Attachment #5136 for bug #30722

View | Details | Raw Unified | Return to bug 30722
Collapse All | Expand All

(-)a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/syntax.py (-3 / +3 lines)

Lines 1036-1046 class date(simple):	Link Here

1036

1037

	@classmethod

1037

	@classmethod

1038

	def parse(self, text):

1038

	def parse(self, text):

1039

		if self._re_iso.match(text) != None:

1039

		if text and self._re_iso.match(text):

1040

			year, month, day = map(lambda(x): int(x), text.split('-'))

1040

			year, month, day = map(lambda(x): int(x), text.split('-'))

1041

			if 1960 < year < 2100 and 1 <= month <= 12 and 1 <= day <= 31:

1041

			if 1960 < year < 2100 and 1 <= month <= 12 and 1 <= day <= 31:

1042

				return '%02d.%02d.%s' % ( day, month, str( year )[ 2 : ] )

1042

				return '%02d.%02d.%02d' % (day, month, year % 100)

1043

		if self._re_de.match(text) != None:

1043

		if text and self._re_de.match(text):

1044

			day, month, year = map(lambda(x): int(x), text.split('.'))

1044

			day, month, year = map(lambda(x): int(x), text.split('.'))

1045

			if 0 <= year <= 99 and 1 <= month <= 12 and 1 <= day <= 31:

1045

			if 0 <= year <= 99 and 1 <= month <= 12 and 1 <= day <= 31:

1046

				return text

1046

				return text




						except ( udm_errors.valueInvalidSyntax, udm_errors.valueError, TypeError ), e:
							subResults.append( False )
							subDetails.append( str(e) )
					result.append({
						'property': property_name,
						'valid': subResults,
						'details': subDetails
						})
				# otherwise we have a single value
				else:
					try:
						property_obj.syntax.parse( value )
						result.append({
							'property': property_name,
							'valid': True
							})
					except (udm_errors.valueInvalidSyntax, udm_errors.valueError, TypeError), ex:
						result.append({
							'property': property_name,
							'valid': False,
							'details' : str(ex)
							})

			return result

- 
--
.../modules/univention/admin/syntax.py                   |   14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)

(-)a/branches/ucs-3.1/ucs/management/univention-directory-manager-modules/modules/univention/admin/syntax.py (-7 / +9 lines)

Lines 702-708 class uid(simple):	Link Here

702

"""

702

"""

703

	min_length=1

703

	min_length=1

704

	max_length=16

704

	max_length=16

705

	regex = re.compile('(?u)(^[a-zA-Z0-9])[a-zA-Z0-9._-]*([a-zA-Z0-9]$)')

705

	regex = re.compile('^(?!admin$)[a-zA-Z0-9][a-zA-Z0-9._-]*[a-zA-Z0-9]$', re.UNICODE)

706

	error_message = _("Value must not contain anything other than digits, letters, dots, dash or underscore, must be at least 2 characters long, must start and end with a digit or letter, and must not be admin!")

706

	error_message = _("Value must not contain anything other than digits, letters, dots, dash or underscore, must be at least 2 characters long, must start and end with a digit or letter, and must not be admin!")

707

708

class uid_umlauts(simple):

708

class uid_umlauts(simple):

Lines 1111-1117 class dnsSRVName(complex):	Link Here

1111

"""

1111

"""

1112

	min_elements = 2

1112

	min_elements = 2

1113

	all_required = False

1113

	all_required = False

1114

	subsyntaxes = ( ( _( 'Service' ), TwoThirdsString ), ( _( 'Protocol' ), ipProtocolSRV ), ( _( 'Extension' ), string ) )

1114

	subsyntaxes = (

1115

			(_('Service'), TwoThirdsString),

1116

			(_('Protocol'), ipProtocolSRV),

1117

			(_('Extension'), string)

1118

1115

1119

1116

class postalAddress( complex ):

1120

class postalAddress( complex ):

1117

	delimiter = ', '

1121

	delimiter = ', '

Lines 2448-2458 class LDAP_Search( select ):	Link Here

2448

	Searches can be either defined dynamically via a UDM settings/syntax

2452

	Searches can be either defined dynamically via a UDM settings/syntax

2449

	definition and using

2453

	definition and using

2450

2454

2451

	>>> LDAP_Search( syntax_name = '<NAME>' )

2455

	> LDAP_Search( syntax_name = '<NAME>' )

2452

2456

2453

	or programmatically	by directly instantiating

2457

	or programmatically by directly instantiating

2454

2458

2455

	>>> LDAP_Search( filter = '<LDAP-Search-Filter>', attribute = [ '<LDAP attributes>', ... ], value = '<LDAP attribute>', base = '<LDAP base>' )

