Attachment #8418 for bug #41231




	  zugeordnet wird.
	</para>
	<para>
	  Über vier weitere &ucsUCR;-Variablen kann das Verhalten des Hooks gesteuert
	  werden:
	</para>
	  <itemizedlist>
		<listitem>
		  <para>
			<command>ucsschool/import/generate/share/marktplatz/name</command>
		  </para>
		  <para>
			Diese Variable definiert den Namen der Freigabe. Der Standard ist <literal>Marktplatz</literal>.
		  </para>
		</listitem>
		<listitem>
		  <para>
			<command>ucsschool/import/generate/share/marktplatz/sharepath</command>
		  </para>
		  <para>

(-)doc/manual/performance-de.xml (+4 lines)

Lines 93-98	Link Here

  		  </simpara>

  		  </simpara>

  		</listitem>

  		</listitem>

  	  </itemizedlist>

  	  </itemizedlist>

  	  <note>

  	    Der Teil des Gruppennamens der hier &lt;Edukativnetz&gt; ist, kann seit &ucsUAS;-Version 4.1 R2 v10

  	    verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.

  	  </note>

  	</para>

100

  	</para>

    </section>

101

    </section>

102




            Zugriffsrechte gesetzt werden. Dabei kann der Zugriff für einzelne Benutzer oder ganze Gruppen
            erlaubt bzw. gesperrt werden. Um den Schülern den Zugriff auf die physikalischen Drucker zu
            verbieten, muss an den Druckerfreigaben für diese Drucker der Zugriff durch Benutzer der
            OU-spezifischen Gruppe <systemitem class="groupname">schueler-<replaceable>OU</replaceable></systemitem>
            (z.B. <systemitem class="groupname">schueler-gsmitte</systemitem>) verboten werden. Für den PDF-Drucker
            <systemitem class="resource">PDFDrucker</systemitem> sollten keine Einschränkungen gemacht werden.
            <note>
                Der Teil des Gruppennamens der hier &lt;schueler-&gt; ist, kann seit &ucsUAS;-Version 4.1 R2 v10 verändert
                werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.
            </note>
            gemacht werden.
        </para>
        <para>
            Schüler haben damit nur noch die Möglichkeit Druckaufträge an den

            Anlegen einer OU kann durch das Setzen der &ucsUCRV;
            <envar>ucsschool/import/generate/marktplatz</envar> auf den
            Wert <literal>no</literal> verhindert werden.
            <note>
                Weiterführnde Informationen zur <emphasis>Marktplatz</emphasis>-Freigabe finden sich unter <xref linkend="import:marketplace"/>.
            </note>
        </para>
        <para>
            Diese Freigaben müssen zwingend auf dem Schulserver bereitgestellt

            Die Freigabe erlaubt der Gruppe <systemitem class="resource">lehrer-&lt;OU&gt;</systemitem> den
            administrativen
            Zugriff auf das Basisverzeichnis <filename class="directory">/home/&lt;OU&gt;/schueler</filename>.
            <note>
                Der Teil des Gruppennamens der hier &lt;schueler-&gt; bzw.&lt;lehrer-&gt; ist, kann seit
                &ucsUAS;-Version 4.1 R2 v10 verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.
            </note>
        </para>
        <para>
            Per Voreinstellung wird der Lehrergruppe Lesezugriff gewährt.

            Option zu Schuladministratoren umgewandelt werden.
            <itemizedlist>
                <listitem>
                    <para>
                        Die zusätzliche Gruppenmitgliedschaft muss manuell über das &ucsUMC;-Modul
                        <guimenu>Benutzer</guimenu> auf dem &ucsMaster; hinzugefügt werden. Auf dem Reiter
                        <guimenu>Gruppen</guimenu> muss das Benutzerkonto in die Gruppe
                        <guimenu>Gruppen</guimenu>
                        muss das Benutzerkonto in die Gruppe
                        <systemitem class="groupname"><replaceable>admins-OU</replaceable></systemitem>
                        (für die OU <wordasword>gym17</wordasword> ist dies die Gruppe
                        <systemitem class="groupname">admins-gym17</systemitem>) aufgenommen werden.
                        <note>
                            Der Teil des Gruppennamens der hier &lt;admins-&gt; ist, kann seit &ucsUAS;-Version 4.1 R2 v10
                            verändert werden. Siehe dazu auch <xref linkend="structure:ldap:container_names"/>.
                        </note>
                    </para>
                </listitem>
                <listitem>
                    <simpara>
                        Im &ucsUMC;-Modul <guimenu>Benutzer</guimenu> muss außerdem im Reiter
                        <guimenu>Optionen</guimenu> die Option <option>UCS@school-Administrator</option>
                        die Option
                        <option>UCS@school-Administrator</option>
                        eingeschaltet werden.
                    </simpara>
                </listitem>




		</note>
	  </section>

	  <section id="structure:ldap:container_names">
		<title>Gruppen-, Verzeichnis- und Containernamen</title>
		  <para>
		    Seit &ucsUAS;-Version 4.1 R2 v7 können mit Hilfe von UCR-Variablen Teile der Gruppen-, Verzeichnis- und Containernamen
		    <emphasis>vor der Installation der &ucsUAS;-App</emphasis> bestimmt werden.
		  </para>
		  <para>
			Beispielsweise wird die Gruppe <systemitem class="groupname">Member-Edukativnetz</systemitem> durch Setzen
			der UCR-Variablen <envar>ucsschool/ldap/default/groupname/all-educational-member=Membre-Enseignement</envar>
			mit dem Namen <systemitem class="groupname">Membre-Enseignement</systemitem> angelegt.
		  </para>
		  <para>
			  Sollen zum Beispiel die Benutzerkonten von Schülern nicht im Container
			  <uri>cn=schueler,cn=groups,ou=gymmitte,dc=example,dc=com</uri> gespeichert werden, sondern unter
			  <uri>cn=ecolier,cn=groups,ou=gymmitte,dc=example,dc=com</uri>, muss
			  <envar>ucsschool/ldap/default/container/pupils=ecolier</envar> gesetzt werden.
		  </para>
		  <para>
			  Die Bedeutung der aller UCR-Variablen können Sie durch das Lesen der Hilfetexte zu den UCR-Variablen erfahren
			  (siehe <biblioref linkend="ucs-handbuch"/>).
		  </para>
		  <para>
			  <simpara>
				Die folgenden Teile von Containernamen (z.B. in <uri>cn=admins,cn=groups,ou=gymmitte,dc=example,dc=com</uri>) können gesetzt werden:
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>admins:                 <envar>ucsschool/ldap/default/container/admins</envar></simpara></listitem>
				  <listitem><simpara>schueler:               <envar>ucsschool/ldap/default/container/pupils</envar></simpara></listitem>
				  <listitem><simpara>mitarbeiter:            <envar>ucsschool/ldap/default/container/staff</envar></simpara></listitem>
				  <listitem><simpara>lehrer und mitarbeiter: <envar>ucsschool/ldap/default/container/teachers-and-staff</envar></simpara></listitem>
				  <listitem><simpara>lehrer:                 <envar>ucsschool/ldap/default/container/teachers</envar></simpara></listitem>
				  <listitem><simpara>klassen:                <envar>ucsschool/ldap/default/container/class</envar></simpara></listitem>
				  <listitem><simpara>raeume:                 <envar>ucsschool/ldap/default/container/rooms</envar></simpara></listitem>
				  <listitem><simpara>examusers:              <envar>ucsschool/ldap/default/container/exam</envar></simpara></listitem>
			  </itemizedlist>
		  </para>
		  <para>
			  <simpara>
				Die folgenden Präfixe von Gruppennamen (z.B. in <systemitem class="groupname">schueler-gymmitte</systemitem>) können gesetzt werden:
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>schueler-:              <envar>ucsschool/ldap/default/groupprefix/pupils</envar></simpara></listitem>
				  <listitem><simpara>lehrer-:                <envar>ucsschool/ldap/default/groupprefix/teachers</envar></simpara></listitem>
				  <listitem><simpara>admins-:                <envar>ucsschool/ldap/default/groupprefix/admins</envar></simpara></listitem>
				  <listitem><simpara>mitarbeiter-:           <envar>ucsschool/ldap/default/groupprefix/staff</envar></simpara></listitem>
			  </itemizedlist>
			  <simpara>
				  Die folgenden Gruppennamen können per UCR gesetzt werden. Bei Namen die <replaceable>%(ou)s</replaceable> enthalten
				  wird dieses vom System durch das jeweilige Schulkürzel ersetzt (z.B. <uri>gymmitte</uri> in
				  <systemitem class="groupname">OUgymmitte-DC-Edukativnetz</systemitem>).
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>DC-Edukativnetz:                 <envar>ucsschool/ldap/default/groupname/all-educational-dc</envar></simpara></listitem>
				  <listitem><simpara>Member-Edukativnetz:             <envar>ucsschool/ldap/default/groupname/all-educational-member</envar></simpara></listitem>
				  <listitem><simpara>DC-Verwaltungsnetz:              <envar>ucsschool/ldap/default/groupname/all-administrativ-dc</envar></simpara></listitem>
				  <listitem><simpara>Member-Verwaltungsnetz:          <envar>ucsschool/ldap/default/groupname/all-administrativ-member</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-DC-Edukativnetz:        <envar>ucsschool/ldap/default/groupname/ou-educational-dc</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-Member-Edukativnetz:    <envar>ucsschool/ldap/default/groupname/ou-educational-member</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-DC-Verwaltungsnetz:     <envar>ucsschool/ldap/default/groupname/ou-administrativ-dc</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-Member-Verwaltungsnetz: <envar>ucsschool/ldap/default/groupname/ou-administrativ-member</envar></simpara></listitem>
				  <listitem><simpara>OU%(ou)s-Klassenarbeit:          <envar>ucsschool/ldap/default/groupname/exam</envar></simpara></listitem>
			  </itemizedlist>
			  <simpara>
				  Die folgenden Verzeichnisnamen können per UCR gesetzt werden (z.B. <envar>klassen</envar> in <filename class="directory">/home/groups/klassen/3b</filename>):
			  </simpara>
			  <itemizedlist>
				  <listitem><simpara>klassen:                <envar>ucsschool/ldap/default/share/class</envar></simpara></listitem>
				  <listitem><simpara>schueler:               <envar>ucsschool/ldap/default/share/pupils</envar></simpara></listitem>
				  <listitem><simpara>lehrer:                 <envar>ucsschool/ldap/default/share/teachers</envar></simpara></listitem>
				  <listitem><simpara>Unterrichtsmaterial:    <envar>ucsschool/datadistribution/datadir/sender</envar></simpara></listitem>
				  <listitem><simpara>Unterrichtsmaterial:    <envar>ucsschool/datadistribution/datadir/recipient</envar></simpara></listitem>
				  <listitem><simpara>Klassenarbeiten:        <envar>ucsschool/ldap/default/share/exams</envar></simpara></listitem>
				  <listitem><simpara>schueler, lehrer, mitarbeiter:  <envar>ucsschool/import/roleshare/.*/path</envar></simpara></listitem>
				  <listitem><simpara>Marktplatz:             <envar>ucsschool/import/generate/share/marktplatz/name</envar></simpara></listitem>
			  </itemizedlist>
		  </para>
	  </section>

	  <section id="structure:ldap:global">
		<title>Weitere &ucsUAS;-Objekte</title>
		<para>




Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/admins]
Description[de]=Standard-Container-Name für Administratoren. Standard ist "admins".
Description[en]=Default container name for administrators. Default is "admins".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/class]
Description[de]=Standard-Container-Name für Schulklassen. Standard ist "klassen".
Description[en]=Default container name for school classes. Default is "klassen".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/exam]
Description[de]=Standard-Container-Name für Schüler in einer Prüfung. Standard ist "examusers".
Description[en]=Default container name name for pupils writing exams. Default is "examusers".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/pupils]
Description[de]=Standard-Container-Name für Schüler. Standard ist "schueler".
Description[en]=Default container name for pupils. Default is "schueler".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/rooms]
Description[de]=Standard-Container-Name für Klassenräume. Standard ist "raeume".
Description[en]=Default container name for class rooms. Default is "raeume".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/staff]
Description[de]=Standard-Container-Name für Mitarbeiter. Standard ist "mitarbeiter".
Description[en]=Default container name for staff members. Default is "mitarbeiter".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/teachers]
Description[de]=Standard-Container-Name für Lehrer. Standard ist "lehrer".
Description[en]=Default container name for teachers. Default is "lehrer".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/container/teachers-and-staff]
Description[de]=Standard-Container-Name für Benutzer die gleichzeitig Lehrer und Mitarbeiter sind. Standard ist "lehrer und mitarbeiter".
Description[en]=Default container name for users that are both teachers and staff members. Default is "lehrer und mitarbeiter".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/exam]
Description[de]=Standard Gruppenname für Schüler in einer Prüfung. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Klassenarbeit".
Description[en]=Default group name for pupils writing exams. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Klassenarbeit".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-administrativ-dc]
Description[de]=Standard Gruppenname für Domain Controller in Verwaltungsnetzen. Standard ist "DC-Verwaltungsnetz".
Description[en]=Default group name for domain controllers in administrativ networks. Default is "DC-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-administrativ-member]
Description[de]=Standard Gruppenname für Member Server in Verwaltungsnetzen. Standard ist "Member-Verwaltungsnetz".
Description[en]=Default group name for member servers in administrativ networks. Default is "Member-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-educational-dc]
Description[de]=Standard Gruppenname für Domain Controller in Edukativnetzen. Standard ist "DC-Edukativnetz".
Description[en]=Default group name for domain controllers in educational networks. Default is "DC-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/all-educational-member]
Description[de]=Standard Gruppenname für Member Server in Edukativnetzen. Standard ist "Member-Edukativnetz".
Description[en]=Default group name for member servers in educational networks. Default is "Member-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-administrativ-dc]
Description[de]=Standard Gruppenname für Domain Controller im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Verwaltungsnetz".
Description[en]=Default group name for domain controllers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-administrativ-member]
Description[de]=Standard Gruppenname für Member Server im Verwaltungsnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Verwaltungsnetz".
Description[en]=Default group name for member servers in the administrativ network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Verwaltungsnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-educational-dc]
Description[de]=Standard Gruppenname für Domain Controller im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-DC-Edukativnetz".
Description[en]=Default group name for domain controllers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-DC-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupname/ou-educational-member]
Description[de]=Standard Gruppenname für Member Server im Edukativnetz einer bestimmten Schule. Das "%(ou)s" im Namen wird mit dem Schulkürzel (OU) ersetzt. Standard ist "OU%(ou)s-Member-Edukativnetz".
Description[en]=Default group name for member servers in the educational network. The "%(ou)s" in the name will be replaced by the short name of the school (OU). Default is "OU%(ou)s-Member-Edukativnetz".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/admins]
Description[de]=Standard-Prefix für die Administrator-Gruppen. Standard ist "admins-".
Description[en]=Default prefix for admin groups. Default is "admins-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/pupils]
Description[de]=Standard-Prefix für die Schüler-Gruppen. Standard ist "schueler-".
Description[en]=Default prefix for pupils groups. Default is "schueler-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/staff]
Description[de]=Standard-Prefix für die Mitarbeiter-Gruppen. Standard ist "mitarbeiter-".
Description[en]=Default prefix for staff groups. Default is "mitarbeiter-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/groupprefix/teachers]
Description[de]=Standard-Prefix für die Lehrer-Gruppen. Standard ist "lehrer-".
Description[en]=Default prefix for teacher groups. Default is "lehrer-".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/share/class]
Description[de]=Standard Verzeichnisname für die Klassen-Freigabe. Standard ist "klassen".
Description[en]=Default directory name for the class share. Default is "klassen".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/share/pupils]
Description[de]=Standard Verzeichnisname für die Schüler-Verzeichnisse. Standard ist "schueler".
Description[en]=Default directory name for the pupils directories. Default is "schueler".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/share/teachers]
Description[de]=Standard Verzeichnisname für die Lehrer-Verzeichnisse. Standard ist "lehrer".
Description[en]=Default directory name for the teachers directories. Default is "lehrer".
Type=str
Categories=ucsschool-base

[ucsschool/ldap/default/dcs]
Description[de]=Spezifiziert welche Schul-DCs beim Erzeugen einer Schule angelegt werden sollen (Werte: edukativ und/oder verwaltung)
Description[en]=Specifies which school DCs are created during the school set up (values: edukativ and/or verwaltung)

Type=str
Categories=ucsschool-base

[ucsschool/import/generate/share/marktplatz/name]
Description[de]=Name der Freigabe (Default: "Marktplatz").
Description[en]=Name of share (default: "Marktplatz").
Type=str
Categories=ucsschool-base

[ucsschool/import/generate/share/marktplatz/sharepath]
Description[de]=Vorgabepfad der Freigabe "Marktplatz" (Default: /home/$ou/groups/Marktplatz)
Description[en]=Default path of share "Marktplatz" (default: /home/$ou/groups/Marktplatz)

Categories=ucsschool-base

[ucsschool/import/roleshare]
Description[de]=Falls diese Variable nicht auf "false" oder "no" gesetzt wird, werden Homeverzeichnisse für Benutzer und Klassengruppen in einer rollen- und schulspezifischen Struktur von Unterverzeichnissen angelegt, z.B. unter /home/$ou/schueler/.
Description[en]=If this variable is not set to "false" or "no", then home directories for users and class groups will be created in a role and school specific structure of subdirectories, e.g. in /home/$ou/schueler/.
Type=str
Categories=ucsschool-base

(-)ucs-school-import/modules/ucsschool/importer/contrib/csv.py (-1 / +1 lines)

Lines 346-352	Link Here

346

347

	def next(self):

347

	def next(self):

348

		if self.line_num == 0:

348

		if self.line_num == 0:

349

		    # Used only for its side effect.

349

			# Used only for its side effect.

350

			self.fieldnames

350

			self.fieldnames

351

		self.row = self.reader.next()

351

		self.row = self.reader.next()

352

		self.line_num = self.reader.line_num

352

		self.line_num = self.reader.line_num

(-)ucs-school-import/modules/ucsschool/importer/models/import_user.py (-1 / +1 lines)

Lines 107-113	Link Here

107

			self.__class__.config = Configuration()

107

			self.__class__.config = Configuration()

108

			self.__class__.reader = self.factory.make_reader()

108

			self.__class__.reader = self.factory.make_reader()

109

			self.__class__.logger = get_logger()

109

			self.__class__.logger = get_logger()

110

			self.__class__.username_max_length = 20 - len(self.ucr.get("ucsschool/ldap/default/userprefix/exam", "exam-"))

110

			self.__class__.username_max_length = 20 - len(Student.get_search_base(school).user_prefix_exam)

111

		self._lo = None

111

		self._lo = None

112

		self._userexpiry = None

112

		self._userexpiry = None

113

		super(ImportUser, self).__init__(name, school, **kwargs)

113

		super(ImportUser, self).__init__(name, school, **kwargs)

(-)ucs-school-import/tests/test_move_domaincontroller_to_ou (-1 / +5 lines)

Lines 37-42	Link Here

	exit 1

	exit 1

fi

fi

. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"

eval "$(ucr shell)"

./create_ou test1 dctest1

./create_ou test1 dctest1

Lines 51-58	Link Here

udm computers/domaincontroller_slave create --position "cn=computers,$ldap_base" --set name=dctest7-01

udm computers/domaincontroller_slave create --position "cn=computers,$ldap_base" --set name=dctest7-01

./create_ou test7

./create_ou test7

udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=OUtest7-DC-Edukativnetz,cn=ucsschool,cn=groups,$ldap_base"

test7_dc="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc test7)"

udm computers/domaincontroller_slave modify --dn "cn=dctest7-01,cn=computers,$ldap_base" --append groups="cn=$test7_dc,cn=ucsschool,cn=groups,$ldap_base"

echo "TEST: DC is unknown"

echo "TEST: DC is unknown"

./move_domaincontroller_to_ou --dcname UnKnOwN --ou test1

./move_domaincontroller_to_ou --dcname UnKnOwN --ou test1

echo "EXITCODE: $?"

echo "EXITCODE: $?"

