Attachment #8455 for bug #43628

(-)conffiles/etc/univention/s4connector/s4/mapping.py (+3 lines)

Lines 759-764	Link Here

759

			post_ucs_modify_functions=[

759

			post_ucs_modify_functions=[

760

				univention.s4connector.s4.ntsecurity_descriptor.ntsd_to_ucs,

760

				univention.s4connector.s4.ntsecurity_descriptor.ntsd_to_ucs,

761

],

761

],

762

			pre_con_modify_functions=[

763

				univention.s4connector.s4.ntsecurity_descriptor.ntsd_is_unchanged_in_s4,

764

],

762

			post_con_create_functions = [

765

			post_con_create_functions = [

763

				univention.s4connector.s4.ntsecurity_descriptor.ntsd_to_s4,

766

				univention.s4connector.s4.ntsecurity_descriptor.ntsd_to_s4,

764

],

767

],




		ucs_create_functions=[],
		con_create_extenstions=[],
		post_con_create_functions=[],
		pre_con_modify_functions=[],
		post_con_modify_functions=[],
		post_ucs_modify_functions=[],
		post_attributes=None,

		self.con_create_extenstions = con_create_extenstions

		self.post_con_create_functions = post_con_create_functions
		self.pre_con_modify_functions = pre_con_modify_functions
		self.post_con_modify_functions = post_con_modify_functions
		self.post_ucs_modify_functions = post_ucs_modify_functions


			except (ldap.SERVER_DOWN, SystemExit):
				raise
			except:  # FIXME: which exception is to be caught?
				self._debug_traceback(ud.ERROR, "failed in post_ucs_modify_functions")
				result = False

			if result:




				else:
					ud.debug(ud.LDAP, ud.INFO, "to modify: %s" % object['dn'])
					ud.debug(ud.LDAP, ud.ALL, "sync_from_ucs: modlist: %s" % modlist)

				if hasattr(self.property[property_type], "pre_con_modify_functions"):
					for f in self.property[property_type].pre_con_modify_functions:
						ud.debug(ud.LDAP, ud.INFO, "Call pre_con_modify_function: %s" % f)
						if not f(self, property_type, object):
							ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: Veto by pre_con_modify_function %s" % f)
							ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: Skipping modify")

							ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: unlock UCS entryUUID: %s" % entryUUID)
							self.lockingdb.unlock_ucs(entryUUID)

							self._check_dn_mapping(pre_mapped_ucs_dn, object['dn'])
							return True
						ud.debug(ud.LDAP, ud.INFO, "Call pre_con_modify_function: %s (ok)" % f)

				if modlist:
					try:
						self.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), compatible_modlist(modlist), serverctrls=self.serverctrls_for_add_and_modify)
					except:




	domain_sid = security.dom_sid(s4connector.s4_sid)
	return decode_sd_in_ndr_to_sddl(domain_sid, ntsd_ndr)

# Pre-modify function

def ntsd_is_unchanged_in_s4(s4connector, key, object):
	(s4_dn, s4_attributes) = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE, '(objectClass=*)', ['nTSecurityDescriptor', 'uSNChanged', 'objectGUID'])[0]
	ntsd_ndr = s4_attributes.get('nTSecurityDescriptor')
	if ntsd_ndr:
		domain_sid = security.dom_sid(s4connector.s4_sid)
		s4_ntsd_sddl = decode_sd_in_ndr_to_sddl(domain_sid, ntsd_ndr[0])
		if s4_ntsd_sddl == ucs_ntsd_sddl:
			ud.debug(ud.LDAP, ud.INFO, 'ntsd_to_s4: nTSecurityDescriptors are equal')
			return True

		guid_blob = s4_attributes.get('objectGUID')[0]
		objectGUID = str(ndr_unpack(misc.GUID, guid_blob))
		old_s4_object = s4connector.s4cache.get_entry(objectGUID)
		if old_s4_object:
			if old_s4_object.get('uSNChanged')[0] != s4_attributes.get('uSNChanged')[0]:
				ud.debug(ud.LDAP, ud.PROCESS, "ntsd_to_s4: skipping, S4-Object changed: %s" % object['dn'])
				return False
	return True

# Post-create/modify functions



		return

	ucs_ntsd_sddl = object['attributes']['msNTSecurityDescriptor'][0]
	(s4_dn, s4_attributes) = s4connector.lo_s4.lo.search_s(s4_dn, ldap.SCOPE_BASE, '(objectClass=*)', ['nTSecurityDescriptor', 'objectGUID'])[0]
	ntsd_ndr = s4_attributes.get('nTSecurityDescriptor')
	if ntsd_ndr:
		domain_sid = security.dom_sid(s4connector.s4_sid)

			ud.debug(ud.LDAP, ud.INFO, 'ntsd_to_s4: nTSecurityDescriptors are equal')
			return

		guid_blob = s4_attributes.get('objectGUID')[0]
		objectGUID = str(ndr_unpack(misc.GUID, guid_blob))
		old_s4_object = s4connector.s4cache.get_entry(objectGUID)
		if old_s4_object:
			if old_s4_object.get('uSNChanged')[0] != s4_attributes.get('uSNChanged')[0]:
				ud.debug(ud.LDAP, ud.PROCESS, "ntsd_to_s4: skipping, S4-Object changed: %s" % object['dn'])
				return

		ud.debug(ud.LDAP, ud.INFO, 'ntsd_to_s4: changing nTSecurityDescriptor from %s to %s' % (s4_ntsd_sddl, ucs_ntsd_sddl))

		ucs_ntsd_ndr = encode_sddl_to_sd_in_ndr(domain_sid, ucs_ntsd_sddl)

Return to bug 43628