2459

	> LDAP_Search(filter='<LDAP-Search-Filter>', attribute=['<LDAP attributes>', ...], value='<LDAP attribute>', base='<LDAP base>')

2456

"""

2460

"""

2457

	FILTER_PATTERN = '(&(objectClass=univentionSyntax)(cn=%s))'

2461

	FILTER_PATTERN = '(&(objectClass=univentionSyntax)(cn=%s))'

2458

2462

2459

2460

--

2461

.../modules/univention/admin/handlers/users/user.py           |    9 ---------

2463

.../modules/univention/admin/handlers/users/user.py           |    9 ---------

2462

1 file changed, 9 deletions(-)

2464

1 file changed, 9 deletions(-)




	# returns the difference in hours between local time and GMT (is -1 for CET and CEST)
	return time.timezone/3600

def shift(string, offset):
	# shifts the string #offset chars to the left
	if offset<0:
		for i in range(0, abs(offset)):
			string=string[-1:]+string[:-1]
	else:
		for i in range(0, offset):
			string=string[1:]+string[:1]
	return string

def load_certificate(user_certificate):
	"""Import a certificate in DER format"""
- 
--
.../univention/admin/handlers/users/user.py        |   92 ++++++++++----------
1 file changed, 46 insertions(+), 46 deletions(-)




import univention.admin.mungeddial as mungeddial
import univention.admin.handlers.settings.prohibited_username

import univention.debug as ud
import univention.password

translation=univention.admin.localization.translation('univention.admin.handlers.users')

	return time.strftime("%Y-%m-%d",time.gmtime(long(days)*3600*24))

def sambaWorkstationsMap(workstations):
	ud.debug(ud.ADMIN, ud.ALL, 'samba: sambaWorkstationMap: in=%s; out=%s' % (workstations,string.join(workstations, ',')))
	return string.join(workstations, ',')

def sambaWorkstationsUnmap(workstations):
	ud.debug(ud.ADMIN, ud.ALL, 'samba: sambaWorkstationUnmap: in=%s; out=%s' % (workstations[0],string.split(workstations[0],',')))
	return string.split(workstations[0],',')

def logonHoursMap(logontimes):

		elif re.match('^emailAddress=', i):
			value['certificateSubjectMail']=string.split(i, '=')[1]

	ud.debug(ud.ADMIN, ud.ERROR, 'value=%s' % value)
	return value

def mapHomePostalAddress(old):

	try:
		return base64.encodestring( value[ 0 ] )
	except Exception, e:
		ud.debug(ud.ADMIN, ud.ERROR, 'ERROR in users.user.mapBase64(): %s' % e)
	return ""

def mapBase64( value ):

	try:
		return base64.decodestring( value )
	except Exception, e:
		ud.debug(ud.ADMIN, ud.ERROR, 'ERROR in users.user.mapBase64(): %s' % e)
	return ""

mapping.register('userCertificate', 'userCertificate;binary', mapBase64, unmapBase64 )

				if options[opt].matches(ocs):
					self.options.append(opt)
		else:
			ud.debug(ud.ADMIN, ud.INFO, 'users/user.py: reset options to default by _define_options' )
			self._define_options( options )

		if 'posix' in self.options:

			# shadowExpire contains the absolute date to expire the account.

			if 'shadowExpire' in self.oldattr and len(self.oldattr['shadowExpire']) > 0 :
				ud.debug(ud.ADMIN, ud.INFO, 'userexpiry: %s' % posixDaysToDate(self.oldattr['shadowExpire'][0]))
				if self.oldattr['shadowExpire'][0] != '1':
					self.info['userexpiry'] = posixDaysToDate(self.oldattr['shadowExpire'][0])
			if 'shadowLastChange' in self.oldattr and 'shadowMax' in self.oldattr and len(self.oldattr['shadowLastChange']) > 0 and len(self.oldattr['shadowMax']) > 0:
				try:
					self.info['passwordexpiry'] = posixDaysToDate(int(self.oldattr['shadowLastChange'][0]) +  int(self.oldattr['shadowMax'][0]))
				except:
					ud.debug(ud.ADMIN, ud.WARN, 'users/user: failed to calculate password expiration correctly, use only shadowMax instead')
					self.info['passwordexpiry'] = posixDaysToDate(int(self.oldattr['shadowMax'][0]))

		if 'kerberos' in self.options:
			if self.oldattr.has_key('krb5ValidEnd'):
				krb5validend=self.oldattr['krb5ValidEnd'][0]
				ud.debug(ud.ADMIN, ud.INFO, 'krb5validend is: %s' %
						       krb5validend)
				self.info['userexpiry']="%s-%s-%s"%(krb5validend[0:4],krb5validend[4:6],krb5validend[6:8])
		elif 'samba' in self.options:
			if self.oldattr.has_key('sambaKickoffTime'):
				ud.debug(ud.ADMIN, ud.INFO, 'sambaKickoffTime is: %s' %
						       self.oldattr['sambaKickoffTime'][0])
				self.info['userexpiry']=time.strftime("%Y-%m-%d",time.gmtime(long(self.oldattr['sambaKickoffTime'][0])+(3600*24)))