(-)ucs-school-import/usr/share/ucs-school-import/hooks/ou_create_post.d/52marktplatz_create (-6 / +9 lines)

#!/bin/bash

#!/bin/bash

# 52marktplatz_create

# 52marktplatz_create

#  Creates a Markplatz share for the specified OUs

#  Creates a Marktplatz share for the specified OUs

# Depends: ucs-school-import

# Depends: ucs-school-import

[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1

[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1

. /usr/share/univention-lib/ucr.sh

. /usr/share/univention-lib/ucr.sh

. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"

eval "$(ucr shell)"

name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"

if ! is_ucr_true "ucsschool/import/generate/share/marktplatz" ; then

if ! is_ucr_true "ucsschool/import/generate/share/marktplatz" ; then

	echo "$(basename $0): creation of share 'Marktplatz' has been disabled by ucsschool/import/generate/share/marktplatz"

	echo "$(basename $0): creation of share '$name' has been disabled by ucsschool/import/generate/share/marktplatz"

	exit 0

	exit 0

fi

fi

sharepath="$ucsschool_import_generate_share_marktplatz_sharepath"

sharepath="$ucsschool_import_generate_share_marktplatz_sharepath"

if [ -z "$sharepath" ] ; then

if [ -z "$sharepath" ] ; then

	if [ -z "$ucsschool_import_roleshare" ] || is_ucr_true "ucsschool/import/roleshare"; then

	if [ -z "$ucsschool_import_roleshare" ] || is_ucr_true "ucsschool/import/roleshare"; then

		sharepath="/home/$ou/groups/Marktplatz"

		sharepath="/home/$ou/groups/$name"

	else

	else

		sharepath="/home/groups/Marktplatz"

		sharepath="/home/groups/$name"

fi

fi

fi

fi

udm shares/share create --ignore_exists \

udm shares/share create --ignore_exists \

	--position "cn=shares,ou=${ou}${district},${ldap_base}" \

	--position "cn=shares,ou=${ou}${district},${ldap_base}" \

	--set name=Marktplatz \

	--set name="${name}" \

	--set "host=${dcname}" \

	--set "host=${dcname}" \

	--set "path=${sharepath}" \

	--set "path=${sharepath}" \

	--set "directorymode=${sharemode}" \

	--set "directorymode=${sharemode}" \

	--set "group=${grpuidnumber}"

	--set "group=${grpuidnumber}"

echo "$(basename $0): added new share Markplatz for server ${dcname}"

echo "$(basename $0): added new share '$name' for server ${dcname}"

exit 0

exit 0




import univention.lib.policy_result
from ucsschool.lib.roles import role_pupil, role_teacher, role_staff
from ucsschool.lib.roleshares import roleshare_home_subdir
from ucsschool.lib.models.utils import stopped_notifier, add_stream_logger_to_schoollib, create_passwd
from ucsschool.lib.models import School, SchoolClass, ClassShare


ldap_errors = (ldap.LDAPError, univention.admin.uexceptions.base,)


pwLengthOu = {}

cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer')
cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
cn_admins = configRegistry.get('ucsschool/ldap/default/container/admins', 'admins')
cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

grp_policy_pupils = configRegistry.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % baseDN)
grp_policy_teachers = configRegistry.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % baseDN)
grp_policy_admins = configRegistry.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % baseDN)

# IP address prefix len conecerning the netmask
default_prefixlen = 24

if not (cn_pupils and cn_teachers and cn_teachers_staff and cn_admins and cn_staff):
	print '''ERROR: Unable to proceed: one of the following UCR variables is not set correctly:
	ucsschool/ldap/default/container/pupils
	ucsschool/ldap/default/container/teachers
	ucsschool/ldap/default/container/teachers-and-staff
	ucsschool/ldap/default/container/staff
	ucsschool/ldap/default/container/admins
'''
	sys.exit(1)


def is_valid_ou_name(name):
	""" check if given OU name is valid """
	return bool(re.match('^[a-zA-Z0-9](([a-zA-Z0-9_]*)([a-zA-Z0-9]$))?$', name))

		else:
			self.allsNrs = [self.sNr]
			self.other_sNr = []
		self.search_base = School.get_search_base(self.allsNrs[0])

		# split into multiple class number if comma is present
		if ',' in self.cNr:


	def getPosition_dn(self):
		# resolution order for the position is pupil, teacher, staff
		cn = cn_pupils
		if role_teacher in self.getRole() and role_staff in self.getRole():
			return self.search_base.teachersAndStaff
		elif role_teacher in self.getRole ():
			return self.search_base.teachers
		elif role_staff in self.getRole():
			return self.search_base.staff
		return self.search_base.students

	def getDN(self):
		return "uid=" + self.login + "," + self.getPosition_dn()

		default_groups = []

		# default group
		default_groups.append("cn=Domain Users %s,%s" % (self.sNr, self.search_base.groups))

		grp_dns = {
			role_teacher: self.search_base.teachers_ou_group,
			role_pupil: self.search_base.students_ou_group,
			role_staff: self.search_base.staff_ou_group}
		for role in self.getRole():
			user_grp_prefix = {role_teacher: grp_prefix_teachers, role_pupil: grp_prefix_pupils, role_staff: grp_prefix_staff}[role]
			if role == role_staff and not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
				continue
			# class if available
			for cnr in self.cNr:
				default_groups.append("cn=%s,%s" % (cnr, self.search_base.classes))

			default_groups.append(grp_dns[role])

		return default_groups


	except IndexError:
		# TODO: add more debug output
		print "ERROR: Unable to extract district from school number: %s' % schoolNr + \
				'\n\tIf you don't use the district model deactivate UCR variable ucsschool/ldap/district/enable"


def getDN(schoolNr, base='school', basedn=baseDN):

		verify_container(getDN(schoolNr, base='district'), ou_module, co, lo, superordinate, baseDN)

	print "verify ou for school nr %s" % schoolNr
	search_base = School.get_search_base(schoolNr)
	# list of needed sub-containers, the dictionary-key adds the container as default during create in verify_container
	container = {
		'0printerPath': [search_base.printers],
		'1userPath': [search_base.users, search_base.students, search_base.teachers, search_base.admins],
		'2computerPath': [search_base.computers, 'cn=server,{}'.format(search_base.computers), 'cn=dc,cn=server,{}'.format(search_base.computers)],
		'3networkPath': [search_base.networks],
		'4groupPath': [search_base.groups, search_base.workgroups, search_base.teachers_group, search_base.classes, search_base.rooms],
		'5dhcpPath': [search_base.dhcp],
		'6policyPath': [search_base.policies],
		'7sharePath': [search_base.shares, search_base.classShares],
		'8none': ['cn=dc,cn=server,{}'.format(search_base.computers)]
	}
	if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
		container['1userPath'].extend([search_base.staff, search_base.teachersAndStaff])
		container['4groupPath'].append(search_base.staff_group)
	# FIXME: die Policies sollten besser mit der Gruppe verknüpft werden, um
	# z.B. Mitarbeiter und Lehrer im selben Container pflegen zu können
	# container_policies = { 'cn=%s,cn=users' % cn_teachers: ['cn=default-lehrer,cn=UMC,cn=policies,' + baseDN] }

		dccn = ''
	myline = '%s\t%s' % (schoolNr, dccn)
	hooks.pre('ou', 'A', line=myline)
	search_base = School.get_search_base(schoolNr)

	# verify global dc groups
	groups_administrative = [search_base.administrative_dc_group, search_base.administrative_member_group]
	groups_education = [search_base.educational_dc_group, search_base.educational_member_group]
	groups_administrativeOU = [search_base.administrative_ou_dc_group, search_base.administrative_ou_member_group]
	groups_educationOU = [search_base.educational_ou_dc_group, search_base.educational_ou_member_group]
		"cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN,
		"cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % baseDN]
	groups_administrativeOU = [
		"cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
		"cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)]
	groups_educationOU = [
		"cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
		"cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN)]

	if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
		groups = groups_administrative + groups_education + groups_administrativeOU + groups_educationOU

			# TODO FIXME The following snippet does not make any sense:
			# if the DC is member of DC-Verwaltungsnetz then is added again to that group?!? Looks like this code is unused.
			for grp in dcobject['groups']:
				if grp.startswith(univention.admin.uldap.explodeDn(search_base.administrative_dc_group)[0]):
					zone = "verwaltung"
			groups = []
			if zone == "edukativ":
				groups.append(search_base.educational_dc_group)
				groups.append(search_base.educational_ou_dc_group)
			if zone == "verwaltung":
				groups.append(search_base.administrative_dc_group)
				groups.append(search_base.administrative_ou_dc_group)
			modified = False
			for grp in groups:
				if grp not in dcobject['groups']:

		if displayName is not None:
			r = lo.modify(ou_base, [('displayName', lo.get(ou_base, ['displayName']).get('displayName', []), [displayName])])

	for path in sorted(container.keys()):
	keys.sort()
	for path in keys:
		for dn in container[path]:
			if path[1:] == 'none':
				path = ' '
			verify_container(dn, cn_module, co, lo, superordinate, baseDN, path=path[1:])

	# create groups if not existant
	grp_ouadmins = search_base.admin_group
	groups = [
		(grp_ouadmins, grp_policy_admins),
		(search_base.students_ou_group, grp_policy_pupils),
		(search_base.teachers_ou_group, grp_policy_teachers),
	]

	if configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):
		groups.append((search_base.staff_ou_group, grp_policy_staff))
	if configRegistry.is_true('ucsschool/import/attach/policy/default-umc-users', True):
		domain_users_school = "cn=Domain Users %s,cn=groups,%s" % (schoolNr.lower(), getDN(schoolNr))
		groups.append((domain_users_school, "cn=default-umc-users,cn=UMC,cn=policies,%s" % (baseDN,)))

			else:
				dccn = 'dc%s-01' % schoolNr.lower()

		dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]

		if dc == 'verwaltung':
			if not configRegistry.is_true('ucsschool/ldap/noneducational/create/objects', True):

					dccn = configRegistry.get('hostname')
				else:
					dccn = 'dc%sv-01' % schoolNr.lower()  # this is the naming convention, a trailing v for Verwaltungsnetz DCs
			dcgroups = [search_base.administrative_ou_dc_group, search_base.administrative_dc_group]
				"cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (schoolNr.lower(), baseDN),
				"cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (baseDN, )
			]

		# create server if not exsistant
		objects = univention.admin.modules.lookup(

		if not server_exists and not dcName:
			try:
				if dc == 'verwaltung':
					grpdn = search_base.administrative_ou_dc_group
				else:
					grpdn = search_base.educational_ou_dc_group
				hostlist = lo.get(grpdn, ['uniqueMember']).get('uniqueMember', [])
			except ldap.NO_SUCH_OBJECT:
				hostlist = []

	if (schoolNr, classNr.lower()) in verified_group_shares:
		return True

	position_dn = ClassShare(school=schoolNr, name=classNr).dn
	module = univention.admin.modules.get("shares/share")
	position_basedn = univention.admin.uldap.position(baseDN)
	univention.admin.modules.init(lo, position_basedn, module)

		print "need to create groupshare %s" % position_dn

		# get gid form corresponding group
		school_class = SchoolClass(school=schoolNr, name=classNr)
		class_share = ClassShare.from_school_class(school_class)
		group_dn = school_class.dn
		gids = lo.get(group_dn, ['gidNumber'])
		gid = 0
		if len(gids) > 1:  # TODO FIXME This doesn't look correct to me - gids is a dict and not a list!

		object.open()
		object["name"] = "%s" % classNr
		object["host"] = serverfqdn
		object["path"] = class_share.get_share_path()
			object["path"] = "/home/" + os.path.join(schoolNr, "groups/klassen/%s" % (classNr,))
		else:
			object["path"] = "/home/groups/klassen/%s" % (classNr,)
		object["writeable"] = "1"
		object["sambaWriteable"] = "1"
		object["sambaBrowseable"] = "1"

	object["username"] = person.login
	object["primaryGroup"] = default_groups[0]
	subdir = roleshare_home_subdir(person.sNr, person.getRole(), configRegistry)
	object["unixhome"] = os.path.join("/home", subdir, person.login)
	object["firstname"] = person.name
	object["lastname"] = person.sname
	object["e-mail"] = person.mail

			# FIXME / TODO
			# Test should be following:
			# if ( ( ( parts[0].startswith( 'cn=%s' % grp_prefix_pupils) or parts[0].startswith( 'cn=%s' % grp_prefix_pupils) ) and parts[1] == 'cn=groups' and parts[2].startswith('ou=') ) or
			# 	 ( parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils and parts[3] == 'cn=groups' and parts[4].startswith('ou=') ) ):

			search_base = School.get_search_base(None)
			cn_pupils = ldap.explode_dn(search_base.students, True)[0]
			cn_classes = ldap.explode_dn(search_base.classes, True)[0]
			grp_prefix_pupils = search_base.group_prefix_students
			grp_prefix_teachers = search_base.group_prefix_teachers

			if (
				parts[0].startswith('cn=%s' % grp_prefix_pupils) or
				parts[0].startswith('cn=%s' % grp_prefix_teachers) or
				(parts[1] == 'cn=%s' % cn_classes and parts[2] == 'cn=%s' % cn_pupils)
			):
				# group looks like a default group, so we don't need it anymore
				print "remove from group: %s" % group

	if len(groups) > 1:
		object["groups"] = groups[1:]
	subdir = roleshare_home_subdir(person.sNr, person.getRole(), configRegistry)
	object["unixhome"] = os.path.join("/home", subdir, person.login)
	if object.has_key('mailbox'):
		object["mailbox"] = "/var/spool/%s/" % person.login
	object["password"] = password

					main_person.isTeacher = '0'
					main_person.isStaff = '0'

					search_base = School.get_search_base(ou)
					if object.dn.endswith(',%s' % search_base.teachersAndStaff):
						main_person.isTeacher = '1'
						main_person.isStaff = '1'
					elif object.dn.endswith(',%s' % search_base.teachers):
						main_person.isTeacher = '1'
					elif object.dn.endswith(',%s' % search_base.staff):
						main_person.isStaff = '1'

					if ou in main_person.allsNrs:

				zone = parsed[6]

			verify_school_ou(schoolNr, co, lo, baseDN)
			search_base = School.get_search_base(schoolNr)

			try:
				ip = ipaddr.IPv4Network(IP)

			groups = {}
			if ctype == "memberserver":
				if zone == "edukativ":
					groups[search_base.educational_ou_member_group] = 1
					groups[search_base.educational_member_group] = 1
				if zone == "verwaltung":
					groups[search_base.administrative_ou_member_group] = 1
					groups[search_base.administrative_member_group] = 1

			# invoke pre hooks
			hooks.pre('computer', 'A', line=line)

			ClassID = parsed[2]
			Descrpt = parsed[3]

			group_dn = SchoolClass(school=schoolNr, name=ClassID).dn
			share_dn = ClassShare(school=schoolNr, name=ClassID).dn

			verify_school_ou(schoolNr, co, lo, baseDN)



	slave = slaves[0]
	ouDn = oulist[0].dn
	search_base = School.get_search_base(options.ou)

	group_filter = univention.admin.filter.conjunction('&', [
		univention.admin.filter.conjunction('|', [
			univention.admin.uldap.explodeDn(search_base.educational_ou_dc_group)[0],
			univention.admin.uldap.explodeDn(search_base.administrative_ou_dc_group)[0],
		]),
		univention.admin.filter.expression('uniqueMember', slave.dn),
	])

		print 'ERROR: specified OU %r does not exist' % ou_name
		sys.exit(1)

	search_base = School.get_search_base(ou_name)
	# get list of desired group memberships
	group_dn_list = {
		TYPE_DC_ADMINISTRATIVE: [search_base.administrative_ou_dc_group, search_base.administrative_dc_group],
		TYPE_DC_EDUCATIONAL: [search_base.educational_dc_group, search_base.educational_ou_dc_group]
			'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (baseDN,),
		],
		TYPE_DC_EDUCATIONAL: [
			'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (baseDN,),
			'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou_name.lower(), baseDN),
		],
	}[dc_type]
	for grpdn in group_dn_list:
		verify_group(grpdn, co, lo, superordinate, baseDN)




# <http://www.gnu.org/licenses/>.

. /usr/share/univention-lib/all.sh
. /usr/share/ucs-school-lib/base.sh

display_help() {
	cat <<-EOL

while read service; do
	case "$service" in
		"UCS@school Education")
			target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)"
			target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc)"
			target_server_ucsschool_service="$service"
			;;
		"UCS@school Administration")
			target_server_all_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)"
			target_server_ou_dcs="$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc)"
			target_server_ucsschool_service="$service"
			;;
	esac


	echo -n "Check group memberschip : "
	test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \
		/usr/sbin/udm groups/group list --filter name="$target_server_all_dcs" | sed -n "/^ *hosts: $target_ldap_hostdn$/p")
	if [ -z "$test_output" ]; then
		echo -e "\033[60Gfailed"
		echo "$hostname is not member of the group $target_server_all_dcs, this needs to be fixed first manually."
		exit 1
	fi
	test_output=$(univention-ssh "$ROOTPWD" "root@${target_school_dc_ip}" \
		/usr/sbin/udm groups/group list --filter name="$(replace_ou "$target_server_ou_dcs" "$my_school_ou")" | sed -n "/^ *hosts: $target_ldap_hostdn$/p")
	if [ -z "$test_output" ]; then
		echo -e "\033[60Gfailed"
		echo "$hostname is not member of the group $(replace_ou "$target_server_ou_dcs" "$my_school_ou"), this needs to be fixed first manually."
		exit 1
	else
		echo -e "\033[60Gdone"




import univention.admin.handlers.groups.group
import univention.admin.handlers.users.user
import univention.admin.objects
from ucsschool.lib.models import School, SchoolClass, Staff, Student, Teacher


class Problem(Exception):



def parse_line(lo, line):
	school = School(name=line['school'])
	oubase = school.dn
	uid = line['name']
	try:
		dn = lo.search(filter_format('uid=%s', (uid,)), oubase, unique=True)[0][0]

			raise StudentDoesNotExists(line, uid)
		else:
			raise StudentIsInAnotherSchool(line, uid, dn)
	if not dn.endswith(Student.get_container(school.name)):
		if not dn.endswith(Teacher.get_container(school.name)) or not dn.endswith(Staff.get_container(school.name)):
			print('Ignoring teacher/staff %r' % (uid,))
			return
		msg('ERROR: %s (%s %s) is not a student/teacher/staff.' % (uid, line['firstname'], line['lastname']))

	correct = False
	invalid_groups = set()
	for gdn, group in groups:  # pylint: disable=W0612
		if not gdn.endswith(SchoolClass.get_container(school.name)):
			if not gdn.endswith(oubase) and re.search(',ou=[^,]+,%s$' % (ucr['ldap/base'],), gdn, re.I):
				raise StudentIsInAnotherClassInAnotherSchool(line, uid, dn, gdn)
			continue  # ignore workgroups / Domain Users




@!@
# -*- coding: utf-8 -*-
import re


def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}

	while 1:
		i = variable_token.finditer(template)
		try:
			start = i.next()
			end = i.next()
			name = template[start.end():end.start()]

			template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():]
		except StopIteration:
			break

	return template


aclset += """
# start 61ucsschool_presettings

# revert rule from UCS; Bug #41402
access to attrs=entry,objectClass,uniqueMember,ou,uid,loginShell,homeDirectory,uidNumber,gidNumber,sn,cn,gecos,description,memberUid
	by dn.regex=".*cn=computers,ou=([^,]+),(ou=[^,]+,)?@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none break
	by set="user/objectClass & ([ucsschoolStudent] | [ucsschoolTeacher] | [ucsschoolStaff] | [ucsschoolAdministrator])" none break
	by * +0 break

# Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren
access to filter="(objectClass=sambaDomain)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# grant write access to domaincontroller slave/member server for certain univention app center settings
access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave controllers and memberservers require write access to virtual machine manager objects
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * +0 break


