

513

				(False, search_base.administrative_member_group),

515

				(False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

514

				(False, search_base.administrative_ou_member_group),

516

515

517

516

518

	utils.verify_ldap_object(dc_dn, should_exist=must_exist)

517

	utils.verify_ldap_object(dc_dn, should_exist=must_exist)




from univention.testing.decorators import SetTimeout
import univention.uldap
import univention.config_registry
from ucsschool.lib.models import SchoolClass as SchoolClassLib
from ucsschool.lib.models import Student as StudentLib
from ucsschool.lib.models import Teacher as TeacherLib
from ucsschool.lib.models import Staff as StaffLib

configRegistry = univention.config_registry.ConfigRegistry()
configRegistry.load()

cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer')
cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')


class Person(object):

	def __init__(self, school, role):

		self.username = uts.random_name()
		self.school = school
		self.schools = [school]
		self.search_base = SchoolLib.get_search_base(self.school)
		self.role = role
		self.record_uid = None
		self.source_uid = None

		self.mail = '%s@%s' % (self.username, configRegistry.get('domainname'))
		self.school_classes = {}
		if self.is_student():
			self.user_type = StudentLib
			self.role_group_dn = self.search_base.students_ou_group
		elif self.is_teacher():
			self.user_type = TeacherLib
			self.role_group_dn = self.search_base.teachers_ou_group
		elif self.is_teacher_staff():
			self.user_type = TeachersAndStaffLib
			self.role_group_dn = self.search_base.teachers_ou_group
		elif self.is_staff():
			self.user_type = StaffLib
			self.role_group_dn = self.search_base.staff_ou_group
		self.mode = 'A'
		self.active = True
		self.password = None

		self.append_random_groups()

	def make_dn(self):
		return self.user_type(school=self.school, name=self.username).dn

	def make_school_base(self):
		return get_school_base(self.school)

		if self.description:
			attr['description'] = [self.description]

		subdir = ''
		if configRegistry.is_true('ucsschool/import/roleshare', True):
			subdir = self.user_type(school=self.school, name=self.username).get_roleshare_home_subdir()
		else:
			subdir = ''
		attr['homeDirectory'] = [os.path.join('/home', subdir, self.username)]
			elif self.is_teacher_staff():
				subdir = os.path.join(self.school, 'lehrer')
			elif self.is_staff():
				subdir = os.path.join(self.school, 'mitarbeiter')
		attr['homeDirectory'] = ['/home/%s' % os.path.join(subdir, self.username)]

		if self.is_active():
			attr['krb5KDCFlags'] = ['126']


		for school, classes in self.school_classes.iteritems():
			for cl in classes:
				cl_group_dn = SchoolClassLib(school=school, name=cl).dn
				utils.verify_ldap_object(cl_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)

		utils.verify_ldap_object(self.role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)
		utils.verify_ldap_object(role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)
		print 'person OK: %s' % self.username



(-)ucs-test-ucsschool/90_ucsschool/essential/internetrule.py (-1 / +2 lines)

Lines 15-20	Link Here

import univention.testing.utils as utils

import univention.testing.utils as utils

from univention.testing.ucsschool import UCSTestSchool

from univention.testing.ucsschool import UCSTestSchool

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

from ucsschool.lib.models import SchoolClass as SchoolClassLib

class InternetRule(object):

class InternetRule(object):

Lines 199-205	Link Here

199

			ucsschool = UCSTestSchool()

200

			ucsschool = UCSTestSchool()

200

			groupdn = ucsschool.get_workinggroup_dn(school, groupName)

201

			groupdn = ucsschool.get_workinggroup_dn(school, groupName)

201

		elif groupType == 'class':

202

		elif groupType == 'class':

202

			groupdn = 'cn=%s-%s,cn=klassen,cn=schueler,cn=groups,%s' % (school, groupName, school_basedn)

203

			groupdn = SchoolClassLib(school=schoolenv.name, name="{}-{}".format(school, groupName)).dn

203

204

		if default:

205

		if default:

205

			name = '$default$'

206

			name = '$default$'




from univention.testing.ucsschool import UMCConnection
import univention.testing.ucr as ucr_test
from univention.testing.ucsschool import UCSTestSchool
from ucsschool.lib.models import SchoolClass as SchoolClassLib


class GetFail(Exception):

					k, classes_names))

	def dn(self):
		return SchoolClassLib(school=self.school, name="{}-{}".format(self.school, self.name)).dn
			self.school, self.name, UCSTestSchool().get_ou_base_dn(self.school)
		)

	def get(self):
		"""Get class"""