			# FIXME: we should NEVER catch all exceptions
			except Exception, e:
				# at least write some debuging output..
				ud.debug(ud.ADMIN, ud.INFO, 'Caught exception: %s' % e )
				ud.debug(ud.ADMIN, ud.INFO, 'Continuing without dn..')
				self.dn=None
				return


				self['lastname']=sn
		except Exception, e:					# FIXME: we should NEVER catch all exceptions
			# at least write some debuging output..
			ud.debug(ud.ADMIN, ud.INFO, 'Caught exception: %s' % e )
			ud.debug(ud.ADMIN, ud.INFO, 'Continuing without dn..')
			self.dn=None
			return


						self['groups']=self.lo.searchDn(filter='(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=%s))' % univention.admin.filter.escapeForLdapFilter(self.dn))
					else:
						self.groupsLoaded=0
						ud.debug(ud.ADMIN, ud.INFO, 'user: open with loadGroups=false for user %s'%self['username'])
					primaryGroupNumber=self.oldattr.get('gidNumber',[''])[0]
					if primaryGroupNumber:
						primaryGroupResult=self.lo.searchDn('(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber='+primaryGroupNumber+'))')

							except:
								primaryGroup = None

							ud.debug(ud.ADMIN, ud.INFO, 'user: could not find primaryGroup, setting primaryGroup to %s' % primaryGroup)

							self['primaryGroup']=primaryGroup
							self.newPrimaryGroupDn=primaryGroup


		# change memberUid if we have a new username
		if not old_uid == new_uid and self.exists():
			ud.debug(ud.ADMIN, ud.INFO, 'users/user: rewrite memberuid after rename')
			for group in new_groups:
				self.__rewrite_member_uid( group )

		group_mod = univention.admin.modules.get('groups/group')

		ud.debug(ud.ADMIN, ud.INFO, 'users/user: check groups in old_groups')
		for group in old_groups:
			if group and not case_insensitive_in_list(group, self.info.get('groups', [])) and group.lower() != self['primaryGroup'].lower():
				grpobj = group_mod.object(None, self.lo, self.position, group)
				grpobj.fast_member_remove( [ self.dn ], [ old_uid ] )

		ud.debug(ud.ADMIN, ud.INFO, 'users/user: check groups in info[groups]')
		for group in self.info.get('groups', []):
			if group and not case_insensitive_in_list(group, old_groups):
				grpobj = group_mod.object(None, self.lo, self.position, group)
				grpobj.fast_member_add( [ self.dn ], [ new_uid ] )

		if univention.admin.baseConfig.is_true("directory/manager/user/primarygroup/update", True):
			ud.debug(ud.ADMIN, ud.INFO, 'users/user: check primaryGroup')
			if not self.exists() and self.info.get('primaryGroup'):
				grpobj = group_mod.object(None, self.lo, self.position, self.info.get('primaryGroup'))
				grpobj.fast_member_add( [ self.dn ], [ new_uid ] )

				if UIDs:
					new_uids.append(UIDs[0])
					if len(UIDs) > 1:
						ud.debug(ud.ADMIN, ud.WARN, 'users/user: A groupmember has multiple UIDs (%s %s)' % (memberDNstr, repr(uid_list)))
		self.lo.modify(group, [ ( 'memberUid', uids, new_uids ) ] )

	def __primary_group(self):

			searchResult=self.lo.search(base=self.oldinfo['primaryGroup'], attr=['gidNumber'])
			for tmp,number in searchResult:
				oldPrimaryGroup = number['gidNumber']
			ud.debug(ud.ADMIN, ud.INFO, 'users/user: set gidNumber by oldinfo')
			self.lo.modify(self.dn, [('gidNumber',oldPrimaryGroup[0], primaryGroupNumber[0])])
			if 'samba' in self.options:
				ud.debug(ud.ADMIN, ud.INFO, 'users/user: set sambaPrimaryGroupSID by oldinfo')
				self.lo.modify(self.dn, [('sambaPrimaryGroupSID',oldPrimaryGroup[0], primaryGroupSambaNumber[0])])
		else:
			searchResult=self.lo.search(base=self.dn, scope='base', attr=['gidNumber'])
			for tmp,number in searchResult:
				oldNumber = number['gidNumber']
			ud.debug(ud.ADMIN, ud.INFO, 'users/user: set gidNumber')
			self.lo.modify(self.dn, [('gidNumber',oldNumber, primaryGroupNumber[0])])
			if 'samba' in self.options:
				ud.debug(ud.ADMIN, ud.INFO, 'users/user: set sambaPrimaryGroupSID')
				self.lo.modify(self.dn, [('sambaPrimaryGroupSID',oldNumber, primaryGroupSambaNumber[0])])