# Slave-Controller und Member-Server benoetigen idmap-Container
access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave-Controller und Member-Server benoetigen ID-Mapping
access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave-Controller und Member-Server benoetigen nicht alle Container
access to dn.subtree="cn=backup,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.subtree="cn=printers,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.subtree="cn=networks,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to dn.regex="^(.*,)?cn=(cups|ppolicy|packages|services|templates|admin-settings|default containers|saml-serviceprovider),cn=univention,@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# end 61ucsschool_presettings
"""

print replace_ucr_variables(aclset)
@!@




def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'DISTRICT':       'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '',
		'PUPILS':         configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'),
		'TEACHERS':       configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'),
		'STAFF':          configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'),
		'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'),
		'ADMINS':         configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'),
		'GRPADMINS':      configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'),
		'EXAM':           configRegistry.get('ucsschool/ldap/default/container/exam', 'examusers'),
		'CLASS':          configRegistry.get('ucsschool/ldap/default/container/class', 'klassen'),
		'ROOMS':          configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'),
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
		'DOMAIN_ADMINS': custom_groupname('Domain Admins'),
	}

	dir_ucsschool['DOMAIN_ADMINS'] = custom_groupname('Domain Admins')
	while 1:
		i = variable_token.finditer(template)
		try:

aclset += """
# DC Slaves need write access to the members of the group Domain Computers
access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects
access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Slave DCs can read and write policy containers for MS WMI filter objects
access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern

	by * +0 break

# Lehrer, Mitarbeiter und OU-Admins duerfen Raum-Gruppen anlegen und bearbeiten
access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by set.expand="[$1] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
@$@# old rule@$@	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" write
@$@# old rule@$@	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * +0 break

	by * +0 break

access to dn.subtree="cn=temporary,cn=univention,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# OU-Admins duerfen MAC-Adressen im Rechner- und DHCP-Objekt aendern


# domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers
access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to filter="(|(objectClass=ucsschoolStudent)(&(objectClass=ucsschoolTeacher)(!(objectClass=ucsschoolStaff))))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users
access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

access to filter="(&(objectClass=ucsschoolStaff)(!(objectClass=ucsschoolTeacher))(!(objectClass=ucsschoolAdministrator)))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * +0 break

# FIXME: this rule allows to read all passwords underneath of all OU's instead of only the password belonging to the OU; explain why or fix it

# TODO: are the following attributes missing here?: 'sambaBadPasswordCount', 'krb5PasswordEnd', 'shadowMax', 'sambaAcctFlags', 'sambaPasswordHistory'
# Memberserver duerfen Passwoerter aller Objekte unterhalb einer Schule lesen
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,sambaPwdCanChange,sambaPwdMustChange
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by * +0 break

# Alle DC-Slaves muessen alle Benutzercontainer und Gruppen jeder Schule lesen koennen
access to dn.regex="^ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="objectClass=ucsschoolOrganizationalUnit"
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

access to dn.regex="^cn=(users|groups|@$@EXAM@$@),ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

access to dn.regex="^([^,]+),cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

access to dn.regex="^cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^cn=.*,cn=server,cn=computers,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd
	by * +0 break

# DC-Slaves muessen die Benutzer ihrer Schule lesen und schreiben duerfen
access to dn.regex="^uid=([^,]+),cn=(@$@PUPILS@$@|@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write
	by * +0 break
access to dn.regex="^uid=([^,]+),cn=@$@EXAM@$@,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by set="([cn=OU]+this/ucsschoolSchool+[-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@])/uniqueMember & user" write
	by * +0 break

# Schul-Slave-Server duerfen nur Eintraege ihrer OU lesen und schreiben (Passwortaenderungen etc.)

access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@DOMAIN_ADMINS@$@,cn=groups,@%@ldap/base@%@" +0 break
	by set.expand="[ldap:///ou=$2,@%@ldap/base@%@?ou?base?%28%21%28objectClass%3DucsschoolOrganizationalUnit%29%29]/ou" +0 break
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write
	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd continue
	by set.expand="[$2] & ([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +rscxd continue
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +0 stop
	by set.expand="([ldap:///]+user/entryDN+[?entryDN?base?%28%7C%28objectClass%3DucsschoolTeacher%29%28objectClass%3DucsschoolAdministrator%29%28objectClass%3DucsschoolStaff%29%29])/ucsschoolSchool" +0 stop
	by dn.regex="^.*,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" +rscxd break
	by dn.regex="^.*,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" +0 stop

	by * +0 break

# Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!)
access to dn.regex="^cn=@$@CLASS@$@,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$1-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * +0 break

# Schulserver duerfen die Passwoerter aller globalen Objekte replizieren
access to dn.regex="^(.+,)?cn=(users|kerberos|computers),@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
	by * +0 break
"""


(-)ucs-school-ldap-acls-master/70ucsschool-ldap-acls-master.inst (-1 / +7 lines)

Lines 32-37	Link Here

VERSION=7

VERSION=7

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/univention-lib/ldap.sh

. /usr/share/univention-lib/ldap.sh

. /usr/share/ucs-school-lib/base.sh

joinscript_init

joinscript_init

eval "$(univention-config-registry shell)"

eval "$(univention-config-registry shell)"

Lines 43-49	Link Here

	--set name="ucsschool"

	--set name="ucsschool"

# create global groups required for LDAP ACLs for UCS@school

# create global groups required for LDAP ACLs for UCS@school

for grp in "DC-Verwaltungsnetz" "Member-Verwaltungsnetz" "DC-Edukativnetz" "Member-Edukativnetz" ; do

for grp in \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-dc)" \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-administrativ-member)" \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-dc)" \

		"$(ucr_names_default ucsschool/ldap/default/groupname/all-educational-member)"; do

	univention-directory-manager groups/group create "$@" \

	univention-directory-manager groups/group create "$@" \

		--ignore_exist \

		--ignore_exist \

		--position="cn=ucsschool,cn=groups,$ldap_base" \

		--position="cn=ucsschool,cn=groups,$ldap_base" \

(-)ucs-school-ldap-acls-master/debian/control (-1 / +1 lines)

Lines 9-15	Link Here

Package: ucs-school-ldap-acls-master

Package: ucs-school-ldap-acls-master

Architecture: all

Architecture: all

Depends: univention-ldap-server, univention-ldap-config

Depends: univention-ldap-server, univention-ldap-config, shell-ucs-school

Conflicts: univention-server-slave, univention-server-member, univention-mobile-client, univention-managed-client, univention-basesystem

Conflicts: univention-server-slave, univention-server-member, univention-mobile-client, univention-managed-client, univention-basesystem

Description: Special LDAP ACLs for UCS@school

Description: Special LDAP ACLs for UCS@school

 This package provides additional LDAP ACLs for slapd

 This package provides additional LDAP ACLs for slapd




	def get_container(cls, school=None):
		return ucr.get('ldap/base')

	@classmethod
	def cn_name(cls, name, default):
		ucr_var = 'ucsschool/ldap/default/container/%s' % name
		return ucr.get(ucr_var, default)

	def create_default_containers(self, lo):
		search_base = self.get_search_base(self.name)
		cn_pupils = ldap.explode_dn(search_base.students, True)[0]
		cn_teachers = ldap.explode_dn(search_base.teachers, True)[0]
		cn_admins = ldap.explode_dn(search_base.admins, True)[0]
		cn_classes = ldap.explode_dn(search_base.classes, True)[0]
		cn_rooms = ldap.explode_dn(search_base.rooms, True)[0]
		user_containers = [cn_pupils, cn_teachers, cn_admins]
		group_containers = [cn_pupils, [cn_classes], cn_teachers, cn_rooms]
		if self.shall_create_administrative_objects():
			cn_staff = ldap.explode_dn(search_base.staff, True)[0]
			cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0]
			user_containers.extend([cn_staff, cn_teachers_staff])
			group_containers.append(cn_staff)
		containers_with_path = {

			for cn in containers:
				last_dn = _add_container(cn, last_dn, self.dn, path, lo)

	def group_name(self, prefix_var, default_prefix):
		ucr_var = 'ucsschool/ldap/default/groupprefix/%s' % prefix_var
		name_part = ucr.get(ucr_var, default_prefix)
		school_part = self.name.lower()
		return '%s%s' % (name_part, school_part)

	def get_umc_policy_dn(self, name):
		# at least the default ones should exist due to the join script
		return ucr.get('ucsschool/ldap/default/policy/umc/%s' % name, 'cn=ucsschool-umc-%s-default,cn=UMC,cn=policies,%s' % (name, ucr.get('ldap/base')))

			group.create(lo)

		# cn=ouadmins
		search_base = self.get_search_base(self.name)
		group = BasicGroup.cache("{}{}".format(search_base.group_prefix_admins, self.name.lower()), container=search_base.globalGroupContainer)
		group.create(lo)
		group.add_umc_policy(self.get_umc_policy_dn('admins'), lo)
		try:

			udm_obj.modify()

		# cn=schueler
		group = Group.cache("{}{}".format(search_base.group_prefix_students, self.name.lower()), self.name)
		group.create(lo)
		group.add_umc_policy(self.get_umc_policy_dn('pupils'), lo)

		# cn=lehrer
		group = Group.cache("{}{}".format(search_base.group_prefix_teachers, self.name.lower()), self.name)
		group.create(lo)
		group.add_umc_policy(self.get_umc_policy_dn('teachers'), lo)

		# cn=mitarbeiter
		if self.shall_create_administrative_objects():
			group = Group.cache("{}{}".format(search_base.group_prefix_staff, self.name.lower()), self.name)
			group.create(lo)
			group.add_umc_policy(self.get_umc_policy_dn('staff'), lo)


			return flatten([self.get_administrative_group_name(group_type, True, ou_specific, as_dn), self.get_administrative_group_name(group_type, False, ou_specific, as_dn)])
		if ou_specific == 'both':
			return flatten([self.get_administrative_group_name(group_type, domain_controller, False, as_dn), self.get_administrative_group_name(group_type, domain_controller, True, as_dn)])
		search_base = self.get_search_base(self.name)
		base_dn = ucr.get('ldap/base')
		if group_type == 'administrative':
			if domain_controller:
				if ou_specific:
					dn = search_base.administrative_ou_dc_group
				else:
					dn = search_base.administrative_dc_group
			else:
				if ou_specific:
					dn = search_base.administrative_ou_member_group
				else:
					dn = search_base.administrative_member_group
		else:
			if domain_controller:
				if ou_specific:
					dn = search_base.educational_ou_dc_group
				else:
					dn = search_base.educational_dc_group
			else:
				if ou_specific:
					dn = search_base.educational_ou_member_group
				else:
					dn = search_base.educational_member_group
		if as_dn:
			return dn
		else:
			return ldap.explode_dn(dn, True)[0]

	def get_administrative_server_names(self, lo):
		dn = self.get_administrative_group_name('administrative', ou_specific=True, as_dn=True)

(-)ucs-school-lib/python/models/share.py (-2 / +2 lines)

138

139

	def get_share_path(self):

139

	def get_share_path(self):

140

		if ucr.is_true('ucsschool/import/roleshare', True):

140

		if ucr.is_true('ucsschool/import/roleshare', True):

141

			return '/home/%s/groups/klassen/%s' % (self.school_group.school, self.name)

141

			return '/home/%s/groups/%s/%s' % (self.school_group.school, self.get_search_base(self.school).share_name_class, self.name)

142

		else:

142

		else:

143

			return '/home/groups/klassen/%s' % self.name

143

			return '/home/groups/%s/%s' % (self.get_search_base(self.school).share_name_class, self.name)




		return [self.get_group_dn('Domain Users %s' % school, school) for school in self.schools]

	def get_students_groups(self):
		prefix = self.get_search_base(self.school).group_prefix_students
		return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]

	def get_teachers_groups(self):
		prefix = self.get_search_base(self.school).group_prefix_teachers
		return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]

	def get_staff_groups(self):
		prefix = self.get_search_base(self.school).group_prefix_staff
		return [self.get_group_dn('%s%s' % (prefix, school), school) for school in self.schools]

	def groups_used(self, lo):


	@classmethod
	def from_student_dn(cls, lo, school, dn):
		examUserPrefix = cls.get_search_base(school).user_prefix_exam
		dn = 'uid=%s%s,%s' % (escape_dn_chars(examUserPrefix), explode_dn(dn, True)[0], cls.get_container(school))
		return cls.from_dn(dn, school, lo)

(-)ucs-school-lib/python/roleshares.py (-2 / +2 lines)

Lines 36-42	Link Here

import univention.config_registry

import univention.config_registry

from ucsschool.lib.roles import role_pupil, role_teacher, role_staff

from ucsschool.lib.roles import role_pupil, role_teacher, role_staff

from ucsschool.lib.i18n import ucs_school_name_i18n

from ucsschool.lib.i18n import ucs_school_name_i18n

from ucsschool.lib.models import Group, School

from ucsschool.lib.models import Group, School, Share

from ucsschool.lib.schoolldap import LDAP_Connection, USER_READ, USER_WRITE, MACHINE_READ

from ucsschool.lib.schoolldap import LDAP_Connection, USER_READ, USER_WRITE, MACHINE_READ

import univention.admin.uexceptions

import univention.admin.uexceptions

import univention.admin.uldap as udm_uldap

import univention.admin.uldap as udm_uldap

Lines 151-157	Link Here

151

		ucr.load()

151

		ucr.load()

152

153

	school_ou = school.name

153

	school_ou = school.name

154

	share_container_dn = school.get_search_base(school.name).shares

154

	share_container_dn = Share.get_container(school.name)

155

156

	teacher_groupname = '-'.join((ucs_school_name_i18n(role_teacher), school_ou))

156

	teacher_groupname = '-'.join((ucs_school_name_i18n(role_teacher), school_ou))

157

	teacher_group = Group(name=teacher_groupname, school=school_ou).get_udm_object(ldap_user_read)

157

	teacher_group = Group(name=teacher_groupname, school=school_ou).get_udm_object(ldap_user_read)

(-)ucs-school-lib/python/schoolldap.py (-10 / +129 lines)

Lines 177-183	Link Here

177

		self._school = school or availableSchools[0]

177

		self._school = school or availableSchools[0]

178

		self._schoolDN = dn or School.cache(self.school).dn

178

		self._schoolDN = dn or School.cache(self.school).dn

179

180

		# prefixes

180

181

		# When adding/updating UCRV defaults, also add/update them in shell/base.sh.

182

183

184

185

		# When changing any of ucsschool/ldap/default/groupname/all-{administrativ, educational}-{dc, member}

186

		# copy the changes to ucs-school-ldap-acls-master/{61ucsschool_presettings, 65ucsschool}.

187

188

189

		# containers

181

		self._containerAdmins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')

190

		self._containerAdmins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')

182

		self._containerStudents = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')

191

		self._containerStudents = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')

183

		self._containerStaff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

192

		self._containerStaff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

Lines 186-197	Link Here

186

		self._containerClass = ucr.get('ucsschool/ldap/default/container/class', 'klassen')

195

		self._containerClass = ucr.get('ucsschool/ldap/default/container/class', 'klassen')

187

		self._containerRooms = ucr.get('ucsschool/ldap/default/container/rooms', 'raeume')

196

		self._containerRooms = ucr.get('ucsschool/ldap/default/container/rooms', 'raeume')

188

		self._examUserContainerName = ucr.get('ucsschool/ldap/default/container/exam', 'examusers')

197

		self._examUserContainerName = ucr.get('ucsschool/ldap/default/container/exam', 'examusers')

189

		self._examGroupNameTemplate = ucr.get('ucsschool/ldap/default/groupname/exam', 'OU%(ou)s-Klassenarbeit')

198

		# group names

190

199

		self._examGroupName = ucr.get('ucsschool/ldap/default/groupname/exam',

200

			'OU%(ou)s-Klassenarbeit') % {'ou': self._school.lower()}

201

		self._all_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-dc',

202

			'DC-Verwaltungsnetz')

203

		self._all_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/all-administrativ-member',

204

			'Member-Verwaltungsnetz')

205

		self._all_educational_dc = ucr.get('ucsschool/ldap/default/groupname/all-educational-dc',

206

			'DC-Edukativnetz')

207

		self._all_educational_member = ucr.get('ucsschool/ldap/default/groupname/all-educational-member',

208

			'Member-Edukativnetz')

209

		self._ou_administrativ_dc = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-dc',

210

			'OU%(ou)s-DC-Verwaltungsnetz') % {'ou': self._school.lower()}

211

		self._ou_administrativ_member = ucr.get('ucsschool/ldap/default/groupname/ou-administrativ-member',

212

			'OU%(ou)s-Member-Verwaltungsnetz') % {'ou': self._school.lower()}

213

		self._ou_educational_dc = ucr.get('ucsschool/ldap/default/groupname/ou-educational-dc',

214

			'OU%(ou)s-DC-Edukativnetz') % {'ou': self._school.lower()}

215

		self._ou_educational_member = ucr.get('ucsschool/ldap/default/groupname/ou-educational-member',

216

			'OU%(ou)s-Member-Edukativnetz') % {'ou': self._school.lower()}

217

		# group prefixes

191

		self.group_prefix_students = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')

218

		self.group_prefix_students = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')

192

		self.group_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')

219

		self.group_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')

193

		self.group_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')

220

		self.group_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')

194

		self.group_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

221

		self.group_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

222

		# user prefix

223

		self.user_prefix_exam = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')

224

		# share/directory names

225

		self.share_name_class = ucr.get('ucsschool/ldap/default/share/class', 'klassen')

226

		self.share_name_pupils = ucr.get('ucsschool/ldap/default/share/pupils', 'schueler')

227

		self.share_name_teachers = ucr.get('ucsschool/ldap/default/share/teachers', 'lehrer')

228

		self.share_name_exams = ucr.get('ucsschool/ldap/default/share/exams', 'Klassenarbeiten')

229

		self.share_name_marktplatz = ucr.get('ucsschool/import/generate/share/marktplatz/name', 'Marktplatz')

195

230

196

	@classmethod

231

	@classmethod

197

	def getOU(cls, dn):

232

	def getOU(cls, dn):

Lines 260-284	Link Here

260

295

261

	@property

296

	@property

262

	def students(self):

297

	def students(self):

298

		"""cn=schueler,cn=users,<ou dn>"""

263

		return "cn=%s,cn=users,%s" % (self._containerStudents, self.schoolDN)

299

		return "cn=%s,cn=users,%s" % (self._containerStudents, self.schoolDN)

264

300

265

	@property

301

	@property

302

	def students_group(self):

303

		"""cn=schueler,cn=groups,<ou dn>"""

304

		return "cn=%s,cn=groups,%s" % (self._containerStudents, self.schoolDN)

305

306

	@property

307

	def students_ou_group(self):

308

		"""cn=schueler-%(ou)s,cn=groups,<ou dn> (ou already replaced)"""

309

		return "cn=%s%s,cn=groups,%s" % (self.group_prefix_students, self.school, self.schoolDN)

310

311

	@property

266

	def teachers(self):

312

	def teachers(self):

313

		"""cn=lehrer,cn=users,<ou dn>"""

267

		return "cn=%s,cn=users,%s" % (self._containerTeachers, self.schoolDN)

314

		return "cn=%s,cn=users,%s" % (self._containerTeachers, self.schoolDN)

268

315

269

	@property

316

	@property

317

	def teachers_group(self):

318

		"""cn=lehrer,cn=groups,<ou dn>"""

319

		return "cn=%s,cn=groups,%s" % (self._containerTeachers, self.schoolDN)

320

321

	@property

322

	def teachers_ou_group(self):

323

		"""cn=lehrer-%(ou)s,cn=groups,<ou dn> (ou already replaced)"""

324

		return "cn=%s%s,cn=groups,%s" % (self.group_prefix_teachers, self.school, self.schoolDN)

325

326

	@property

270

	def teachersAndStaff(self):

327

	def teachersAndStaff(self):

328

		"""cn=lehrer und mitarbeiter,cn=users,<ou dn>"""

271

		return "cn=%s,cn=users,%s" % (self._containerTeachersAndStaff, self.schoolDN)

329

		return "cn=%s,cn=users,%s" % (self._containerTeachersAndStaff, self.schoolDN)

272

330

273

	@property

331

	@property

274

	def staff(self):

332

	def staff(self):

333

		"""cn=mitarbeiter,cn=users,<ou dn>"""

275

		return "cn=%s,cn=users,%s" % (self._containerStaff, self.schoolDN)