(-)ucs-test-ucsschool/90_ucsschool/essential/school.py (-43 / +43 lines)

Lines 4-9	Link Here

.. moduleauthor:: Ammar Najjar <najjar@univention.de>

.. moduleauthor:: Ammar Najjar <najjar@univention.de>

"""

"""

import ldap

from essential.importcomputers import random_ip

from essential.importcomputers import random_ip

from essential.importou import DCNotFound, DCMembership, DhcpdLDAPBase, TYPE_DC_ADMINISTRATIVE

from essential.importou import DCNotFound, DCMembership, DhcpdLDAPBase, TYPE_DC_ADMINISTRATIVE

from essential.importou import get_ou_base, verify_dc, get_school_ou_from_dn, TYPE_DC_EDUCATIONAL

from essential.importou import get_ou_base, verify_dc, get_school_ou_from_dn, TYPE_DC_EDUCATIONAL

Lines 13-18	Link Here

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

import univention.uldap

import univention.uldap

from ucsschool.lib.models import (School as LibSchool, ComputerRoom as LibComputerRoom, SchoolClass as LibSchoolClass,

	Staff as LibStaff, TeachersAndStaff as LibTeachersAndStaff, Teacher as LibTeacher, Student as LibStudent)

class GetFail(Exception):

class GetFail(Exception):

Lines 258-269	Link Here

258

		old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

261

		old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

259

		lo = univention.uldap.getMachineConnection()

262

		lo = univention.uldap.getMachineConnection()

260

		base_dn = ucr.get('ldap/base')

263

		base_dn = ucr.get('ldap/base')

264

		search_base = LibSchool.get_search_base(ou)

261

265

262

		cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')

266

		cn_pupils = ldap.explode_dn(LibStudent.get_container(ou), True)[0]

263

		cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer')

267

		cn_teachers = ldap.explode_dn(LibTeacher.get_container(ou), True)[0]

264

		cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')

268

		cn_teachers_staff = ldap.explode_dn(LibTeachersAndStaff.get_container(ou), True)[0]

265

		cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')

269

		cn_admins = ldap.explode_dn(search_base.admins, True)[0]

266

		cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

270

		cn_staff = ldap.explode_dn(LibStaff.get_container(ou), True)[0]

271

		cn_class = ldap.explode_dn(LibSchoolClass.get_container(ou), True)[0]

272

		cn_rooms = ldap.explode_dn(LibComputerRoom.get_container(ou), True)[0]

267

273

268

		singlemaster = ucr.is_true('ucsschool/singlemaster')

274

		singlemaster = ucr.is_true('ucsschool/singlemaster')

269

		noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

275

		noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

Lines 297-339	Link Here

297

303

298

		utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [classsharefileserver_dn], 'ucsschoolHomeShareFileServer': [homesharefileserver_dn]}, should_exist=must_exist)

304

		utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [classsharefileserver_dn], 'ucsschoolHomeShareFileServer': [homesharefileserver_dn]}, should_exist=must_exist)

299

305

300

		utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist)

306

		utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist)

301

		utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist)

307

		utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist)

302

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

308

		utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

303

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

309

		utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

304

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

310

		utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

305

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

306

311

307

		utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist)

312

		utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist)

308

		utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

313

		utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

309

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

314

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

310

		utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist)

315

		utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist)

311

		utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist)

316

		utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist)

312

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

317

		utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

313

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

318

		utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

314

		utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist)

319

		utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

315

		utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist)

320

		utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist)

316

321

317

		utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

322

		utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

318

		utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist)

323

		utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist)

319

		utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist)

324

		utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist)

320

		utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist)

325

		utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

321

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

326

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

322

327

323

		if noneducational_create_objects:

328

		if noneducational_create_objects:

324

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist)

329

			utils.verify_ldap_object(search_base.staff, should_exist=must_exist)

325

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist)

330

			utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist)

326

			utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist)

331

			utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist)

327

		else:

332

		else:

328

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False)

333

			utils.verify_ldap_object(search_base.staff, should_exist=False)

329

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False)

334

			utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False)

330

			utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False)

335

			utils.verify_ldap_object(search_base.staff_group, should_exist=False)

331

336

332

		if noneducational_create_objects:

337

		if noneducational_create_objects:

333

			utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

338

			utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True)

334

			utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

339

			utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True)