			group_mod = univention.admin.modules.get('groups/group')
			grpobj = group_mod.object(None, self.lo, self.position, self.newPrimaryGroupDn)
			grpobj.fast_member_add( [ self.dn ], [ new_uid ] )
			ud.debug(ud.ADMIN, ud.INFO, 'users/user: adding to new primaryGroup %s (uid=%s)' % (self.newPrimaryGroupDn, new_uid))

		self.save()


		return self['username']+'@'+realm

	def _ldap_pre_create(self):
		_d=ud.function('admin.handlers.users.user.object._ldap_pre_create')

		self.dn='uid=%s,%s' % ( self['username'], self.position.getDn())
		ud.debug(ud.ADMIN, ud.INFO, 'users/user: dn was set to %s'%self.dn)
		if not self['password']:
			self['password']=self.oldattr.get('password',[''])[0]
			self.modifypassword=0

		sambaPwdLastSetValue = ''	# if is filled, it will be added to ml in the end

		if self.options != self.old_options:
			ud.debug(ud.ADMIN, ud.INFO, 'options: %s' % self.options)
			ud.debug(ud.ADMIN, ud.INFO, 'old_options: %s' % self.old_options)
			# pki option add / remove
			if 'pki' in self.options and not 'pki' in self.old_options:
				ud.debug(ud.ADMIN, ud.INFO, 'added pki option')
				ocs=self.oldattr.get('objectClass', [])
				if not 'pkiUser' in ocs:
					ml.insert(0, ('objectClass', '', 'pkiUser'))
			if not 'pki' in self.options and 'pki' in self.old_options:
				ud.debug(ud.ADMIN, ud.INFO, 'remove pki option')
				ocs=self.oldattr.get('objectClass', [])
				if 'pkiUser' in ocs:
					ml.insert(0, ('objectClass', 'pkiUser', ''))

						ml=self._remove_attr(ml,attr)
			# ldap_pwd option add / remove
			if 'ldap_pwd' in self.options and not 'ldap_pwd' in self.old_options:
				ud.debug(ud.ADMIN, ud.INFO, 'added ldap_pwd option')
				ocs=self.oldattr.get('objectClass', [])
				if not 'simpleSecurityObject' in ocs:
					ml.insert(0, ('objectClass', '', 'simpleSecurityObject'))
					ml.insert(0, ('objectClass', '', 'uidObject'))
			if not 'ldap_pwd' in self.options and 'ldap_pwd' in self.old_options:
				ud.debug(ud.ADMIN, ud.INFO, 'remove ldap_pwd option')
				ocs=self.oldattr.get('objectClass', [])
				if 'simpleSecurityObject' in ocs:
					ml.insert(0, ('objectClass', 'simpleSecurityObject', ''))


						shadowLastChangeValue = str(int(now))

					ud.debug(ud.ADMIN, ud.INFO, 'shadowMax: %s' % shadowMax)
					old_shadowMax=self.oldattr.get('shadowMax', '')
					if old_shadowMax != shadowMax:
						ml.append(('shadowMax',self.oldattr.get('shadowMax', [''])[0], shadowMax))

						krb5PasswordEnd=''
					else:
						krb5PasswordEnd="%s" % "20"+expiry[6:8]+expiry[3:5]+expiry[0:2]+"000000Z"
					ud.debug(ud.ADMIN, ud.INFO, 'krb5PasswordEnd: %s' % krb5PasswordEnd)
					old_krb5PasswordEnd=self.oldattr.get('krb5PasswordEnd', '')
					if old_krb5PasswordEnd != krb5PasswordEnd:
						ml.append(('krb5PasswordEnd',self.oldattr.get('krb5PasswordEnd', [''])[0], krb5PasswordEnd))

				shadowExpire=''
				if self['userexpiry']:
					shadowExpire="%d" % long(time.mktime(time.strptime(self['userexpiry'],"%d.%m.%y"))/3600/24+1)
					ud.debug(ud.ADMIN, ud.INFO, 'shadowExpire: %s' % shadowExpire)
				old_shadowExpire=self.oldattr.get('shadowExpire', '')
				if old_shadowExpire != shadowExpire:
					ml.append(('shadowExpire',self.oldattr.get('shadowExpire', [''])[0], shadowExpire))