334

		return "cn=%s,cn=users,%s" % (self._containerStaff, self.schoolDN)

276

335

277

	@property

336

	@property

337

	def staff_group(self):

338

		"""cn=mitarbeiter,cn=groups,<ou dn>"""

339

		return "cn=%s,cn=groups,%s" % (self._containerStaff, self.schoolDN)

340

341

	@property

342

	def staff_ou_group(self):

343

		"""cn=mitarbeiter-%(ou)s,cn=groups,<ou dn> (ou already replaced)"""

344

		return "cn=%s%s,cn=groups,%s" % (self.group_prefix_staff, self.school, self.schoolDN)

345

346

	@property

278

	def admins(self):

347

	def admins(self):

348

		"""cn=admins,cn=users,<ou dn>"""

279

		return "cn=%s,cn=users,%s" % (self._containerAdmins, self.schoolDN)

349

		return "cn=%s,cn=users,%s" % (self._containerAdmins, self.schoolDN)

280

350

281

	@property

351

	@property

352

	def admin_group(self):

353

		"""cn=admins-%(ou)s,cn=ouadmins,cn=groups,<ou dn> (ou already replaced)"""

354

		return "cn=%s%s,cn=ouadmins,cn=groups,%s" % (self.group_prefix_admins, self.school, self.schoolDN)

355

356

	@property

282

	def classShares(self):

357

	def classShares(self):

283

		return "cn=%s,cn=shares,%s" % (self._containerClass, self.schoolDN)

358

		return "cn=%s,cn=shares,%s" % (self._containerClass, self.schoolDN)

284

359

Lines 304-331	Link Here

304

379

305

	@property

380

	@property

306

	def educationalDCGroup(self):

381

	def educationalDCGroup(self):

307

		return "cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase)

382

		"""deprecated, please use educational_ou_dc_group"""

383

		return self.educational_ou_dc_group

308

384

309

	@property

385

	@property

310

	def educationalMemberGroup(self):

386

	def educationalMemberGroup(self):

311

		return "cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase)

387

		"""deprecated, please use educational_ou_member_group"""

388

		return self.educational_ou_member_group

312

389

313

	@property

390

	@property

314

	def administrativeDCGroup(self):

391

	def administrativeDCGroup(self):

315

		return "cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase)

392

		"""deprecated, please use administrative_ou_dc_group"""

393

		return self.administrative_ou_dc_group

316

394

317

	@property

395

	@property

318

	def administrativeMemberGroup(self):

396

	def administrativeMemberGroup(self):

319

		return "cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % (self.school, self._ldapBase)

397

		"""deprecated, please use administrative_ou_member_group"""

398

		return self.administrative_ou_member_group

320

399

321

	@property

400

	@property

401

	def administrative_dc_group(self):

402

		"""cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base>"""

403

		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_dc, self._ldapBase)

404

405

	@property

406

	def administrative_member_group(self):

407

		"""cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base>"""

408

		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_administrativ_member, self._ldapBase)

409

410

	@property

411

	def educational_dc_group(self):

412

		"""cn=DC-Edukativnetz,cn=ucsschool,cn=groups,<ldap base>"""

413

		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_dc, self._ldapBase)

414

415

	@property

416

	def educational_member_group(self):

417

		"""cn=Member-Edukativnetz,cn=ucsschool,cn=groups,<ldap base>"""

418

		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._all_educational_member, self._ldapBase)

419

420

	@property

421

	def educational_ou_dc_group(self):

422

		"""cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""

423

		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_dc, self._ldapBase)

424

425

	@property

426

	def educational_ou_member_group(self):

427

		"""cn=OU%(ou)s-Member-Edukativnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""

428

		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_educational_member, self._ldapBase)

429

430

	@property

431

	def administrative_ou_dc_group(self):

432

		"""cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""

433

		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_dc, self._ldapBase)

434

435

	@property

436

	def administrative_ou_member_group(self):

437

		"""cn=OU%(ou)s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""

438

		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self._ou_administrativ_member, self._ldapBase)

439

440

	@property

322

	def examGroupName(self):

441

	def examGroupName(self):

323

		# replace '%(ou)s' strings in generic exam_group_name

442

		"""OU%(ou)s-Klassenarbeit (only name, not a DN, ou already replaced)"""

324

		ucr_value_keywords = {'ou': self.school}

443

		return self._examGroupName

325

		return self._examGroupNameTemplate % ucr_value_keywords

326

444

327

	@property

445

	@property

328

	def examGroup(self):

446

	def examGroup(self):

447

		"""cn=OU%(ou)s-Klassenarbeit,cn=ucsschool,cn=groups,<ldap base> (ou already replaced)"""

329

		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self.examGroupName, self._ldapBase)

448

		return "cn=%s,cn=ucsschool,cn=groups,%s" % (self.examGroupName, self._ldapBase)

330

449

331

	def isWorkgroup(self, groupDN):

450

	def isWorkgroup(self, groupDN):




	#
	# $ servers_school_ous -h $(ucr get ldap/master) -p $(ucr get ldap/master/port)
	# ou=bar,dc=example,dc=com
	local ldap_hostdn ldap_base ldap_server ldap_port IFS res
	. /usr/share/univention-lib/ucr.sh

	ldap_base="$(/usr/sbin/univention-config-registry get ldap/base)"

	res=""
	for oudn in $(univention-ldapsearch $ldap_server $ldap_port -xLLL -b "$ldap_base" 'objectClass=ucsschoolOrganizationalUnit' dn | ldapsearch-wrapper | sed -nre 's/^dn: //p') ; do
		ouname="$(school_ou "$oudn")"
		search_str="(|(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-educational-dc ${ouname}))(cn=$(ucr_names_default ucsschool/ldap/default/groupname/ou-administrativ-dc OU${ouname})))"
		if ! is_ucr_true ucsschool/singlemaster; then
			search_str="(&${search_str}(uniqueMember=${ldap_hostdn}))"
			search_str="(&(|(cn=OU${ouname}-DC-Edukativnetz)(cn=OU${ouname}-DC-Verwaltungsnetz))(uniqueMember=${ldap_hostdn}))"
		fi
		if univention-ldapsearch $ldap_server $ldap_port -xLLL "$search_str" dn | grep -q "^dn: "; then
			res="$res

	done
	echo -n "${res}" | egrep -v "^\s*$"
}

replace_ou() {
	# syntax: replace_ou <template> <ou>
	#
	# Replace '%(ou)s' in <template> with <ou>
	#
	# example:
	# $ replace_ou "OU%(ou)s-DC-Edukativnetz" "myschool"
	# "OUmyschool-DC-Edukativnetz
	if [ "$#" != 2 ]; then
		echo "syntax: replace_ou <template> <ou>"
		return 1
	fi
	echo -n "$1" | sed "s/%(ou)s/$2/"
}

ucr_names_default() {
	# syntax: ucr_names_default <ucr> [ou]
	#
	# Get UCR value or default, optionally replace '%(ou)s'.
	#
	# example:
	# $ ucr_names_default "ucsschool/ldap/default/container/pupils"
	# "schueler
	# $ ucr_names_default "ucsschool/ldap/default/groupname/ou-administrativ-dc" "myschool"
	# "OUmyschool-DC-Verwaltungsnetz"
	local res

	if [ "$#" -lt 1 -o "$#" -gt 2 ]; then
		echo "syntax: ucr_names_default <ucr> [ou]"
		return 1
	fi
	if [ $(echo -n "$1" | cut -f 1-3 -d '/') != 'ucsschool/ldap/default' ]; then
		echo "<ucr> must be a UCR variable from ucsschool/ldap/default/*/*"
		return 1
	fi

	#
	# When adding/updating UCRV defaults, also add/update them in python/schoolldap.py.
	#

	res="$(ucr get $1)"
	if [ -z "$res" ]; then
		case "$1" in
			# containers
			'ucsschool/ldap/default/container/admins') res='admins';;
			'ucsschool/ldap/default/container/pupils') res='schueler';;
			'ucsschool/ldap/default/container/staff') res='mitarbeiter';;
			'ucsschool/ldap/default/container/teachers-and-staff') res='lehrer und mitarbeiter';;
			'ucsschool/ldap/default/container/teachers') res='lehrer';;
			'ucsschool/ldap/default/container/class') res='klassen';;
			'ucsschool/ldap/default/container/rooms') res='raeume';;
			'ucsschool/ldap/default/container/exam') res='examusers';;
			# group names
			'ucsschool/ldap/default/groupname/exam') res='OU%(ou)%s-Klassenarbeit';;
			'ucsschool/ldap/default/groupname/all-administrativ-dc') res='DC-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/all-administrativ-member') res='Member-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/all-educational-dc') res='DC-Edukativnetz';;
			'ucsschool/ldap/default/groupname/all-educational-member') res='Member-Edukativnetz';;
			'ucsschool/ldap/default/groupname/ou-administrativ-dc') res='OU%(ou)s-DC-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/ou-administrativ-member') res='OU%(ou)s-Member-Verwaltungsnetz';;
			'ucsschool/ldap/default/groupname/ou-educational-dc') res='OU%(ou)s-DC-Edukativnetz';;
			'ucsschool/ldap/default/groupname/ou-educational-member') res='OU%(ou)s-Member-Edukativnetz';;
			# group prefixes
			'ucsschool/ldap/default/groupprefix/pupils') res='schueler-';;
			'ucsschool/ldap/default/groupprefix/teachers') res='lehrer-';;
			'ucsschool/ldap/default/groupprefix/admins') res='admins-';;
			'ucsschool/ldap/default/groupprefix/staff') res='mitarbeiter-';;
			# user prefix
			'ucsschool/ldap/default/userprefix/exam') res='exam-';;
			# share/directory names
			'ucsschool/ldap/default/share/class') res='klassen';;
			'ucsschool/ldap/default/share/pupils') res='schueler';;
			'ucsschool/ldap/default/share/teachers') res='lehrer';;
			'ucsschool/ldap/default/share/exams') res='Klassenarbeiten';;
			'ucsschool/import/generate/share/marktplatz/name') res='Marktplatz';;
		esac
	fi
	if [ -z "$res" ]; then
		echo "Error: Unknown UCR $1."
		return 1
	fi

	if [ -z "$2" ]; then
		echo -n "$res"
	else
		replace_ou "$res" "$2"
	fi
}

(-)ucs-school-netlogon-user-logonscripts/99ucs-school-netlogon-user-logonscripts.inst (-3 / +6 lines)

Lines 32-40	Link Here

VERSION="1"

VERSION="1"

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/univention-join/joinscripthelper.lib

. /usr/share/ucs-school-lib/base.sh

joinscript_init

joinscript_init

eval "$(univention-config-registry shell)"

eval "$(univention-config-registry shell)"

share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"

# samba 4 netlogon share

# samba 4 netlogon share

myrealm=$(echo $kerberos_realm |  awk '{print tolower($0)}')

myrealm=$(echo $kerberos_realm |  awk '{print tolower($0)}')

Lines 43-51	Link Here

fi

fi

univention-config-registry set \

univention-config-registry set \

    ucsschool/userlogon/commonshares?"Marktplatz" \

    ucsschool/userlogon/commonshares?"$share_name" \

    ucsschool/userlogon/commonshares/server/Marktplatz?"$hostname" \

    "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \

    ucsschool/userlogon/commonshares/letter/Marktplatz?"M" \

    "ucsschool/userlogon/commonshares/letter/$share_name?M" \

    ucsschool/userlogon/classshareletter?"K" \

    ucsschool/userlogon/classshareletter?"K" \

    ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs'

    ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs'

(-)ucs-school-netlogon-user-logonscripts/debian/control (+1 lines)

Lines 13-18	Link Here

 univention-directory-listener,

 univention-directory-listener,

 ucs-school-netlogon,

 ucs-school-netlogon,

 shell-univention-lib,

 shell-univention-lib,

 shell-ucs-school,

 univention-config

 univention-config

Description: UCS@school userspecific netlogon scripts

Description: UCS@school userspecific netlogon scripts

 This package provides a listener-module that creates

 This package provides a listener-module that creates




#DEBHELPER#

. /usr/share/univention-lib/all.sh
. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"
share_name="$(ucr_names_default ucsschool/import/generate/share/marktplatz/name)"

univention-config-registry set \
	samba/homedirletter?I \
    ucsschool/userlogon/commonshares?"$share_name" \
    "ucsschool/userlogon/commonshares/server/$share_name?$hostname" \
    "ucsschool/userlogon/commonshares/letter/$share_name?M" \
    ucsschool/userlogon/classshareletter?"K" \
    ucsschool/netlogon/ucs-school-netlogon-user-logonscripts/script?'user\%USERNAME%.vbs' \
	ucsschool/userlogon/myshares/enabled?no

(-)ucs-school-umc-computerroom/umc/python/computerroom/__init__.py (-1 / +1 lines)

Lines 700-706	Link Here

700

			vset[vunset[-1]] = shareMode

700

			vset[vunset[-1]] = shareMode

701

			vextract.append('samba/othershares/hosts/deny')

701

			vextract.append('samba/othershares/hosts/deny')

702

			vappend[vextract[-1]] = hosts

702

			vappend[vextract[-1]] = hosts

703

			vextract.append('samba/share/Marktplatz/hosts/deny')

703

			vextract.append('samba/share/{}/hosts/deny'.format(School.get_search_base(self._italc.school).share_name_marktplatz))

704

			vappend[vextract[-1]] = hosts

704

			vappend[vextract[-1]] = hosts

705

		else:

705

		else:

706

			vunset_now.append('samba/sharemode/room/%s' % self._italc.room)

706

			vunset_now.append('samba/sharemode/room/%s' % self._italc.room)

(-)ucs-school-umc-csv-import/umc/python/schoolcsvimport/util.py (-1 / +1 lines)

Lines 126-132	Link Here

126

			firstname = firstname[:5] + '.'

126

			firstname = firstname[:5] + '.'

127

128

		username = firstname + lastname[:5]

128

		username = firstname + lastname[:5]

129

		maxlength = 20 - len(ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-'))

129

		maxlength = 20 - len(self.get_search_base(self.school).user_prefix_exam)

130

		return replace_invalid_chars(username[:maxlength])

130

		return replace_invalid_chars(username[:maxlength])

131

132

	@classmethod

132

	@classmethod

(-)ucs-school-umc-exam/debian/control (+1 lines)

Lines 31-36	Link Here

 python-ucs-school,

 python-ucs-school,

 ucs-school-import,

 ucs-school-import,

 shell-univention-lib,

 shell-univention-lib,

 shell-ucs-school,

 univention-ldap-config (>= 9.0.27-3),

 univention-ldap-config (>= 9.0.27-3),

Description: UMC module delivering backend services for ucs-school-umc-exam

Description: UMC module delivering backend services for ucs-school-umc-exam

 UMC module delivering backend services for ucs-school-umc-exam

 UMC module delivering backend services for ucs-school-umc-exam




[ $# -ne 2 ] && echo "USAGE: $(basename $0) FILE DN" && exit 1

. /usr/share/univention-lib/ucr.sh
. /usr/share/ucs-school-lib/base.sh

eval "$(ucr shell)"


	district=",ou=${ou:0:2}"
fi

examusers="$(ucr_names_default ucsschool/ldap/default/container/exam)"
if [ -z "$examusers" ] ; then
	examusers='examusers'
fi

udm container/cn create --ignore_exists \
	--position "ou=${ou}${district},${ldap_base}" \
	--set name="${examusers}" \

ou_specific_examgroupname="$(ucr_names_default ucsschool/ldap/default/groupname/exam)"
if [ -z "$examgroupname" ] ; then
	examgroupname='OU%(ou)s-Klassenarbeit'
fi
ou_specific_examgroupname=$(python -c "print '$examgroupname' % {'ou': '$ou'}")

udm groups/group create --ignore_exists \
	--position "cn=ucsschool,cn=groups,${ldap_base}" \




import univention.config_registry
import univention.uldap
import univention.admin.uldap
from ucsschool.lib.models import ExamStudent
from univention.lib.umc_connection import UMCConnection
from univention.admin.uexceptions import noObject
from ldap.filter import escape_filter_chars

		self.hostname = self.ucr.get('hostname')
		self.umcp = self.get_UMCP_connection()
		self.lo = self.get_LDAP_connection()
		self.exam_prefix = self.ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')
		self.DIR_ROOMS = '/var/cache/ucs-school-umc-computerroom'
		self.DIR_EXAMS = self.ucr.get('ucsschool/exam/cache', '/var/lib/ucs-school-umc-schoolexam')


			ou_list = self.lo.search(filter='(objectClass=ucsschoolOrganizationalUnit)')
			for ou_dn, ou_attrs in ou_list:
				ou_name = ou_attrs['ou'][0]
				exam_prefix = ExamStudent.get_search_base(ou_name).user_prefix_exam
				try:
					userlist = mod_user.lookup({}, lo, 'uid=%s*' % (escape_filter_chars(exam_prefix),), base=ExamStudent.get_container(ou_name))
				except noObject:
					# no exam users container in this OU
					continue




import traceback
import re
from ldap.filter import filter_format
from ldap import explode_dn

from univention.management.console.config import ucr
from univention.management.console.log import MODULE

	def __init__(self):
		SchoolBaseModule.__init__(self)

		self._examUserPrefix = ucr.get('ucsschool/ldap/default/userprefix/exam', 'exam-')

		# cache objects
		self._udm_modules = dict()
		self._examGroup = None

	def examUserContainerDN(self, ldap_admin_write, ldap_position, school):
		'''lookup examUserContainerDN, create it if missing'''
		if not self._examUserContainerDN:
			examUsers = ExamStudent.get_container(school)
			examUserContainerName = explode_dn(ExamStudent.get_search_base(school).examUsers, True)[0]
			examUserContainerName = search_base._examUserContainerName
			try:
				ldap_admin_write.searchDn('(objectClass=organizationalRole)', examUsers, scope='base')
			except univention.admin.uexceptions.noObject:

		user_orig = user.get_udm_object(ldap_admin_write)

		# uid and DN of exam_user
		exam_user_prefix = ExamStudent.get_search_base(school).user_prefix_exam
		exam_user_uid = "".join((exam_user_prefix, user_orig['username']))
		exam_user_dn = "uid=%s,%s" % (exam_user_uid, self.examUserContainerDN(ldap_admin_write, ldap_position, user.school or school))

		try:




import univention.testing.udm
import univention.testing.utils as utils
from univention.testing.umc2 import Client
from ucsschool.lib.models import SchoolClass


def _dir(userName):

# get the current printed jobs
def queryPrintJobs(connection, printerName, cName, school, pattern, basedn):
	if cName != 'None':
		cdn = SchoolClass(school=school, name=cName).dn
			cName,
			school,
			basedn)
	else:
		cdn = cName
	param = {'school': school, 'class': cdn, 'pattern': pattern}

				klasse1_dn = udm.create_object(
					'groups/group',
					name='%s-1A' % school,
					position=SchoolClass.get_container(oudn)
				)
				klasse2_dn = udm.create_object(
					'groups/group',
					name='%s-2B' % school,
					position=SchoolClass.get_container(school)
				)
				tea, teadn = schoolenv.create_user(school, is_teacher=True)
				stu1, stu1_dn = schoolenv.create_user(school)

(-)ucs-test-ucsschool/90_ucsschool/101_exam_mode (-2 / +2 lines)

Lines 14-20	Link Here

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

import univention.testing.udm

import univention.testing.udm

import univention.testing.strings as uts

import univention.testing.strings as uts

from ucsschool.lib.models import Student

from ucsschool.lib.models import SchoolClass, Student

def main():

def main():

Lines 32-38	Link Here

				else:

				else:

					edudc = ucr.get('hostname')

					edudc = ucr.get('hostname')

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn)

				klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position=SchoolClass.get_container(school))

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				stu, studn = schoolenv.create_user(school)

				stu, studn = schoolenv.create_user(school)

(-)ucs-test-ucsschool/90_ucsschool/101_exam_mode_group_members (-6 / +14 lines)

Lines 16-22	Link Here

import univention.testing.udm

import univention.testing.udm

import univention.testing.utils as utils

import univention.testing.utils as utils

import univention.testing.strings as uts

import univention.testing.strings as uts

from ucsschool.lib.models import Student

from ucsschool.lib.models import ExamStudent, SchoolClass, Student

def main():

def main():