335

			utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

340

			utils.verify_ldap_object(search_base.administrative_ou_dc_group)

336

			utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

341

			utils.verify_ldap_object(search_base.administrative_ou_member_group)

337

		# This will fail because we don't cleanup these groups in cleanup_ou

342

		# This will fail because we don't cleanup these groups in cleanup_ou

338

		# else:

343

		# else:

339

		#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

344

		#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

Lines 347-368	Link Here

347

		if dc_administrative:

352

		if dc_administrative:

348

			verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

353

			verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

349

354

350

		grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')

351

		grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')

352

		grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')

353

		grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

354

355

		grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

355

		grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

356

		grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

356

		grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

357

		grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

357

		grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

358

		grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

358

		grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

359

360

		utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

360

		utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

361

		utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

361

		utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

362

		utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

362

		utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

363

364

		if noneducational_create_objects:

364

		if noneducational_create_objects:

365

			utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

365

			utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

366

367

		dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

367

		dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

368

		dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

368

		dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

Lines 375-381	Link Here

375

		# check group membership

375

		# check group membership

376

		#  slave should be member

376

		#  slave should be member

377

		#  master and backup should not be member

377

		#  master and backup should not be member

378

		dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn), "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)]

378

		dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]

379

380

		if must_exist:

380

		if must_exist:

381

			if masterobjs:

381

			if masterobjs:

Lines 419-425	Link Here

419

				# seems to be the first OU, so check the variable settings

419

				# seems to be the first OU, so check the variable settings

420

				if ucr.get('dhcpd/ldap/base') != "cn=dhcp,%s" % (ou_base,):

420

				if ucr.get('dhcpd/ldap/base') != "cn=dhcp,%s" % (ou_base,):

421

					print 'ERROR: dhcpd/ldap/base =', ucr.get('dhcpd/ldap/base')

421

					print 'ERROR: dhcpd/ldap/base =', ucr.get('dhcpd/ldap/base')

422

					print 'ERROR: expected base =', dhcp_dn

422

					print 'ERROR: expected base =', dhcp_dn  # FIXME: unresolve reference: dhcp_dn

423

					raise DhcpdLDAPBase()

423

					raise DhcpdLDAPBase()

424

425

			# use the UCR value and check if the DHCP service exists

425

			# use the UCR value and check if the DHCP service exists




from univention.testing.ucsschool import UMCConnection
import univention.testing.strings as uts
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.utils as utils
from ucsschool.lib.models import LibComputerRoom


class FailQuery(Exception):

		self.umc_connection.auth(admin, passwd)

	def dn(self):
		return LibComputerRoom(school="myschool", name='{}-{}'.format("myschool", "myname")).dn

	def add(self, should_pass=True):
		param = [{

(-)ucs-test-ucsschool/univention/testing/ucsschool.py (-1 / +1 lines)

Lines 394-400	Link Here

394

				unset_ucr = False

394

				unset_ucr = False

395

				if not self._ucr.get('mail/hosteddomains'):

395

				if not self._ucr.get('mail/hosteddomains'):

396

					unset_ucr = True

396

					unset_ucr = True

397

					handler_set(['mail/hosteddomains={hostname}.{domainname}'.format(**dict(self._ucr.items()))])

397

					handler_set(['mail/hosteddomains={}.{}'.format(self._ucr["hostname"], self._ucr["domainname"])])

398

				try:

398

				try:

399

					cmd = [self.PATH_CMD_IMPORT_USER, tmp_file.name]

399

					cmd = [self.PATH_CMD_IMPORT_USER, tmp_file.name]

400

					print '*** Calling following command: %r' % cmd

400

					print '*** Calling following command: %r' % cmd

(-)univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py (-1 / +2 lines)

Lines 55-60	Link Here

univention.admin.syntax.update_choices()

univention.admin.syntax.update_choices()

_ = Translation('univention-management-console-selective-udm').translate

_ = Translation('univention-management-console-selective-udm').translate

from ucsschool.lib.models import SchoolComputer

class CreationDenied(Exception):

class CreationDenied(Exception):

Lines 94-100	Link Here

		try:

		try:

			# Set new position

			# Set new position

			ldap_position.setDn(search_base.computers)

			ldap_position.setDn(SchoolComputer.get_container(search_base.school))

			usersid = request.options.get('usersid')

100

			usersid = request.options.get('usersid')

100

			self._check_usersid_join_permissions(ldap_user_read, usersid)

101

			self._check_usersid_join_permissions(ldap_user_read, usersid)

Return to bug 41231