				sambaKickoffTime=''
				if self['userexpiry']:
					sambaKickoffTime="%d" % long(time.mktime(time.strptime(self['userexpiry'],"%d.%m.%y")))
					ud.debug(ud.ADMIN, ud.INFO, 'sambaKickoffTime: %s' % sambaKickoffTime)
				old_sambaKickoffTime=self.oldattr.get('sambaKickoffTime', '')
				if old_sambaKickoffTime != sambaKickoffTime:
					ml.append(('sambaKickoffTime',self.oldattr.get('sambaKickoffTime', [''])[0], sambaKickoffTime))

				krb5ValidEnd=''
				if self['userexpiry']:
					krb5ValidEnd="%s" % "20"+self['userexpiry'][6:8]+self['userexpiry'][3:5]+self['userexpiry'][0:2]+"000000Z"
					ud.debug(ud.ADMIN, ud.INFO, 'krb5ValidEnd: %s' % krb5ValidEnd)
				old_krb5ValidEnd=self.oldattr.get('krb5ValidEnd', '')
				if old_krb5ValidEnd != krb5ValidEnd:
					if not self['userexpiry']:

			if 'kerberos' in self.options:
				expiry=time.strftime("%d.%m.%y",time.gmtime((long(time.time()))))
				krb5PasswordEnd="%s" % "20"+expiry[6:8]+expiry[3:5]+expiry[0:2]+"000000Z"
				ud.debug(ud.ADMIN, ud.INFO, 'krb5PasswordEnd: %s' % krb5PasswordEnd)
				old_krb5PasswordEnd=self.oldattr.get('krb5PasswordEnd', '')
				if old_krb5PasswordEnd != krb5PasswordEnd:
					ml.append(('krb5PasswordEnd',self.oldattr.get('krb5PasswordEnd', [''])[0], krb5PasswordEnd))

				now=(long(time.time())/3600/24)
				shadowLastChangeValue = str(int(now))

				ud.debug(ud.ADMIN, ud.INFO, 'shadowMax: %s' % shadowMax)
				old_shadowMax=self.oldattr.get('shadowMax', [''])[0]
				if old_shadowMax != shadowMax:
					ml.append(('shadowMax', old_shadowMax, shadowMax))

			if 'samba' in self.options:
				sambaPwdLastSetValue = str(long(time.time()))
				# transfered into ml below
				ud.debug(ud.ADMIN, ud.INFO, 'sambaPwdLastSetValue: %s' % sambaPwdLastSetValue)

			# 4. set kerberos attribute
			if 'kerberos' in self.options:

				else:
					expiry=time.strftime("%d.%m.%y",time.gmtime((long(time.time()) + (expiryInterval*3600*24))))
					krb5PasswordEnd="%s" % "20"+expiry[6:8]+expiry[3:5]+expiry[0:2]+"000000Z"
				ud.debug(ud.ADMIN, ud.INFO, 'krb5PasswordEnd: %s' % krb5PasswordEnd)
				old_krb5PasswordEnd=self.oldattr.get('krb5PasswordEnd', [''])[0]
				if old_krb5PasswordEnd != krb5PasswordEnd:
					ml.append(('krb5PasswordEnd',old_krb5PasswordEnd, krb5PasswordEnd))

			else:
				try:
					self.alloc.append( ( 'mailPrimaryAddress', self[ 'mailPrimaryAddress' ] ) )
					ud.debug( ud.ADMIN, ud.INFO, "LOCKING: %s" % self[ 'mailPrimaryAddress' ] )
					univention.admin.allocators.request( self.lo, self.position, 'mailPrimaryAddress', value = self[ 'mailPrimaryAddress' ] )
					ud.debug( ud.ADMIN, ud.INFO, "LOCKING DONE: %s" % self[ 'mailPrimaryAddress' ] )
				except univention.admin.uexceptions.noLock:
					self.cancel()
					raise univention.admin.uexceptions.mailAddressUsed
- 
--
.../univention/admin/handlers/users/user.py        |  120 +++++++++-----------
1 file changed, 55 insertions(+), 65 deletions(-)




	return time.strftime("%Y-%m-%d",time.gmtime(long(days)*3600*24))

def sambaWorkstationsMap(workstations):
	tmp = ','.join(workstations)
	ud.debug(ud.ADMIN, ud.ALL, 'samba: sambaWorkstationMap: in=%s; out=%s' % (workstations, tmp))
	return tmp