Lines 31-37	Link Here

				else:

				else:

					edudc = ucr.get('hostname')

					edudc = ucr.get('hostname')

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn)

				klasse_dn = udm.create_object(

					'groups/group',

					name='%s-AA1' % school,

					position=SchoolClass.get_container(school)

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				stu, studn = schoolenv.create_user(school)

				stu, studn = schoolenv.create_user(school)

				student2 = Student(

				student2 = Student(

Lines 68-84	Link Here

				try:

				try:

					expected_memberUid = ["%s$" % pc2.name, "exam-%s" % stu, "exam-%s" % student2.name]

					expected_memberUid = ["%s$" % pc2.name, "exam-%s" % stu, "exam-%s" % student2.name]

					expected_uniqueMember = ["%s" % pc2.dn, "uid=exam-%s,cn=examusers,%s" % (stu, oudn), "uid=exam-%s,cn=examusers,%s" % (student2.name, oudn)]

					expected_uniqueMember = [

						pc2.dn,

						ExamStudent(school=school, name=stu).dn,

						ExamStudent(school=school, name=student2.name).dn

					# Get the current attributes values

					# Get the current attributes values

					lo = getMachineConnection()

					lo = getMachineConnection()

					exam_group_dn = "cn=OU%s-Klassenarbeit,cn=ucsschool,cn=groups,%s" % (school, ucr.get('ldap/base'))

					exam_group_dn = ExamStudent.get_search_base(school).examGroup

					memberUid = lo.search(base=exam_group_dn)[0][1].get('memberUid')

					memberUid = lo.search(base=exam_group_dn)[0][1].get('memberUid')

					uniqueMember = lo.search(base=exam_group_dn)[0][1].get('uniqueMember')

					uniqueMember = lo.search(base=exam_group_dn)[0][1].get('uniqueMember')

					if (set(memberUid) != set(expected_memberUid)):

					if set(memberUid) != set(expected_memberUid):

						utils.fail("Current memberUid = %r\nExpected = %r" % (memberUid, expected_memberUid))

						utils.fail("Current memberUid = %r\nExpected = %r" % (memberUid, expected_memberUid))

					if (set(uniqueMember) != set(expected_uniqueMember)):

					if set(uniqueMember) != set(expected_uniqueMember):

						utils.fail("Current uniqueMember = %r\nExpected= %r" % (uniqueMember, expected_uniqueMember))

						utils.fail("Current uniqueMember = %r\nExpected= %r" % (uniqueMember, expected_uniqueMember))

				finally:

				finally:

(-)ucs-test-ucsschool/90_ucsschool/101_exam_mode_settings (-2 / +2 lines)

Lines 18-24	Link Here

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

import univention.testing.udm

import univention.testing.udm

import univention.testing.strings as uts

import univention.testing.strings as uts

from ucsschool.lib.models import Student

from ucsschool.lib.models import SchoolClass, Student

def main():

def main():

Lines 37-43	Link Here

					edudc = ucr.get('hostname')

					edudc = ucr.get('hostname')

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				school, oudn = schoolenv.create_ou(name_edudc=edudc)

				klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position="cn=klassen,cn=schueler,cn=groups,%s" % oudn)

				klasse_dn = udm.create_object('groups/group', name='%s-AA1' % school, position=SchoolClass.get_container(school))

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				tea, teadn = schoolenv.create_user(school, is_teacher=True)

				stu, studn = schoolenv.create_user(school)

				stu, studn = schoolenv.create_user(school)




import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.utils as utils
from ucsschool.lib.models import ClassShare, SchoolClass


BACKUP_PATH = '/home/backup/groups'





def share_dn(class_name, school):
	return ClassShare(school=school, name=class_name).dn
		return 'cn=%s,cn=klassen,cn=shares,ou=%s,%s' % (class_name, school, ucr.get('ldap/base'))


def class_dn(class_name, school):
	return SchoolClass(school=school, name=class_name).dn
		return 'cn=%s,cn=klassen,cn=schueler,cn=groups,ou=%s,%s' % (class_name, school, ucr.get('ldap/base'))


def share_path(class_name, school):
	sc = SchoolClass(school=school, name=class_name)
	path = ClassShare(school=school, name=class_name, school_group=sc).get_share_path()
	if os.path.exists(path):
		return path


(-)ucs-test-ucsschool/90_ucsschool/110_set_default-umc-users (-1 / +2 lines)

Lines 10-15	Link Here

import ldap

import ldap

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

from ucsschool.lib.models import Group

def main():

def main():

Lines 38-44	Link Here

					utils.fail('Attribute %s was not found in ldap object %r' % (

					utils.fail('Attribute %s was not found in ldap object %r' % (

						'univentionPolicyReference', base))

						'univentionPolicyReference', base))

				except ldap.NO_SUCH_OBJECT as e:

				except ldap.NO_SUCH_OBJECT as e:

					if "cn=groups,%s" % (schoolenv.get_ou_base_dn(school),) in str(e):

					if Group.get_container(school) in str(e):

						print ('* Cought an expected exception: %r' % e)

						print ('* Cought an expected exception: %r' % e)

					else:

					else:

						utils.fail('Unexpected Exception: %r' % e)

						utils.fail('Unexpected Exception: %r' % e)

(-)ucs-test-ucsschool/90_ucsschool/131_check_for_nfs_shares (-1 / +1 lines)

Lines 19-25	Link Here

			for share in Share.get_all(lo, school.name):

			for share in Share.get_all(lo, school.name):

				share_udm = share.get_udm_object(lo)

				share_udm = share.get_udm_object(lo)

				if "nfs" in share_udm.options:

				if "nfs" in share_udm.options:

					if share.name in ["Marktplatz", "iTALC-Installation"]:

					if share.name in [Share.get_search_base(school).share_name_marktplatz, "iTALC-Installation"]:

						print("*** Ignoring //{}/{} (Bug #42514)".format(school.name, share.name))

						print("*** Ignoring //{}/{} (Bug #42514)".format(school.name, share.name))

					else:

					else:

						nfs_shares.append((school.name, share.name))

						nfs_shares.append((school.name, share.name))

(-)ucs-test-ucsschool/90_ucsschool/16_s4_slave_automatic_srv_record (-2 / +2 lines)

Lines 135-141	Link Here

135

					position="cn=dc,cn=server,cn=computers,%s" % (school.dn,),

135

					position="cn=dc,cn=server,cn=computers,%s" % (school.dn,),

136

					domain=ucr.get('domainname'),

136

					domain=ucr.get('domainname'),

137

					service=("S4 SlavePDC", _local_ucsschool_service),

137

					service=("S4 SlavePDC", _local_ucsschool_service),

138

					groups=("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr)

138

					groups=(school.get_search_base(school.name).educational_dc_group)

139

140

141

				positive_test_fqdn = ".".join((positive_test_hostname, ucr.get('domainname')))

141

				positive_test_fqdn = ".".join((positive_test_hostname, ucr.get('domainname')))

Lines 148-154	Link Here

148

					position="cn=dc,cn=server,cn=computers,%s" % (school.dn,),

148

					position="cn=dc,cn=server,cn=computers,%s" % (school.dn,),

149

					domain=ucr.get('domainname'),

149

					domain=ucr.get('domainname'),

150

					service=("S4 SlavePDC", _not_local_ucsschool_service),

150

					service=("S4 SlavePDC", _not_local_ucsschool_service),

151

					groups=("cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(ldap/base)s" % ucr)

151

					groups=(school.get_search_base(school.name).educational_dc_group)

152

153

154

				negative_test_fqdn = ".".join((negative_test_hostname, ucr.get('domainname')))

154

				negative_test_fqdn = ".".join((negative_test_hostname, ucr.get('domainname')))




import univention.testing.ucsschool as utu
import univention.testing.udm as udm_test
import univention.testing.utils as utils
from ucsschool.lib.models import School
from univention.testing.umc2 import Client



				utils.wait_for_replication_and_postrun()

				basedn = ucr.get('ldap/base')
				search_base = School.get_search_base(school)
				position = search_base.admins
				groups = [search_base.admin_group]
				dn, schooladmin = udm.create_user(position=position, groups=groups)
				groups = ["cn=Domain Admins,cn=groups,%s" % (basedn,)]
				dn, domainadmin = udm.create_user(position=position, groups=groups)




import univention.testing.utils as utils
from essential.importusers_cli_v2 import CLI_Import_v2_Tester
from essential.importusers import Person
from ucsschool.lib.models import SchoolClass, WorkGroup


class Test(CLI_Import_v2_Tester):

		self.log.debug('*** Creating groups...')
		global_group_dn, global_group_name = self.udm.create_group()
		workgroup_A_dn, workgroup_A_name = self.udm.create_group(
			position=WorkGroup.get_container(self.ou_A.name),
			name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
		class_A_dn, class_A_name = self.udm.create_group(
			position=SchoolClass.get_container(self.ou_A.name),
			name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
		cn_A_dn = self.udm.create_object('container/cn', position=self.ou_A.dn, name='kurs-%s' % uts.random_string())
		extra_A_group1_dn, extra_A_group1_name = self.udm.create_group(position=cn_A_dn)

			name="{}-{}".format(self.ou_A.name, uts.random_groupname()))

		workgroup_B_dn, workgroup_B_name = self.udm.create_group(
			position=WorkGroup.get_container(self.ou_B.name),
			name="{}-{}".format(self.ou_B.name, uts.random_groupname()))
		class_B_dn, class_B_name = self.udm.create_group(
			position=SchoolClass.get_container(self.ou_B.name),
			name="{}-{}".format(self.ou_B.name, uts.random_groupname()))
		cn_B_dn = self.udm.create_object('container/cn', position=self.ou_B.dn, name='kurs-%s' % uts.random_string())
		extra_B_group1_dn, extra_B_group1_name = self.udm.create_group(position=cn_B_dn)




import univention.testing.utils as utils
from essential.importusers_cli_v2 import CLI_Import_v2_Tester
from essential.importusers import Person
from ucsschool.lib.models import SchoolClass


class Test(CLI_Import_v2_Tester):


		def create_user_w_two_classes(record_uid, source_uid, same_ou=True):
			cls1_dn, cls1_name = self.udm.create_group(
				position=SchoolClass.get_container(self.ou_A.name),
				name="{}-{}".format(self.ou_A.name, uts.random_groupname()))
			if same_ou:
				dn = self.ou_A.dn

				name = self.ou_B.name
				school = sorted([self.ou_A.name, self.ou_B.name])[0]
			cls2_dn, cls2_name = self.udm.create_group(
				position=SchoolClass.get_container(name),
				name="{}-{}".format(name, uts.random_groupname()))
			person = Person(school, role)
			person.update(record_uid=record_uid, source_uid=source_uid, username=uts.random_username())

(-)ucs-test-ucsschool/90_ucsschool/22_computerroom_two_rooms_settings_interference (-1 / +2 lines)

Lines 11-16	Link Here

from essential.computerroom import Room, Computers, add_printer, remove_printer, clean_folder

from essential.computerroom import Room, Computers, add_printer, remove_printer, clean_folder

from essential.internetrule import InternetRule

from essential.internetrule import InternetRule

from essential.workgroup import Workgroup

from essential.workgroup import Workgroup

from ucsschool.lib.models import Share

from univention.testing.umc2 import Client

from univention.testing.umc2 import Client

from univention.testing.network import NetworkRedirector

from univention.testing.network import NetworkRedirector

import datetime

import datetime

Lines 113-119	Link Here

113

								room1.check_behavior(room1_old_settings, room1_new_settings, tea, computers_ips[1], printer_name, white_page, global_domains, ucr)

114

								room1.check_behavior(room1_old_settings, room1_new_settings, tea, computers_ips[1], printer_name, white_page, global_domains, ucr)

114

								# For DEBUG purposes

115

								# For DEBUG purposes

115

								# run_commands([['ucr', 'search', room1.name], ['ucr','search', room2.name], ['atq']], {})

116

								# run_commands([['ucr', 'search', room1.name], ['ucr','search', room2.name], ['atq']], {})

116

								clean_folder('/home/gsmitte/groups/Marktplatz/')

117

								clean_folder('/home/gsmitte/groups/{}/'.format(Share.get_search_base(school).share_name_marktplatz))

117

								clean_folder('/home/%s/lehrer/%s/' % (school, tea))

118

								clean_folder('/home/%s/lehrer/%s/' % (school, tea))

118

							# TODO Exception Errno4

119

							# TODO Exception Errno4

119

							except ConnectorError as e:

120

							except ConnectorError as e:

(-)ucs-test-ucsschool/90_ucsschool/40_schoolwizard_school_create (-27 / +22 lines)

Lines 8-14	Link Here

##   - ucs-school-master | ucs-school-singlemaster

##   - ucs-school-master | ucs-school-singlemaster

import pytest

import pytest

from ucsschool.lib.models import Group

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

import univention.testing.strings as uts

import univention.testing.strings as uts

Lines 31-36	Link Here

	assert connection.umc_command('schoolwizards/schools/create', jsonargs, 'schoolwizards/schools').result[0] is True

	assert connection.umc_command('schoolwizards/schools/create', jsonargs, 'schoolwizards/schools').result[0] is True

def grp_dns(ou_name, edu=True):

	search_base = Group.get_search_base(ou_name)

	if edu:

		return [search_base.educational_ou_dc_group, search_base.educational_dc_group]

	else:

		return [search_base.administrative_ou_dc_group, search_base.administrative_dc_group]

def main():

def main():

	remove_ous = []

	remove_ous = []

	testschool = UCSTestSchool()

	testschool = UCSTestSchool()

Lines 47-54	Link Here

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=False)

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=False)

		else:

		else:

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

			for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

			for grp_dn in grp_dns(ou_name):

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

		msg = 'new random OU, new random DC'

		msg = 'new random OU, new random DC'

Lines 59-66	Link Here

		schoolwizards_schools_create(ou_name, dc_name)

		schoolwizards_schools_create(ou_name, dc_name)

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

		for grp_dn in grp_dns(ou_name):

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

		msg = 'new random OU, existing DC in other OU'

		msg = 'new random OU, existing DC in other OU'

Lines 70-77	Link Here

		schoolwizards_schools_create(ou_name, dc_name)

		schoolwizards_schools_create(ou_name, dc_name)

		# reusing first DC

		# reusing first DC

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

		for grp_dn in grp_dns(ou_name):

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

		msg = 'new random OU with existing DC in cn=computers,BASEDN'

		msg = 'new random OU with existing DC in cn=computers,BASEDN'

Lines 90-97	Link Here

			schoolwizards_schools_create(ou_name, dc_name)

			schoolwizards_schools_create(ou_name, dc_name)

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

			for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

			for grp_dn in grp_dns(ou_name):

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

100

		msg = 'new random OU, new random DC and then try to add a second new random DC'

101

		msg = 'new random OU, new random DC and then try to add a second new random DC'

Lines 102-109	Link Here

102

		schoolwizards_schools_create(ou_name, dc_name)

106

		schoolwizards_schools_create(ou_name, dc_name)

103

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

107

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

104

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

108

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

105

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

109

		for grp_dn in grp_dns(ou_name):

106

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

107

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

110

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

108

111

109

		dc_name = uts.random_string()

112

		dc_name = uts.random_string()

Lines 111-118	Link Here

111

			schoolwizards_schools_create(ou_name, dc_name)

114

			schoolwizards_schools_create(ou_name, dc_name)

112

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

115

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

113

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

116

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

114

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

117

		for grp_dn in grp_dns(ou_name):

115

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

116

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

118

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

117

119

118

		msg = 'new random OU, new random administrative DC'

120

		msg = 'new random OU, new random administrative DC'

Lines 125-135	Link Here

125

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

127

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

126

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

128

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

127

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

129

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

128

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

130

		for grp_dn in grp_dns(ou_name):

129

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

130

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

131

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

131

		for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

132

		for grp_dn in grp_dns(ou_name, False):

132

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

133

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

133

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

134

135

		msg = 'new random OU, new random educational DC and then try to add a second new random administrative DC'

135

		msg = 'new random OU, new random educational DC and then try to add a second new random administrative DC'

Lines 140-147	Link Here

140

		schoolwizards_schools_create(ou_name, dc_name)

140

		schoolwizards_schools_create(ou_name, dc_name)

141

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

141

		dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

142

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

142

		utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

143

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

143

		for grp_dn in grp_dns(ou_name):

144

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

145

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

144

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

146

145

147

		dc_name_administrative = uts.random_string()

146

		dc_name_administrative = uts.random_string()

Lines 149-159	Link Here

149

			schoolwizards_schools_create(ou_name, dc_name, dc_name_administrative)

148

			schoolwizards_schools_create(ou_name, dc_name, dc_name_administrative)

150

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

149

		dc_dn_administrative = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name_administrative, testschool.get_ou_base_dn(ou_name))

151

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

150

		utils.verify_ldap_object(dc_dn_administrative, expected_attr={'cn': [dc_name_administrative]}, strict=True, should_exist=True)

152

		for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

151

		for grp_dn in grp_dns(ou_name):

153

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

154

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

152

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

155

		for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

153

		for grp_dn in grp_dns(ou_name, False):

156

			grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

157

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

154

			utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

158

155

159

		msg = 'new random OU with existing administrative DC in cn=computers,BASEDN'

156

		msg = 'new random OU with existing administrative DC in cn=computers,BASEDN'

Lines 174-184	Link Here

174

171

175

			dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

172

			dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, testschool.get_ou_base_dn(ou_name))

176

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

173

			utils.verify_ldap_object(dc_dn, expected_attr={'cn': [dc_name]}, strict=True, should_exist=True)

177

			for grp_dn in ('cn=OU%(ou)s-DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

174

			for grp_dn in grp_dns(ou_name):

178

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

179

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

175

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn]}, strict=False, should_exist=True)

180

			for grp_dn in ('cn=OU%(ou)s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%(basedn)s', ):

176

			for grp_dn in grp_dns(ou_name, False):

181

				grp_dn = grp_dn % {'ou': ou_name, 'basedn': ucr.get('ldap/base')}

182

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

177

				utils.verify_ldap_object(grp_dn, expected_attr={'uniqueMember': [dc_dn_administrative]}, strict=False, should_exist=True)

183

178

184

	finally:

179

	finally:




#!/usr/share/ucs-test/runner python
## -*- coding: utf-8 -*-
## desc: check marktplatz creation
## roles: [domaincontroller_master]
## tags: [apptest,ucsschool]
## exposure: dangerous
## packages: [ucs-school-umc-computerroom]
## bugs: [40785, 41231]

import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.strings as uts
from univention.testing import utils
from univention.config_registry import handler_set, handler_unset



def main():
	with utu.UCSTestSchool() as schoolenv, ucr_test.UCSTestConfigRegistry() as ucr:
		for should_exist, variable, name in [(False, None, ''), (True, 'yes', 'Marktplatz'), (True, 'yes', uts.random_name()), (False, 'no', '')]:
			if variable is None:
				handler_unset(['ucsschool/import/generate/share/marktplatz'])
			else:
				print '### Setting ucsschool/import/generate/share/marktplatz=%s.' % variable
				handler_set(['ucsschool/import/generate/share/marktplatz=%s' % (variable,)])

			print '### Creating school. Expecting Marktplatz to exists = %r' % (should_exist,)
			if should_exist:
				if name:
					print '### Setting share name to %r.' % name
					handler_set(['ucsschool/import/generate/share/marktplatz/name={}'.format(name)])
				else:
					print '### Not setting share name, should be "Marktplatz".'
					handler_unset(['ucsschool/import/generate/share/marktplatz/name'])

			school, oudn = schoolenv.create_ou(name_edudc=ucr.get('hostname'))
			utils.wait_for_replication()
			utils.verify_ldap_object(
				'cn={},cn=shares,{}'.format(name or 'Marktplatz', oudn),
				strict=True,
				should_exist=should_exist)


if __name__ == '__main__':
	main()




from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import ClassShare, Share


def main():

			acl.assert_teacher_group('write')
			acl.assert_student_group('write')

			shares_dn = Share.get_container(school)
			acl.assert_shares(shares_dn, 'write')
			shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
			acl.assert_shares(shares_dn, 'write')
			shares_dn = ClassShare.get_container(school)
			acl.assert_shares(shares_dn, 'read')

			acl.assert_temps('write')