def sambaWorkstationsUnmap(workstations):
	tmp = workstations[0].split(',')
	ud.debug(ud.ADMIN, ud.ALL, 'samba: sambaWorkstationUnmap: in=%s; out=%s' % (workstations[0], tmp))
	return tmp

def logonHoursMap(logontimes):
	"converts the bitfield 001110010110...100 to the respective string"


	def convert_certdate (certdate):
		datestring=str(certdate)
		dl = datestring.split()
		month=[None, 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
		try:
			dl[0]=month.index(dl[0])

	if not serial:
		return {}

	ATTR = {
			"C": "Country",
			"ST": "State",
			"L": "Location",
			"O": "Organisation",
			"OU": "OrganisationalUnit",
			"CN": "CommonName",
			"emailAddress": "Mail",
			}[key]
	value = {
			'certificateDateNotBefore': convert_certdate(not_before),
			'certificateDateNotAfter': convert_certdate(not_after),
			'certificateVersion': str(version),
			'certificateSerial': str(serial),
			}
	for i in issuer.split('/'):
		try:
			key, val = i.split('=', 1)
		except ValueError:
			continue
		try:
			attr = "certificateIssuer%s" % ATTR[key]
		except KeyError:
			continue
		value[attr] = val
			value['certificateIssuerOrganisationalUnit']=string.split(i, '=')[1]
		elif re.match('^CN=', i):
			value['certificateIssuerCommonName']=string.split(i, '=')[1]
		elif re.match('^emailAddress=', i):
			value['certificateIssuerMail']=string.split(i, '=')[1]
	for i in subject.split('/'):
		try:
			key, val = i.split('=', 1)
		except ValueError:
			continue
		try:
			attr = "certificateSubject%s" % ATTR[key]
		except KeyError:
			continue
		value[attr] = val
			value['certificateSubjectOrganisationalUnit']=string.split(i, '=')[1]
		elif re.match('^CN=', i):
			value['certificateSubjectCommonName']=string.split(i, '=')[1]
		elif re.match('^emailAddress=', i):
			value['certificateSubjectMail']=string.split(i, '=')[1]

	ud.debug(ud.ADMIN, ud.ERROR, 'value=%s' % value)
	return value

			self['disabled']='all'

	def __is_kerberos_disabled(self):
		return self['disabled'] in ('all', 'kerberos', 'posix_kerberos', 'windows_kerberos')

		return False
	def __is_windows_disabled(self):
		return self['disabled'] in ('all', 'windows', 'windows_posix', 'windows_kerberos')

		return False
	def __is_posix_disabled(self):
		return self['disabled'] in ('all', 'posix', 'posix_kerberos', 'windows_posix')
			return True
		return False

	def __pwd_is_auth_saslpassthrough(self, password):
		if password.startswith('{SASL}') and univention.admin.baseConfig.get('directory/manager/web/modules/users/user/auth/saslpassthrough','no').lower() == 'keep':

			if self['passwordexpiry']:
				today=time.strftime('%Y-%m-%d').split('-')
				expiry=self['passwordexpiry'].split('-')
				if int(''.join(today)) >= int(''.join(expiry)):
				# today.reverse()
				if int(string.join(today,''))>=int(string.join(expiry,'')):
					self['pwdChangeNextLogin']='1'

			if 'samba' in self.options:

	def __passwordInHistory(self, newpassword, pwhistory):
		# first calc hash for the new pw
		s = hashlib.sha1( newpassword.encode( 'utf-8' ) )
		newpwhash = s.hexdigest().upper()
		return pwhistory.find(newpwhash) >= 0
			# password has already been used.
			return 1
		return 0

	def __getPWHistory(self, newpassword, pwhistory, pwhlen):
		# first calc hash for the new pw
		s = hashlib.sha1( newpassword.encode( 'utf-8' ) )
		newpwhash = s.hexdigest().upper()

		# split the history
		if len(pwhistory.strip()):
			pwlist = pwhistory.split(' ')
		else:
			pwlist = []


					else:
						pwlist.append(newpwhash)
		# and build the new history
		res = ' '.join(pwlist)
		return res

	def __getsmbPWHistory(self, newpassword, smbpwhistory, smbpwhlen):
		# split the history
		if len(smbpwhistory.strip()):
			pwlist = smbpwhistory.split(' ')
		else:
			pwlist = []


					pwlist.append(smbpwhash)