(-)ucs-test-ucsschool/90_ucsschool/75_ldap_acls_staff (-1 / +2 lines)

Lines 10-15	Link Here

from essential.acl import Acl

from essential.acl import Acl

from essential.computerroom import Computers

from essential.computerroom import Computers

from essential.schoolroom import ComputerRoom

from essential.schoolroom import ComputerRoom

from ucsschool.lib.models import Share

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

Lines 50-56	Link Here

			share_dn = open_ldap_co.searchDn(filter=filter_format('(&(objectClass=univentionShare)(cn=%s))', (class_name,)))[0]

			share_dn = open_ldap_co.searchDn(filter=filter_format('(&(objectClass=univentionShare)(cn=%s))', (class_name,)))[0]

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')

			share_dn = 'cn=Marktplatz,cn=shares,%s' % (oudn,)

			share_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'read', 'ALLOWED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')

			acl.assert_share_object_access(share_dn, 'write', 'DENIED')




from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import ClassShare, Share


def main():

			acl.assert_teacher_group('write')
			acl.assert_student_group('write')

			shares_dn = Share.get_container(school)
			acl.assert_shares(shares_dn, 'write')
			shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
			acl.assert_shares(shares_dn, 'write')
			shares_dn = ClassShare.get_container(school)
			acl.assert_shares(shares_dn, 'read')

			acl.assert_temps('write')




from essential.schoolroom import ComputerRoom
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import ClassShare, Share


def main():


			acl.assert_teacher_group('write')

			shares_dn = Share.get_container(school)
			acl.assert_shares(shares_dn, 'write')
			shares_dn = Share(school=school, name=Share.get_search_base(school).share_name_marktplatz).dn
			acl.assert_shares(shares_dn, 'write')
			shares_dn = ClassShare.get_container(school)
			acl.assert_shares(shares_dn, 'read')

			acl.assert_temps('write')




from univention.uldap import getMachineConnection
import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
from ucsschool.lib.models import Group, Policy


class FailAcl(Exception):

			room = ComputerRoom(school, host_members=computers_dns)
			room.add()

			room_container_dn = ComputerRoom.get_container(school)
			shares_dn = 'cn=shares,%s' % school_dn

			# unused?
			#
			# shares_dn = search_base.shares
			#
			# teacher_group2_dn = search_base.teachers_ou_group
			# student_group2_dn = search_base.students_ou_group
			#
			# teacher_group_dn = search_base.teachers_group
			# student_group_dn = search_base.students_group

			teacher_group_dn = 'cn=lehrer,cn=groups,%s' % school_dn
			student_group_dn = 'cn=schueler,cn=groups,%s' % school_dn

			gid_temp_dn = 'cn=gid,cn=temporary,cn=univention,%s' % base_dn
			gidNumber_temp_dn = 'cn=gidNumber,cn=temporary,cn=univention,%s' % base_dn
			sid_temp_dn = 'cn=sid,cn=temporary,cn=univention,%s' % base_dn

			mac_temp_dn = 'cn=mac,cn=temporary,cn=univention,%s' % base_dn

			global_univention_dn = 'cn=univention,%s' % base_dn
			global_policies_dn = Policy.get_container(school)
			global_dns_dn = 'cn=dns,%s' % base_dn
			global_groups_dn = Group.get_container(school)

			dhcp_dn = 'cn=%s,cn=%s,cn=dhcp,%s' % (computers_hostnames[0], school, base_dn)





@!@
# -*- coding: utf-8 -*-
import re


def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}

	while 1:
		i = variable_token.finditer(template)
		try:
			start = i.next()
			end = i.next()
			name = template[start.end():end.start()]

			template = template[:start.start()] + dir_ucsschool.get(name,'') + template[end.end():]
		except StopIteration:
			break

	return template


aclset += """
# -*- coding: utf-8 -*-

# Slave-Controller und Member-Server duerfen Samba-Domaenenobjekt(e) modifizieren
access to filter="(objectClass=sambaDomain)"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by * none break

# Slave-Controller und Memberserver duerfen ausschliesslich den univention-Container replizieren
access to dn="cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller may replicate license container
access to dn.subtree="cn=license,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller duerfen custom attributes-Container und dessen Inhalt replizieren
access to dn.subtree="cn=custom attributes,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller benoetigen den Console-Container fuer die Berechtigungen an der Lehrerconsole
access to dn.subtree="cn=console,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# Slave-Controller benoetigen den UMC-Container fuer die Berechtigungen an der Lehrerconsole
access to dn.subtree="cn=UMC,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# grant write access to domaincontroller slave/member server for certain univention app center settings
access to dn.regex="^univentionAppID=([^,]+),cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" filter="(objectClass=univentionApp)"
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by * none break

access to dn.regex="^cn=([^,]+),cn=apps,cn=univention,@%@ldap/base@%@$" attrs=children,entry
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by * none break

access to dn="cn=apps,cn=univention,@%@ldap/base@%@" attrs=children,entry
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
        by * none break

# grant read access to domaincontroller slave/member server for all other univention app center settings
access to dn.subtree="cn=apps,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=udm_module,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=udm_hook,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=udm_syntax,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=ldapacl,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

access to dn.subtree="cn=ldapschema,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# Slave-Controller und Member-Server benoetigen idmap-Container
access to dn.base="cn=idmap,cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by * none break 

# Slave-Controller und Member-Server benoetigen ID-Mapping
access to dn.subtree="cn=idmap,cn=univention,@%@ldap/base@%@" filter="(|(&(objectClass=sambaUnixIdPool)(objectClass=organizationalRole)(objectClass=top))(&(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
   by * none break

# Slave-Controller und Memberserver duerfen samba-Container und dessen Inhalt replizieren
access to dn.subtree="cn=samba,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break

# Slave-Controller needs the builtin groups
access to dn.subtree="cn=Builtin,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * none break 

# sonst duerfen sie nichts aus cn=univention,BASEDN replizieren
access to dn.subtree="cn=univention,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
   by * none break

"""

print replace_ucr_variables(aclset)
@!@




def replace_ucr_variables(template):
	variable_token = re.compile('@[$]@')

	dir_ucsschool = {
		'DISTRICT':       'ou=[^,]+,' if configRegistry.is_true('ucsschool/ldap/district/enable') else '',
		'PUPILS':         configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler'),
		'TEACHERS':       configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer'),
		'STAFF':          configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter'),
		'TEACHERS-STAFF': configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter'),
		'ADMINS':         configRegistry.get('ucsschool/ldap/default/container/admins', 'admins'),
		'GRPADMINS':      configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-'),
		'ROOMS':          configRegistry.get('ucsschool/ldap/default/container/rooms', 'raeume'),
		'ALL_ADM_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-dc', 'DC-Verwaltungsnetz'),
		'ALL_ADM_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-administrativ-member', 'Member-Verwaltungsnetz'),
		'ALL_EDU_DC': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-dc', 'DC-Edukativnetz'),
		'ALL_EDU_MEMBER': configRegistry.get('ucsschool/ldap/default/groupname/all-educational-member', 'Member-Edukativnetz'),
	}


	while 1:
		i = variable_token.finditer(template)
		try:

	return template


if configRegistry.is_true('ucsschool/ldap/district/enable','no'):
if configRegistry.get('ucsschool/ldap/district/enable','no').lower() in ( 'yes', 'true', '1' ):
   aclset += """
# DCs und Memberserver erhalten Lesezugriff auf das OU-Objekt selbst (im DISTRICT-Mode notwendig)
access to dn.regex="^ou=([^,]+),@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

"""


# Slave controllers and memberservers require write access to virtual machine manager objects
access to dn.regex="^univentionVirtualMachineUUID=([^,]+),cn=Information,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachine)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * read break

access to dn.regex="^cn=([^,]+),cn=CloudConnection,cn=Virtual Machine Manager,@%@ldap/base@%@" filter="(objectClass=univentionVirtualMachineCloudConnection)"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * read break

access to dn="cn=(Information|CloudConnection),cn=Virtual Machine Manager,@%@ldap/base@%@" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by dn.regex="^[^,]+,cn=dc,cn=computers,@%@ldap/base@%@$$" write
	by dn.regex="^[^,]+,cn=memberserver,cn=computers,@%@ldap/base@%@$$" write
	by * read break


# Slave controller and memberservers may replicate the Virtual Machine Manager container
access to dn.subtree="cn=Virtual Machine Manager,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * read break

# Slave controller and memberservers may replicate the mail container
access to dn.subtree="cn=mail,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * read break

access to dn.regex="^@%@ldap/base@%@$$"


# DC Slaves need write access to the members of the group Domain Computers
access to dn.exact="cn=Domain Computers,cn=groups,@%@ldap/base@%@" attrs="uniqueMember,memberUid"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by * none break

# Slave-Controller und Memberserver duerfen globale Container computers, shares, dns, dhcp, kerberos und policies sowie Benutzer lesen
access to dn.regex="(^(.+,)?cn=(groups|dns|dhcp|policies|computers|kerberos|shares),|^(uid=[^,]+,|)cn=users,|^)@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

# Slave DCs can read MS system container
access to dn.base="cn=system,@%@ldap/base@%@"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
    by * none break

# Slave DCs can read and write policy containers for MS GPOs and msPrintConnectionPolicy objects
access to dn.subtree="cn=policies,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msGPOContainer)(objectClass=organizationalRole)(objectClass=msPrintConnectionPolicy))"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by * none break

# Slave DCs can read and write policy containers for MS WMI filter objects
access to dn.subtree="cn=WMIPolicy,cn=system,@%@ldap/base@%@" filter="(|(objectClass=msWMISom)(objectClass=organizationalRole))"
    by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by * none break

# Lehrer, Mitarbeiter und OU-Admins duerfen Schueler-Passwoerter aendern

	by * none break

# Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten
access to dn.regex="^cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$1,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * none break

access to dn.regex="^cn=([^,]+),cn=@$@ROOMS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" write
	by * none break



# domaincontroller slaves and memberservers of management group are not allowed to replicate pupils and teachers
access to dn.regex="^.+,cn=(@$@TEACHERS@$@|@$@PUPILS@$@),cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * none break

# domaincontroller slaves and memberservers of educational group are not allowed to replicate staff users
access to dn.regex="^.+,cn=@$@STAFF@$@,cn=users,ou=[^,]+,@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * none break

# domaincontroller slaves and memberservers may replicate the OU "domain controllers"
access to dn.subtree="ou=domain controllers,@%@ldap/base@%@"
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
   by * read break

# Memberserver duerfen bestimmte Attribute lesen
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=userPassword,krb5Key,krb5KDCFlags,sambaNTPassword,sambaLMPassword,shadowLastChange,sambaPwdLastSet,pwhistory,krb5KeyVersionNumber,univentionWindowsReinstall,sambaPwdCanChange,sambaPwdMustChange
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

# Slave-Controller duerfen Eintraege Ihrer ou lesen und schreiben (Passwortaenderungen etc.)
# Lehrer und Memberserver duerfen sie lesen, ou-eigene bekommen Standard-ACLs, ou-fremde Server/user duerfen nichts
access to dn.regex="^(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$"
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
    by group/univentionLDAPACL/univentionLDAPAccessWrite.expand="ou=$2,@$@DISTRICT@$@@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember.expand="cn=OU$2-@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
    by dn.regex="^uid=([^,]+),cn=(@$@TEACHERS@$@|@$@TEACHERS-STAFF@$@|@$@STAFF@$@|@$@ADMINS@$@),cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" read
    by dn.regex="^uid=(.+,)?cn=users,ou=$2,@$@DISTRICT@$@@%@ldap/base@%@$$" none break
    by dn.regex="^uid=(.+,)?ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" none


# Slave-Controller duerfen Klassen-Gruppen bearbeiten (AUSNAHME! Wird fuer Lehrerzuordnung in UMC benoetigt!)
access to dn.regex="^cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" attrs=children,entry
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * none break

access to dn.regex="^cn=([^,]+),cn=klassen,cn=@$@PUPILS@$@,cn=groups,ou=([^,]+),@$@DISTRICT@$@@%@ldap/base@%@$$" filter="(&(!(|(uidNumber=*)(objectClass=SambaSamAccount)))(objectClass=univentionGroup))"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" write
	by * none break

# Slave-Controller duerfen nagios-Container und Inhalt replizieren
access to dn.subtree="cn=nagios,@%@ldap/base@%@"
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" read
	by * none break

# Schüler, Lehrer, Mitarbeiter, Admins duerfen globale Container univention, policies, groups und dns lesen 


# Slave-Controller und normale Lehrer duerfen sonst nichts lesen, Schueler sowieso nicht
access to *
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_DC@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_ADM_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by group/univentionGroup/uniqueMember="cn=@$@ALL_EDU_MEMBER@$@,cn=ucsschool,cn=groups,@%@ldap/base@%@" none
	by * none break

"""




		# TODO: change school and uid at once!
		# TODO: user without classes

		search_base = User.get_search_base(b)
		domain_users_school = 'cn=Domain Users {},{}'.format(b, search_base.groups)
		teacher_group = search_base.teachers_ou_group
		staff_group = search_base.staff_ou_group
		students_group = search_base.students_ou_group
		grp1_name = uts.random_username()
		grp2_name = uts.random_username()
		two_klasses = '{0}-{1},{0}-{2}'.format(a, grp1_name, grp2_name)
		workgroup_dn, workgroup_name = udm.create_group(position=WorkGroup.get_container(a))
		global_group_dn, global_group_name = udm.create_group()

		users = [
			(env.create_user(a, classes=two_klasses), [students_group, domain_users_school, global_group_dn]),
			(env.create_user(a, is_teacher=True, classes=two_klasses), [domain_users_school, teacher_group, global_group_dn]),
			(env.create_user(a, is_staff=True), [domain_users_school, staff_group, global_group_dn]),
			(env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), [domain_users_school, teacher_group, staff_group, global_group_dn]),
			(env.create_user(a, is_staff=True), 'mitarbeiter',
				[domain_users_school, staff_group, global_group_dn]),
			(env.create_user(a, is_teacher=True, is_staff=True, classes=two_klasses), 'lehrer',
				[domain_users_school, teacher_group, staff_group, global_group_dn]),
		]
		lo = env.open_ldap_connection()
		workgroup = WorkGroup.from_dn(workgroup_dn, None, lo)
		users_dns = [dn for (user, dn,), groups in users]
		udm.modify_object('groups/group', dn=global_group_dn, append={'users': users_dns})
		workgroup.users.extend(users_dns)
		workgroup.modify(lo)

		workgroup = WorkGroup.from_dn(workgroup_dn, None, lo)
		print('*** Users in workgroup {}: {}'.format(workgroup.name, workgroup.users))

		for (user, dn,), groups in users:
			user = User.from_dn(dn, None, lo)
			print('*** Groups {} is in: {}'.format(user, user.get_udm_object(lo)['groups']))


			print '################################'

			attrs = {
				'homeDirectory': [os.path.join('/home', user.get_roleshare_home_subdir(), user.name)],
				'ucsschoolSchool': [b],
				'departmentNumber': [b],
				# TODO: add sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath





from datetime import datetime, timedelta
from ucsschool.lib.schoolldap import SchoolSearchBase
from ucsschool.lib.models import School, SchoolClass
from essential.computerroom import Room
from essential.exam import Exam


		return True
	utils.fail("Get-ItemProperty for %s did not return expected value (%s) for subkey %s" % (reg_key, expected_value, subkey))


def samba_check_gpo_exists(gpo_name):
	"""
	Checks that GPO with 'gpo_name' exists via samba-tool.

	klasse_dn = udm.create_object(
		'groups/group',
		name=schoolclassname,
		position=SchoolClass.get_container(school)
	)

	student_pwd = "univention"




import univention.testing.ucr as ucr_test
import univention.testing.ucsschool as utu
import univention.testing.strings as uts
from ucsschool.lib.models import ComputerRoom, School


class FailAcl(Exception):

		self.access_allowance = access_allowance
		self.ucr = ucr_test.UCSTestConfigRegistry()
		self.ucr.load()
		self.search_base = School.get_search_base(self.school)

	def assert_acl(self, target_dn, access, attrs, access_allowance=None):
		"""Test ACL rule:\n

	def assert_room(self, room_dn, access):
		"""Lehrer und ouadmins duerfen Raum-Gruppen anlegen und bearbeiten
		"""
		target_dn = ComputerRoom.get_container(self.school)
		attrs = [
			'children',
			'entry',

		"""Lehrer, Mitarbeiter und Mitglieder der lokalen Administratoren
		duerfen Arbeitsgruppen anlegen und aendern
		"""
		group_dn = self.search_base.teachers_group
		attrs = [
			'children',
			'entry',

		self.assert_acl(group_dn, access, attrs)

	def assert_student_group(self, access):
		group_dn = self.search_base.students_group
		attrs = [
			'children',
			'entry',

(-)ucs-test-ucsschool/90_ucsschool/essential/computerroom.py (-12 / +16 lines)

Lines 7-12	Link Here

from ucsschool.lib.models import IPComputer as IPComputerLib

from ucsschool.lib.models import IPComputer as IPComputerLib

from ucsschool.lib.models import MacComputer as MacComputerLib

from ucsschool.lib.models import MacComputer as MacComputerLib

from ucsschool.lib.models import WindowsComputer as WindowsComputerLib

from ucsschool.lib.models import WindowsComputer as WindowsComputerLib

from ucsschool.lib.models import School as SchoolLib

from ucsschool.lib.models import ComputerRoom as ComputerRoomLib

from univention.testing.umc2 import Client

from univention.testing.umc2 import Client

from univention.testing.umc2 import ConnectionError

from univention.testing.umc2 import ConnectionError

import copy

import copy

Lines 92-101	Link Here

	def __init__(self, school, name=None, dn=None, description=None, host_members=None):

	def __init__(self, school, name=None, dn=None, description=None, host_members=None):

		self.school = school

		self.school = school

		self.name = name if name else uts.random_name()

		self.name = name if name else uts.random_name()

		self.dn = dn if dn else 'cn=%s-%s,cn=raeume,cn=groups,%s' % (

		self.dn = dn if dn else ComputerRoomLib(school=school, name='{}-{}'.format(school, self.name)).dn

			school, self.name, utu.UCSTestSchool().get_ou_base_dn(school))

		self.description = description if description else uts.random_name()

		self.description = description if description else uts.random_name()

		self.host_members = host_members or []

		self.host_members = host_members or []

100

		self.marktplatz_name = SchoolLib.get_search_base(self.school).share_name_marktplatz

101

100

	def get_room_user(self, client):

102

	def get_room_user(self, client):

101

		print 'Executing command: computerroom/rooms in school:', self.school

103

		print 'Executing command: computerroom/rooms in school:', self.school

Lines 286-320	Link Here

286

			utils.fail('Write to home directory result (%r), expected (%r)' % (write[0], expected_result))

288

			utils.fail('Write to home directory result (%r), expected (%r)' % (write[0], expected_result))

287

289

288

	def check_marktplatz_read(self, user, ip_address, passwd='univention', expected_result=0):

290

	def check_marktplatz_read(self, user, ip_address, passwd='univention', expected_result=0):

289

		print '.... Check Marktplatz read ....'

291

		print '.... Check Marktplatz ({}) read ....'.format(self.marktplatz_name)

290

		cmd_read_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'dir']

292

		cmd_read_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'dir']

291

		read = run_commands(

293

		read = run_commands(

292

			[cmd_read_marktplatz],

294

			[cmd_read_marktplatz],

293

295

294

				'ip': ip_address,

296

				'ip': ip_address,

295

				'user': '{0}%{1}'.format(user, passwd)

297

				'user': '{0}%{1}'.format(user, passwd),

298

				'marktplatz_name': self.marktplatz_name

296

299

297

300

298

		if read[0] != expected_result:

301

		if read[0] != expected_result:

299

			print 'FAIL .. Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result)

302

			print 'FAIL .. Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result)

300

			utils.fail('Read Marktplatz directory result (%r), expected (%r)' % (read[0], expected_result))

303

			utils.fail('Read Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, read[0], expected_result))

301

304

302

	def check_marktplatz_write(self, user, ip_address, passwd='univention', expected_result=0):

305

	def check_marktplatz_write(self, user, ip_address, passwd='univention', expected_result=0):

303

		print '.... Check Marktplatz write ....'

306

		print '.... Check Marktplatz ({}) write ....'.format(self.marktplatz_name)

304

		f = tempfile.NamedTemporaryFile(dir='/tmp')

307

		f = tempfile.NamedTemporaryFile(dir='/tmp')

305

		cmd_write_marktplatz = ['smbclient', '//%(ip)s/Marktplatz', '-U', '%(user)s', '-c', 'put %(filename)s']

308

		cmd_write_marktplatz = ['smbclient', '//%(ip)s/%(marktplatz_name)s', '-U', '%(user)s', '-c', 'put %(filename)s']

306

		write = run_commands(

309

		write = run_commands(

307

			[cmd_write_marktplatz],

310

			[cmd_write_marktplatz],

308

311

309

				'ip': ip_address,

312

				'ip': ip_address,

310

				'user': '{0}%{1}'.format(user, passwd),

313

				'user': '{0}%{1}'.format(user, passwd),

311

				'filename': '%s %s' % (f.name, f.name.split('/')[-1])

314

				'filename': '%s %s' % (f.name, f.name.split('/')[-1]),

315

				'marktplatz_name': self.marktplatz_name,

312

316

313

317

314

		f.close()

318

		f.close()

315

		if write[0] != expected_result:

319

		if write[0] != expected_result:

316

			print 'FAIL .. Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result)

320

			print 'FAIL .. Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result)

317

			utils.fail('Write to Marktplatz directory result (%r), expected (%r)' % (write[0], expected_result))

321

			utils.fail('Write to Marktplatz (%s) directory result (%r), expected (%r)' % (self.marktplatz_name, write[0], expected_result))

318

322

319

	def check_share_access(self, user, ip_address, expected_home_result, expected_marktplatz_result):

323

	def check_share_access(self, user, ip_address, expected_home_result, expected_marktplatz_result):

320

		self.check_home_read(user, ip_address, expected_result=expected_home_result)

324

		self.check_home_read(user, ip_address, expected_result=expected_home_result)

(-)ucs-test-ucsschool/90_ucsschool/essential/distribution.py (-4 / +30 lines)

Lines 13-18	Link Here

import univention.testing.strings as uts

import univention.testing.strings as uts

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

from ucsschool.lib.models import School

class Distribution(object):

class Distribution(object):

Lines 505-518	Link Here

505

		path = ''

506

		path = ''

506

		self.ucr.load()

507

		self.ucr.load()

507

		roleshare = self.ucr.get('ucsschool/import/roleshare')

508

		roleshare = self.ucr.get('ucsschool/import/roleshare')

509

		collect_from = self.ucr.get('ucsschool/datadistribution/datadir/sender', 'Unterrichtsmaterial')

510

		distribute_to = self.ucr.get('ucsschool/datadistribution/datadir/recipient', 'Unterrichtsmaterial')

511

		search_base = School.get_search_base(self.school)

508

		if purpose == 'distribute':

512

		if purpose == 'distribute':

509

			if roleshare == 'no' or roleshare is False:

513

			if roleshare == 'no' or roleshare is False:

510

				path = '/home/{0}/Unterrichtsmaterial/{1}/'.format(user, self.name)

514

				path = '/home/{}/{}/{}/'.format(

515

					user,

516

					distribute_to,

517

					self.name

518

511

			else:

519

			else:

512

				path = '/home/{0}/schueler/{1}/Unterrichtsmaterial/{2}'.format(self.school, user, self.name)

520

				path = '/home/{}/{}/{}/{}/{}'.format(

521

					self.school,

522

					search_base.share_name_pupils,

523

					user,

524

					distribute_to,

525

					self.name

526

513

		elif purpose == 'collect':

527

		elif purpose == 'collect':

514

			if roleshare == 'no' or roleshare is False:

528

			if roleshare == 'no' or roleshare is False:

515

				path = '/home/{0}/Unterrichtsmaterial/{1}/{2}/'.format(self.sender, self.name, user)

529

				path = '/home/{}/{}/{}/{}/'.format(

530

						self.sender,

531

						collect_from,

532

						self.name,

533

						user

534

516

			else:

535

			else:

517

				path = '/home/{0}/lehrer/{1}/Unterrichtsmaterial/{2}/{3}'.format(self.school, self.sender, self.name, user)

536

				path = '/home/{}/{}/{}/{}/{}/{}'.format(

537

					self.school,

538

					search_base.share_name_teachers,

539

					self.sender,

540

					collect_from,

541

					self.name,

542

					user

543

518

		return path

544

		return path




import subprocess
import univention.testing.strings as uts
import univention.testing.utils as utils
from ucsschool.lib.models import School


class StartFail(Exception):

		self.shareMode = shareMode
		self.internetRule = internetRule
		self.customRule = customRule
		self.search_base = School.get_search_base(self.school)

		if connection:
			self.client = connection

	def check_collect(self):
		account = utils.UCSTestDomainAdminCredentials()
		admin = account.username
		path = '/home/%s/%s/%s' % (admin, self.search_base.share_name_exams, self.name)
		path_files = get_dir_files(path)
		if not set(self.files).issubset(set(path_files)):
			utils.fail('%r were not collected to %r' % (self.files, path))

			utils.fail('%r were not uploaded to %r' % (self.files, path))

	def check_distribute(self):
		path = '/home/%s/%s' % (self.school, self.search_base.share_name_pupils)
		path_files = get_dir_files(path)
		if not set(self.files).issubset(set(path_files)):
			utils.fail('%r were not uploaded to %r' % (self.files, path))

(-)ucs-test-ucsschool/90_ucsschool/essential/importcomputers.py (-5 / +5 lines)

Lines 146-156	Link Here

146

		print 'verify computer: %s' % self.name

146

		print 'verify computer: %s' % self.name

147

148

		utils.verify_ldap_object(self.dn, expected_attr=self.expected_attributes(), should_exist=True)

148

		utils.verify_ldap_object(self.dn, expected_attr=self.expected_attributes(), should_exist=True)

149

		search_base = SchoolLib.get_search_base(self.school)

150

		verwaltung_member_group1 = 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base'))

150

		verwaltung_member_group1 = search_base.administrative_ou_member_group

151

		verwaltung_member_group2 = 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base'))

151

		verwaltung_member_group2 = search_base.administrative_member_group

152

		edukativ_member_group1 = 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (self.school, configRegistry.get('ldap/base'))

152

		edukativ_member_group1 = search_base.educational_ou_member_group

153

		edukativ_member_group2 = 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (configRegistry.get('ldap/base'))

153

		edukativ_member_group2 = search_base.educational_member_group

154

		if self.zone == 'verwaltung':

154

		if self.zone == 'verwaltung':

155

			utils.verify_ldap_object(verwaltung_member_group1, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)

155

			utils.verify_ldap_object(verwaltung_member_group1, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)

156

			utils.verify_ldap_object(verwaltung_member_group2, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)

156

			utils.verify_ldap_object(verwaltung_member_group2, expected_attr={'uniqueMember': [self.dn]}, strict=False, should_exist=True)




import univention.testing.strings as uts
from ucsschool.lib.models import SchoolClass as GroupLib
from ucsschool.lib.models import School as SchoolLib
from ucsschool.lib.models import ClassShare as ClassShareLib
import ucsschool.lib.models.utils

from essential.importou import remove_ou, get_school_base

configRegistry = univention.config_registry.ConfigRegistry()
configRegistry.load()

cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')


class Group:

	def __init__(self, school):


		self.school_base = get_school_base(self.school)

		self.dn = GroupLib(school=self.school, name=self.name).dn
		self.share_dn = ClassShareLib(school=self.school, name=self.name).dn

	def set_mode_to_modify(self):
		self.mode = 'M'

(-)ucs-test-ucsschool/90_ucsschool/essential/importou.py (-58 / +57 lines)

Lines 13-18	Link Here

import univention.uldap

import univention.uldap

import univention.admin.uldap

import univention.admin.uldap

import ldap

import univention.admin.modules

import univention.admin.modules

import univention.admin.filter

import univention.admin.filter

import univention.config_registry

import univention.config_registry

Lines 299-310	Link Here

299

	old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

300

	old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

300

	lo = univention.uldap.getMachineConnection()

301

	lo = univention.uldap.getMachineConnection()

301

	base_dn = ucr.get('ldap/base')

302

	base_dn = ucr.get('ldap/base')

303

	search_base = School.get_search_base(ou)

302

304

303

	cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')

305

	cn_pupils = ldap.explode_dn(search_base.students, True)[0]

304

	cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer')

306

	cn_teachers = ldap.explode_dn(search_base.teachers, True)[0]

305

	cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')

307

	cn_teachers_staff = ldap.explode_dn(search_base.teachersAndStaff, True)[0]

306

	cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')

308

	cn_admins = ldap.explode_dn(search_base.admins, True)[0]

307

	cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

309

	cn_staff = ldap.explode_dn(search_base.staff, True)[0]

310

	cn_class = ldap.explode_dn(search_base.classes, True)[0]

311

	cn_rooms = ldap.explode_dn(search_base.rooms, True)[0]

308

312

309

	singlemaster = ucr.is_true('ucsschool/singlemaster')

313

	singlemaster = ucr.is_true('ucsschool/singlemaster')

310

	noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

314

	noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

Lines 332-374	Link Here

332

336

333

	utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [sharefileserver_dn], 'ucsschoolHomeShareFileServer': [sharefileserver_dn]}, should_exist=must_exist)

337

	utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [sharefileserver_dn], 'ucsschoolHomeShareFileServer': [sharefileserver_dn]}, should_exist=must_exist)

334

338

335

	utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist)

339

	utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist)

336

	utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist)

340

	utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist)

337

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

341

	utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

338

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

342

	utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

339

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

343

	utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

340

	utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

341

344

342

	utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist)

345

	utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist)

343

	utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

346

	utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

344

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

347

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

345

	utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist)

348

	utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist)

346

	utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist)

349

	utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist)

347

	utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

350

	utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

348

	utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

351

	utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

349

	utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist)

352

	utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

350

	utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist)

353

	utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist)

351

354

352

	utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

355

	utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

353

	utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist)

356

	utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist)

354

	utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist)

357

	utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist)

355

	utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist)

358

	utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

356

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

359

	utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

357

360

358

	if noneducational_create_objects:

361

	if noneducational_create_objects:

359

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist)

362

		utils.verify_ldap_object(search_base.staff, should_exist=must_exist)

360

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist)

363

		utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist)

361

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist)

364

		utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist)

362

	else:

365

	else:

363

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False)

366

		utils.verify_ldap_object(search_base.staff, should_exist=False)

364

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False)

367

		utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False)

365

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False)

368

		utils.verify_ldap_object(search_base.staff_group, should_exist=False)

366

369

367

	if noneducational_create_objects:

370

	if noneducational_create_objects:

368

		utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

371

		utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True)

369

		utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

372

		utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True)

370

		utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

373

		utils.verify_ldap_object(search_base.administrative_ou_dc_group)

371

		utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

374

		utils.verify_ldap_object(search_base.administrative_ou_member_group)

372

	# This will fail because we don't cleanup these groups in cleanup_ou

375

	# This will fail because we don't cleanup these groups in cleanup_ou

373

	# else:

376

	# else:

374

	#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

377

	#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

Lines 382-403	Link Here

382

	if dc_administrative:

385

	if dc_administrative:

383

		verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

386

		verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

384

387

385

	grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')

386

	grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')

387

	grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')

388

	grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

389

390

	grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

388

	grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

391

	grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

389

	grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

392

	grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

390

	grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

393

	grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

391

	grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

394

392

395

	utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

393

	utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

396

	utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

394

	utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

397

	utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

395

	utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

398

396

399

	if noneducational_create_objects:

397

	if noneducational_create_objects:

400

		utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

398

		utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

401

399

402

	dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

400

	dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

403

	dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

401

	dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

Lines 410-416	Link Here

410

	# check group membership

408

	# check group membership

411

	#  slave should be member

409

	#  slave should be member

412

	#  master and backup should not be member

410

	#  master and backup should not be member

413

	dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn), "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)]

411

	dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]

414

412

415

	if must_exist:

413

	if must_exist:

416

		if masterobjs:

414

		if masterobjs:

Lines 486-518	Link Here

486

		base_dn = ucr.get('ldap/base')

484

		base_dn = ucr.get('ldap/base')

487

	ou_base = get_ou_base(ou, ucr.is_true('ucsschool/ldap/district/enable', False))

485

	ou_base = get_ou_base(ou, ucr.is_true('ucsschool/ldap/district/enable', False))

488

	dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, ou_base)

486

	dc_dn = 'cn=%s,cn=dc,cn=server,cn=computers,%s' % (dc_name, ou_base)

487

	search_base = School.get_search_base(ou)

489

488

490

	# define list of (un-)desired group memberships ==> [(IS_MEMBER, GROUP_DN), ...]

489

	# define list of (un-)desired group memberships ==> [(IS_MEMBER, GROUP_DN), ...]

491

	group_dn_list = []

490

	group_dn_list = []

492

	if dc_type == TYPE_DC_ADMINISTRATIVE:

491

	if dc_type == TYPE_DC_ADMINISTRATIVE:

493

		group_dn_list += [

492

		group_dn_list += [

494

			(True, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

493

			(True, search_base.administrative_ou_dc_group),

495

			(True, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

494

			(True, search_base.administrative_dc_group),

496

			(False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn),

495

			(False, search_base.administrative_member_group),

497

			(False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

496

			(False, search_base.administrative_ou_member_group),

498

			(False, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

497

			(False, search_base.educational_ou_dc_group),

499

			(False, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

498

			(False, search_base.educational_dc_group),

500

			(False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn),

499

			(False, search_base.educational_member_group),

501

			(False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

500

			(False, search_base.educational_ou_member_group),

502

501

503

	else:

502

	else:

504

		group_dn_list += [

503

		group_dn_list += [

505

			(True, 'cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

504

			(True, search_base.educational_ou_dc_group),

506

			(True, 'cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

505

			(True, search_base.educational_dc_group),

507

			(False, 'cn=Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % base_dn),

506

			(False, search_base.educational_member_group),

508

			(False, 'cn=OU%s-Member-Edukativnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

507

			(False, search_base.educational_ou_member_group),

509

508

510

		if ucr.is_true('ucsschool/ldap/noneducational/create/objects', must_exist):

509

		if ucr.is_true('ucsschool/ldap/noneducational/create/objects', must_exist):

511

			group_dn_list += [

510

			group_dn_list += [

512

				(False, 'cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou.lower(), base_dn)),

511

				(False, search_base.administrative_ou_dc_group),

513

				(False, 'cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (base_dn, )),

512

				(False, search_base.administrative_dc_group),

514

				(False, 'cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn),

513

				(False, search_base.administrative_member_group),

515

				(False, 'cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn)),

514

				(False, search_base.administrative_ou_member_group),

516

515

517

516

518

	utils.verify_ldap_object(dc_dn, should_exist=must_exist)

517

	utils.verify_ldap_object(dc_dn, should_exist=must_exist)




from univention.testing.decorators import SetTimeout
import univention.uldap
import univention.config_registry
from ucsschool.lib.models import SchoolClass as SchoolClassLib
from ucsschool.lib.models import Student as StudentLib
from ucsschool.lib.models import Teacher as TeacherLib
from ucsschool.lib.models import Staff as StaffLib


HOOK_BASEDIR = '/usr/share/ucs-school-import/hooks'

i
class ImportUser(Exception):
	pass


configRegistry = univention.config_registry.ConfigRegistry()
configRegistry.load()

cn_pupils = configRegistry.get('ucsschool/ldap/default/container/pupils', 'schueler')
cn_teachers = configRegistry.get('ucsschool/ldap/default/container/teachers', 'lehrer')
cn_teachers_staff = configRegistry.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
cn_staff = configRegistry.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

grp_prefix_pupils = configRegistry.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')
grp_prefix_teachers = configRegistry.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')
grp_prefix_admins = configRegistry.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')
grp_prefix_staff = configRegistry.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')


class Person(object):

	def __init__(self, school, role):

		self.username = uts.random_name()
		self.school = school
		self.schools = [school]
		self.search_base = SchoolLib.get_search_base(self.school)
		self.role = role
		self.record_uid = None
		self.source_uid = None

		self.mail = '%s@%s' % (self.username, configRegistry.get('domainname'))
		self.school_classes = {}
		if self.is_student():
			self.user_type = StudentLib
			self.role_group_dn = self.search_base.students_ou_group
		elif self.is_teacher():
			self.user_type = TeacherLib
			self.role_group_dn = self.search_base.teachers_ou_group
		elif self.is_teacher_staff():
			self.user_type = TeachersAndStaffLib
			self.role_group_dn = self.search_base.teachers_ou_group
		elif self.is_staff():
			self.user_type = StaffLib
			self.role_group_dn = self.search_base.staff_ou_group
		self.mode = 'A'
		self.active = True
		self.password = None

		self.append_random_groups()

	def make_dn(self):
		return self.user_type(school=self.school, name=self.username).dn

	@property
	def homedir(self):
		subdir = ''
		if configRegistry.is_true('ucsschool/import/roleshare', True):
			subdir = self.user_type(school=self.school, name=self.username).get_roleshare_home_subdir()
		else:
			subdir = ''
				subdir = os.path.join(self.school, 'lehrer')
			elif self.is_teacher_staff():
				subdir = os.path.join(self.school, 'lehrer')
			elif self.is_staff():
				subdir = os.path.join(self.school, 'mitarbeiter')
		return os.path.join('/home', subdir, self.username)

	def make_school_base(self):


		for school, classes in self.school_classes.iteritems():
			for cl in classes:
				cl_group_dn = SchoolClassLib(school=school, name=cl).dn
				utils.verify_ldap_object(cl_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)

		assert self.school in self.schools

		utils.verify_ldap_object(self.role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)
			role_group_dn = 'cn=%s%s,cn=groups,%s' % (self.grp_prefix, school, get_school_base(school))
			utils.verify_ldap_object(role_group_dn, expected_attr={'uniqueMember': [self.dn], 'memberUid': [self.username]}, strict=False, should_exist=True)

		print 'person OK: %s' % self.username



		'name': name,
		'service': 'Windows Profile Server',
	}
	udm.create_object('computers/memberserver', position=SchoolComputerLib.get_container(ou), **properties)

	udm.create_object('computers/memberserver', position=school_base, **properties)

def create_home_server(udm, ou, name):
def create_home_server(udm, name):
	properties = {
		'name': name,
	}
	udm.create_object('computers/memberserver', position=SchoolComputerLib.get_container(ou), **properties)


def import_users_basics(use_cli_api=True, use_python_api=False):


						if home_server_at_ou:
							home_server_at_ou = uts.random_name()
							create_home_server(udm, school_name, home_server_at_ou)
							create_ou_cli(school_name, sharefileserver=home_server_at_ou)
						else:
							create_ou_cli(school_name)

(-)ucs-test-ucsschool/90_ucsschool/essential/internetrule.py (-1 / +2 lines)

Lines 15-20	Link Here

import univention.testing.utils as utils

import univention.testing.utils as utils

from univention.testing.ucsschool import UCSTestSchool

from univention.testing.ucsschool import UCSTestSchool

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

from ucsschool.lib.models import SchoolClass as SchoolClassLib

class InternetRule(object):

class InternetRule(object):

Lines 193-199	Link Here

193

			ucsschool = UCSTestSchool()

194

			ucsschool = UCSTestSchool()

194

			groupdn = ucsschool.get_workinggroup_dn(school, groupName)

195

			groupdn = ucsschool.get_workinggroup_dn(school, groupName)

195

		elif groupType == 'class':

196

		elif groupType == 'class':

196

			groupdn = 'cn=%s-%s,cn=klassen,cn=schueler,cn=groups,%s' % (school, groupName, school_basedn)