		# and build the new history
		res = ''.join(pwlist)
		return res

	def __generate_user_sid(self, uidNum):
- 
--
.../univention/admin/handlers/users/user.py        |   37 +++++++++++++-------
1 file changed, 25 insertions(+), 12 deletions(-)




	return value

def mapHomePostalAddress(old):
	"""Map address to LDAP encoding.
	>>> mapHomePostalAddress(["a", "b", "c"])
	'a$b$c'
	"""
	return '$'.join(old)

def unmapHomePostalAddress(old):
	"""Expand LDAP encoded address.
	>>> unmapHomePostalAddress(['foo'])
	[['foo', ' ', ' ']]
	>>> unmapHomePostalAddress(['foo$bar$baz'])
	[['foo', 'bar', 'baz']]
	"""
	new=[]
	for i in old:
		if '$' in i:

mapping.register('birthday', 'univentionBirthday', None, univention.admin.mapping.ListToString)

def mapKeyAndValue(old):
	"""Map (key, value) list to key=value list.
	>>> mapKeyAndValue([("a", "b")])
	['a=b']
	"""
	return ["%s=%s" % tuple(entry) for entry in old]

def unmapKeyAndValue(old):
	"""Map (key=value) list to (key, value) list.
	>>> unmapKeyAndValue(["a=b"])
	[('a', 'b')]
	"""
	return [tuple(entry.split('=', 1)) for entry in old]

def unmapBase64( value ):
	try:

			and not '$' in attr.get('uid',[])
		        and not 'univentionHost' in attr.get('objectClass', [])
			)

if __name__ == '__main__':
	import doctest
	doctest.testmod()
.../univention/admin/handlers/users/user.py        |   85 +++++---------------
1 file changed, 18 insertions(+), 67 deletions(-)




	return tmp

def logonHoursMap(logontimes):
	"""Converts array of bits set to an hex-string."""
	octets = [0] * (24 * 7 / 8)
	# convert list of bit numbers to bit-string
	# bitstring = '0' * 168
	bitstring = ''.join( map( lambda x: x in logontimes and '1' or '0', range( 168 ) ) )

	# for idx in logontimes:
	# 	bitstring[ idx ] = '1'

	logontimes = bitstring

	# the order of the bits of each byte has to be reversed. The reason for this is that
	# consecutive bytes mean consecutive 8-hrs-intervals, but the MSB stands for
	# the last hour in that interval, the 2nd leftmost bit for the second-to-last
	# hour and so on. We want to hide this from anybody using this feature.
	# See <http://ma.ph-freiburg.de/tng/tng-technical/2003-04/msg00015.html> for details.
	for hour in logontimes:
		idx, bit = divmod(hour, 8)
		octets[idx] |= 1 << bit
	return ''.join(['%02x' % _ for _ in octets])
		bitlist.reverse()
		newtimes+="".join(bitlist)
	logontimes = newtimes

	# create a hexnumber from each 8-bit-segment
	ret=""
	for i in range(0,21):
	        val=0
	        exp=7
	        for j in range((i*8), (i*8)+8):
	                if not (logontimes[j]=="0"):
	                        val+=2**exp
	                exp-=1
		# we now have: 0<=val<=255
	        hx=hex(val)[2:4]
	        if len(hx)==1: hx="0"+hx
	        ret+=hx

	return ret

def logonHoursUnmap(logontimes):
	"""Converts hex-string to an array of bits set."""
	times = logontimes[0].ljust(42, '0')[:42]
	assert len(times) == 24 * 7 / 4
	octets = [int(times[i : i + 2], 16) for i in range(0, len(times), 2)]
	assert len(octets) == 24 * 7 / 8
	return [idx * 8 + bit
			for (idx, value) in enumerate(octets)
			for bit in range(8)
			if value & (1 << bit)]

	# reverse order of the bits in each byte. See above for details
	newtime = ""
	for i in range(0, 21):
		bitlist=list(ret[(i*8):(i*8)+8])
		bitlist.reverse()
		newtime+="".join(bitlist)

	# convert bit-string to list
	return filter( lambda i: newtime[ i ] == '1', range( 168 ) )

def intToBinary(val):
        ret=""
        while val>0:
                ret=str(val&1)+ret
                val=val>>1
        # pad with leading 0s until length is n*8
        if ret=="": ret="0"
        while not (len(ret)%8==0):
                ret="0"+ret
        return ret

def GMTOffset():
	# returns the difference in hours between local time and GMT (is -1 for CET and CEST)
- 
--
.../univention/admin/handlers/users/user.py        |   89 ++++++++------------
1 file changed, 35 insertions(+), 54 deletions(-)




					return []
				if pwhistoryPolicy and pwhistoryPolicy.has_key('length') and pwhistoryPolicy['length']:
					pwhlen = int(pwhistoryPolicy['length'])
					newPWHistory = object.__getPWHistory(self['password'], pwhistory, pwhlen)
					ml.append(('pwhistory', self.oldattr.get('pwhistory', [''])[0], newPWHistory))
			if pwhistoryPolicy != None and pwhistoryPolicy['pwLength'] != None and pwhistoryPolicy['pwLength'] != 0 and self['overridePWLength'] != '1':
					if len(self['password']) < int(pwhistoryPolicy['pwLength']):