197

			groupdn = SchoolClassLib(school=schoolenv.name, name="{}-{}".format(school, groupName)).dn

197

198

		if default:

199

		if default:

199

			name = '$default$'

200

			name = '$default$'




from univention.testing.umc2 import Client
import univention.testing.ucr as ucr_test
from univention.testing.ucsschool import UCSTestSchool
from ucsschool.lib.models import SchoolClass as SchoolClassLib


class GetFail(Exception):

					k, classes_names))

	def dn(self):
		return SchoolClassLib(school=self.school, name="{}-{}".format(self.school, self.name)).dn
			self.school, self.name, UCSTestSchool().get_ou_base_dn(self.school)
		)

	def get(self):
		"""Get class"""

(-)ucs-test-ucsschool/90_ucsschool/essential/school.py (-43 / +43 lines)

Lines 4-9	Link Here

.. moduleauthor:: Ammar Najjar <najjar@univention.de>

.. moduleauthor:: Ammar Najjar <najjar@univention.de>

"""

"""

import ldap

from essential.importcomputers import random_ip

from essential.importcomputers import random_ip

from essential.importou import DCNotFound, DCMembership, DhcpdLDAPBase, TYPE_DC_ADMINISTRATIVE

from essential.importou import DCNotFound, DCMembership, DhcpdLDAPBase, TYPE_DC_ADMINISTRATIVE

from essential.importou import get_ou_base, verify_dc, get_school_ou_from_dn, TYPE_DC_EDUCATIONAL

from essential.importou import get_ou_base, verify_dc, get_school_ou_from_dn, TYPE_DC_EDUCATIONAL

Lines 13-18	Link Here

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.utils as utils

import univention.testing.utils as utils

import univention.uldap

import univention.uldap

from ucsschool.lib.models import (School as LibSchool, ComputerRoom as LibComputerRoom, SchoolClass as LibSchoolClass,

	Staff as LibStaff, TeachersAndStaff as LibTeachersAndStaff, Teacher as LibTeacher, Student as LibStudent)

class GetFail(Exception):

class GetFail(Exception):

Lines 251-262	Link Here

251

		old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

254

		old_dhcpd_ldap_base = ucr.get('dhcpd/ldap/base')

252

		lo = univention.uldap.getMachineConnection()

255

		lo = univention.uldap.getMachineConnection()

253

		base_dn = ucr.get('ldap/base')

256

		base_dn = ucr.get('ldap/base')

257

		search_base = LibSchool.get_search_base(ou)

254

258

255

		cn_pupils = ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')

259

		cn_pupils = ldap.explode_dn(LibStudent.get_container(ou), True)[0]

256

		cn_teachers = ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer')

260

		cn_teachers = ldap.explode_dn(LibTeacher.get_container(ou), True)[0]

257

		cn_teachers_staff = ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')

261

		cn_teachers_staff = ldap.explode_dn(LibTeachersAndStaff.get_container(ou), True)[0]

258

		cn_admins = ucr.get('ucsschool/ldap/default/container/admins', 'admins')

262

		cn_admins = ldap.explode_dn(search_base.admins, True)[0]

259

		cn_staff = ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

263

		cn_staff = ldap.explode_dn(LibStaff.get_container(ou), True)[0]

264

		cn_class = ldap.explode_dn(LibSchoolClass.get_container(ou), True)[0]

265

		cn_rooms = ldap.explode_dn(LibComputerRoom.get_container(ou), True)[0]

260

266

261

		singlemaster = ucr.is_true('ucsschool/singlemaster')

267

		singlemaster = ucr.is_true('ucsschool/singlemaster')

262

		noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

268

		noneducational_create_objects = ucr.is_true('ucsschool/ldap/noneducational/create/objects')

Lines 290-332	Link Here

290

296

291

		utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [classsharefileserver_dn], 'ucsschoolHomeShareFileServer': [homesharefileserver_dn]}, should_exist=must_exist)

297

		utils.verify_ldap_object(ou_base, expected_attr={'ou': [ou], 'ucsschoolClassShareFileServer': [classsharefileserver_dn], 'ucsschoolHomeShareFileServer': [homesharefileserver_dn]}, should_exist=must_exist)

292

298

293

		utils.verify_ldap_object('cn=printers,%s' % ou_base, expected_attr={'cn': ['printers']}, should_exist=must_exist)

299

		utils.verify_ldap_object(search_base.printers, expected_attr={'cn': ['printers']}, should_exist=must_exist)

294

		utils.verify_ldap_object('cn=users,%s' % ou_base, expected_attr={'cn': ['users']}, should_exist=must_exist)

300

		utils.verify_ldap_object(search_base.users, expected_attr={'cn': ['users']}, should_exist=must_exist)

295

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

301

		utils.verify_ldap_object(search_base.students, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

296

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

302

		utils.verify_ldap_object(search_base.teachers, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

297

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

303

		utils.verify_ldap_object(search_base.admins, expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

298

		utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_admins, ou_base), expected_attr={'cn': [cn_admins]}, should_exist=must_exist)

299

304

300

		utils.verify_ldap_object('cn=computers,%s' % ou_base, expected_attr={'cn': ['computers']}, should_exist=must_exist)

305

		utils.verify_ldap_object(search_base.computers, expected_attr={'cn': ['computers']}, should_exist=must_exist)

301

		utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

306

		utils.verify_ldap_object('cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['server']}, should_exist=must_exist)

302

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

307

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

303

		utils.verify_ldap_object('cn=networks,%s' % ou_base, expected_attr={'cn': ['networks']}, should_exist=must_exist)

308

		utils.verify_ldap_object(search_base.networks, expected_attr={'cn': ['networks']}, should_exist=must_exist)

304

		utils.verify_ldap_object('cn=groups,%s' % ou_base, expected_attr={'cn': ['groups']}, should_exist=must_exist)

309

		utils.verify_ldap_object(search_base.groups, expected_attr={'cn': ['groups']}, should_exist=must_exist)

305

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

310

		utils.verify_ldap_object(search_base.workgroups, expected_attr={'cn': [cn_pupils]}, should_exist=must_exist)

306

		utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_teachers, ou_base), expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

311

		utils.verify_ldap_object(search_base.teachers_group, expected_attr={'cn': [cn_teachers]}, should_exist=must_exist)

307

		utils.verify_ldap_object('cn=klassen,cn=%s,cn=groups,%s' % (cn_pupils, ou_base), expected_attr={'cn': ['klassen']}, should_exist=must_exist)

312

		utils.verify_ldap_object(search_base.classes, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

308

		utils.verify_ldap_object('cn=raeume,cn=groups,%s' % ou_base, expected_attr={'cn': ['raeume']}, should_exist=must_exist)

313

		utils.verify_ldap_object(search_base.rooms, expected_attr={'cn': [cn_rooms]}, should_exist=must_exist)

309

314

310

		utils.verify_ldap_object('cn=dhcp,%s' % ou_base, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

315

		utils.verify_ldap_object(search_base.dhcp, expected_attr={'cn': ['dhcp']}, should_exist=must_exist)

311

		utils.verify_ldap_object('cn=policies,%s' % ou_base, expected_attr={'cn': ['policies']}, should_exist=must_exist)

316

		utils.verify_ldap_object(search_base.policies, expected_attr={'cn': ['policies']}, should_exist=must_exist)

312

		utils.verify_ldap_object('cn=shares,%s' % ou_base, expected_attr={'cn': ['shares']}, should_exist=must_exist)

317

		utils.verify_ldap_object(search_base.shares, expected_attr={'cn': ['shares']}, should_exist=must_exist)

313

		utils.verify_ldap_object('cn=klassen,cn=shares,%s' % ou_base, expected_attr={'cn': ['klassen']}, should_exist=must_exist)

318

		utils.verify_ldap_object(search_base.classShares, expected_attr={'cn': [cn_class]}, should_exist=must_exist)

314

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

319

		utils.verify_ldap_object('cn=dc,cn=server,cn=computers,%s' % ou_base, expected_attr={'cn': ['dc']}, should_exist=must_exist)

315

320

316

		if noneducational_create_objects:

321

		if noneducational_create_objects:

317

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=must_exist)

322

			utils.verify_ldap_object(search_base.staff, should_exist=must_exist)

318

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=must_exist)

323

			utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=must_exist)

319

			utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=must_exist)

324

			utils.verify_ldap_object(search_base.staff_group, should_exist=must_exist)

320

		else:

325

		else:

321

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_staff, ou_base), should_exist=False)

326

			utils.verify_ldap_object(search_base.staff, should_exist=False)

322

			utils.verify_ldap_object('cn=%s,cn=users,%s' % (cn_teachers_staff, ou_base), should_exist=False)

327

			utils.verify_ldap_object(search_base.teachersAndStaff, should_exist=False)

323

			utils.verify_ldap_object('cn=%s,cn=groups,%s' % (cn_staff, ou_base), should_exist=False)

328

			utils.verify_ldap_object(search_base.staff_group, should_exist=False)

324

329

325

		if noneducational_create_objects:

330

		if noneducational_create_objects:

326

			utils.verify_ldap_object('cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

331

			utils.verify_ldap_object(search_base.administrative_dc_group, should_exist=True)

327

			utils.verify_ldap_object('cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % base_dn, should_exist=True)

332

			utils.verify_ldap_object(search_base.administrative_member_group, should_exist=True)

328

			utils.verify_ldap_object('cn=OU%s-DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

333

			utils.verify_ldap_object(search_base.administrative_ou_dc_group)

329

			utils.verify_ldap_object('cn=OU%s-Member-Verwaltungsnetz,cn=ucsschool,cn=groups,%s' % (ou, base_dn), should_exist=True)

334

			utils.verify_ldap_object(search_base.administrative_ou_member_group)

330

		# This will fail because we don't cleanup these groups in cleanup_ou

335

		# This will fail because we don't cleanup these groups in cleanup_ou

331

		# else:

336

		# else:

332

		#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

337

		#	utils.verify_ldap_object("cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,%s" % base_dn, should_exist=False)

Lines 340-361	Link Here

340

		if dc_administrative:

345

		if dc_administrative:

341

			verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

346

			verify_dc(ou, dc_administrative, TYPE_DC_ADMINISTRATIVE, base_dn, must_exist)

342

347

343

		grp_prefix_pupils = ucr.get('ucsschool/ldap/default/groupprefix/pupils', 'schueler-')

344

		grp_prefix_teachers = ucr.get('ucsschool/ldap/default/groupprefix/teachers', 'lehrer-')

345

		grp_prefix_admins = ucr.get('ucsschool/ldap/default/groupprefix/admins', 'admins-')

346

		grp_prefix_staff = ucr.get('ucsschool/ldap/default/groupprefix/staff', 'mitarbeiter-')

347

348

		grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

348

		grp_policy_pupils = ucr.get('ucsschool/ldap/default/policy/umc/pupils', 'cn=ucsschool-umc-pupils-default,cn=UMC,cn=policies,%s' % base_dn)

349

		grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

349

		grp_policy_teachers = ucr.get('ucsschool/ldap/default/policy/umc/teachers', 'cn=ucsschool-umc-teachers-default,cn=UMC,cn=policies,%s' % base_dn)

350

		grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

350

		grp_policy_admins = ucr.get('ucsschool/ldap/default/policy/umc/admins', 'cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,%s' % base_dn)

351

		grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

351

		grp_policy_staff = ucr.get('ucsschool/ldap/default/policy/umc/staff', 'cn=ucsschool-umc-staff-default,cn=UMC,cn=policies,%s' % base_dn)

352

353

		utils.verify_ldap_object("cn=%s%s,cn=ouadmins,cn=groups,%s" % (grp_prefix_admins, ou, base_dn), expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

353

		utils.verify_ldap_object(search_base.admin_group, expected_attr={'univentionPolicyReference': [grp_policy_admins]}, should_exist=True)

354

		utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_pupils, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

354

		utils.verify_ldap_object(search_base.students_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_pupils]}, should_exist=must_exist)

355

		utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_teachers, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

355

		utils.verify_ldap_object(search_base.teachers_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_teachers]}, should_exist=must_exist)

356

357

		if noneducational_create_objects:

357

		if noneducational_create_objects:

358

			utils.verify_ldap_object("cn=%s%s,cn=groups,%s" % (grp_prefix_staff, ou, ou_base), expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

358

			utils.verify_ldap_object(search_base.staff_ou_group, expected_attr={'univentionPolicyReference': [grp_policy_staff]}, should_exist=must_exist)

359

360

		dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

360

		dcmaster_module = univention.admin.modules.get("computers/domaincontroller_master")

361

		dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

361

		dcbackup_module = univention.admin.modules.get("computers/domaincontroller_backup")

Lines 368-374	Link Here

368

		# check group membership

368

		# check group membership

369

		#  slave should be member

369

		#  slave should be member

370

		#  master and backup should not be member

370

		#  master and backup should not be member

371

		dcgroups = ["cn=OU%s-DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (ou, base_dn), "cn=DC-Edukativnetz,cn=ucsschool,cn=groups,%s" % (base_dn)]

371

		dcgroups = [search_base.educational_ou_dc_group, search_base.educational_dc_group]

372

373

		if must_exist:

373

		if must_exist:

374

			if masterobjs:

374

			if masterobjs:

Lines 412-418	Link Here

412

				# seems to be the first OU, so check the variable settings

412

				# seems to be the first OU, so check the variable settings

413

				if ucr.get('dhcpd/ldap/base') != "cn=dhcp,%s" % (ou_base,):

413

				if ucr.get('dhcpd/ldap/base') != "cn=dhcp,%s" % (ou_base,):

414

					print 'ERROR: dhcpd/ldap/base =', ucr.get('dhcpd/ldap/base')

414

					print 'ERROR: dhcpd/ldap/base =', ucr.get('dhcpd/ldap/base')

415

					print 'ERROR: expected base =', dhcp_dn

415

					print 'ERROR: expected base =', dhcp_dn  # FIXME: unresolve reference: dhcp_dn

416

					raise DhcpdLDAPBase()

416

					raise DhcpdLDAPBase()

417

418

			# use the UCR value and check if the DHCP service exists

418

			# use the UCR value and check if the DHCP service exists

(-)ucs-test-ucsschool/90_ucsschool/essential/schoolroom.py (-1 / +2 lines)

Lines 3-8	Link Here

import univention.testing.ucr as ucr_test

import univention.testing.ucr as ucr_test

import univention.testing.ucsschool as utu

import univention.testing.ucsschool as utu

import univention.testing.utils as utils

import univention.testing.utils as utils

from ucsschool.lib.models import LibComputerRoom

class FailQuery(Exception):

class FailQuery(Exception):

Lines 49-55	Link Here

		self.client = Client.get_test_connection()

		self.client = Client.get_test_connection()

	def dn(self):

	def dn(self):

		return 'cn=%s-%s,cn=raeume,cn=groups,%s' % (self.school, self.name, utu.UCSTestSchool().get_ou_base_dn(self.school))

		return LibComputerRoom(school="myschool", name='{}-{}'.format("myschool", "myname")).dn

	def add(self, should_pass=True):

	def add(self, should_pass=True):

		param = [{

		param = [{




import univention.admin.uldap as udm_uldap
import univention.admin.uexceptions as udm_errors

from ucsschool.lib.models import School, User, Student, Teacher, TeachersAndStaff, Staff, SchoolClass, WorkGroup, Share
from ucsschool.lib.models.utils import add_stream_logger_to_schoollib
from ucsschool.lib.models.group import ComputerRoom


	PATH_CMD_CREATE_OU = PATH_CMD_BASE + '/create_ou'

	PATH_CMD_IMPORT_USER = PATH_CMD_BASE + '/import_user'
	CN_STUDENT = _ucr.get('ucsschool/ldap/default/container/pupils', 'schueler')
	CN_TEACHERS = _ucr.get('ucsschool/ldap/default/container/teachers', 'lehrer')
	CN_TEACHERS_STAFF = _ucr.get('ucsschool/ldap/default/container/teachers-and-staff', 'lehrer und mitarbeiter')
	CN_ADMINS = _ucr.get('ucsschool/ldap/default/container/admins', 'admins')
	CN_STAFF = _ucr.get('ucsschool/ldap/default/container/staff', 'mitarbeiter')

	def __init__(self):
		self._cleanup_ou_names = set()

		print ''
		print '*** Purging OU %s and related objects' % ou_name
		# remove OU specific groups
		search_base = School.get_search_base(ou_name)
		for grpdn in (
				search_base.administrative_ou_member_group,
				search_base.educational_ou_member_group,
				search_base.examGroup,
				search_base.administrative_ou_dc_group,
				search_base.educational_ou_dc_group,
				search_base.admin_group):
		):
			grpdn = grpdn % {'ou': ou_name, 'basedn': self._ucr.get('ldap/base')}
			self._remove_udm_object('groups/group', grpdn)

		# remove OU recursively

		Returns user container for specified user role and ou_name.
		"""
		if is_teacher and is_staff:
			return TeachersAndStaff.get_container(ou_name)
		if is_teacher:
			return Teacher.get_container(ou_name)
		if is_staff:
			return Staff.get_container(ou_name)
		return Student.get_container(ou_name)

	def get_workinggroup_dn(self, ou_name, group_name):
		"""
		Return the DN of the specified working group.
		"""
		return WorkGroup(school=ou_name, name="{}-{}".format(ou_name, group_name)).dn

	def get_workinggroup_share_dn(self, ou_name, group_name):
		"""
		Return the DN of the share object for the specified working group.
		"""
		return Share(school=ou_name, name="{}-{}".format(ou_name, group_name)).dn

	def create_teacher(self, *args, **kwargs):
		return self.create_user(*args, is_teacher=True, is_staff=False, **kwargs)

		return school_admin, dn

	def create_domain_admin(self, ou_name, username=None, password='univention'):
		search_base = School.get_search_base(ou_name)
		position = search_base.admins
		groups = ["cn=Domain Admins,cn=groups,%s" % (self.LDAP_BASE,)]
		udm = udm_test.UCSTestUDM()
		if username is None:

			class_name = uts.random_username()
		if not class_name.startswith('{}-'.format(ou_name)):
			class_name = '{}-{}'.format(ou_name, class_name)
		grp_dn = SchoolClass(school=ou_name, name=class_name).dn
		kwargs = {
			'school': ou_name,
			'name': class_name,

			workgroup_name = uts.random_username()
		if not workgroup_name.startswith('{}-'.format(ou_name)):
			workgroup_name = '{}-{}'.format(ou_name, workgroup_name)
		grp_dn = 'cn={},cn=schueler,cn=groups,ou={},{}'.format(workgroup_name, ou_name, self.LDAP_BASE)
		kwargs = {
			'school': ou_name,
			'name': workgroup_name,

		if wait_for_replication:
			utils.wait_for_replication()

		return workgroup_name, WorkGroup(**kwargs).dn

	def create_computerroom(self, ou_name, name=None, description=None, host_members=None, wait_for_replication=True):
		"""

(-)univention-management-console-module-selective-udm/umc/python/selective-udm/__init__.py (-1 / +2 lines)

Lines 48-53	Link Here

from univention.management.console.modules.sanitizers import StringSanitizer

from univention.management.console.modules.sanitizers import StringSanitizer

from univention.management.console.modules.decorators import sanitize

from univention.management.console.modules.decorators import sanitize

from ucsschool.lib.schoolldap import LDAP_Connection, SchoolBaseModule, ADMIN_WRITE, USER_READ

from ucsschool.lib.schoolldap import LDAP_Connection, SchoolBaseModule, ADMIN_WRITE, USER_READ

from ucsschool.lib.models import SchoolComputer

from univention.management.console.config import ucr

from univention.management.console.config import ucr

Lines 89-95	Link Here

			raise UMC_Error(_('Could not determine schoolOU.'))

			raise UMC_Error(_('Could not determine schoolOU.'))

		# Set new position

		# Set new position

		ldap_position.setDn(search_base.computers)

		ldap_position.setDn(SchoolComputer.get_container(search_base.school))

		self._check_usersid_join_permissions(ldap_user_read, request.options.get('usersid'))

		self._check_usersid_join_permissions(ldap_user_read, request.options.get('usersid'))

Return to bug 41231