		newpwhash = s.hexdigest().upper()
		return pwhistory.find(newpwhash) >= 0

	@staticmethod
	def __getPWHistory(newpassword, pwhistory, pwhlen):
		"""Save history of previopusly used passwords.
		>>> object.__getPWHistory("a", "b", 0)
		"b"
		>>> object.__getPWHistory("a", "", 1)
		"86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8"
		>>> object.__getPWHistory("a", "b", 1)
		"86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8"
		>>> object.__getPWHistory("a", "b", 2)
		"b 86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8"
		"""
		#this preserves a temporary disabled history
		if pwhlen > 0:
			# first calc hash for the new pw
			s = hashlib.sha1(newpassword.encode('utf-8'))
			newpwhash = s.hexdigest().upper()

			# split the history
			pwlist = pwhistory.strip().split(' ')
			# append new hash
			pwlist.append(newpwhash)
			# strip old hashes
			pwlist = pwlist[-pwhlen:]
			# build histroy
			pwhistory = ' '.join(pwlist)
		return pwhistory
						# just to be sure...
						pwlist[1:] = []
					else:
						pwlist.append(newpwhash)
		# and build the new history
		res = ' '.join(pwlist)
		return res

	def __getsmbPWHistory(self, newpassword, smbpwhistory, smbpwhlen):
		# split the history

		pwdhash = hashlib.md5(salt + pwd).hexdigest().upper()
		smbpwhash = hexsalt+pwdhash

		# split the history
		pwlist = smbpwhistory.strip().split(' ')
		# append new hash
		pwlist.append(smbpwhash)
		# strip old hashes
		pwlist = pwlist[-smbpwhlen:]
		# build history
		smbpwhistory = ''.join(pwlist)
		return smbpwhistory
				pwlist.append(smbpwhash)
			else:
				# or replace the history completely
				if len(pwlist) > 0:
					pwlist[0] = smbpwhash
					# just to be sure...
					pwlist[1:] = []
				else:
					pwlist.append(smbpwhash)

		# and build the new history
		res = ''.join(pwlist)
		return res

	def __generate_user_sid(self, uidNum):
		# TODO: cleanup function
- 
--
.../modules/univention/admin/password.py           |   54 +++++++++++---------
1 file changed, 29 insertions(+), 25 deletions(-)




# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

import heimdal
import smbpasswd
from univention.config_registry import ConfigRegistry
from crypt import crypt as _crypt

configRegistry = ConfigRegistry()
configRegistry.load()

def crypt(password):
	"""return crypt hash"""

	valid = ['.', '/', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j',
		'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
		'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
		'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
		'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5',
		'6', '7', '8', '9' ]
	salt = ''
	urandom = open("/dev/urandom", "r")
	for i in xrange(0, 16): # up to 16 bytes of salt are evaluated by crypt(3), overhead is ignored
		o = ord(urandom.read(1))
		while not o < 256 / len(crypt.VALID) * len(crypt.VALID): # make sure not to skew the distribution when using modulo
			o = ord(urandom.read(1))
		salt = salt + crypt.VALID[(o % len(crypt.VALID))]
	urandom.close()

	method = configRegistry.get('password/hashing/method', 'sha-512').upper()
	method_id = crypt.METHOD.get(method, 6)
	return _crypt(password.encode('utf-8'), '$%s$%s$' % (method_id, salt, ))
crypt.VALID = (
		'.', '/', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j',
		'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
		'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
		'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
		'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5',
		'6', '7', '8', '9',
		)
crypt.METHOD = {
		'MD5': '1',
		'SHA256': '5',
		'SHA-256': '5',
		'SHA512': '6',
		'SHA-512': '6',
		}

def ntlm(password):
	"""return tuple with NT and LanMan hash"""

	return (nt, lm)

def krb5_asn1(principal, password, krb5_context=None):
	if isinstance(principal, unicode):
	if type(principal) == types.UnicodeType:
		principal = str( principal )
	if isinstance(password, unicode):
		password = str( password )
	if not krb5_context:
		krb5_context = heimdal.context()
	result = []
	for krb5_etype in krb5_context.get_permitted_enctypes():
		if str(krb5_etype) == 'des3-cbc-md5' and configRegistry.is_false('password/krb5/enctype/des3-cbc-md5', True):
			continue
		krb5_principal = heimdal.principal(krb5_context, principal)
		krb5_keyblock = heimdal.keyblock(krb5_context, krb5_etype, password, krb5_principal)
		krb5_salt = heimdal.salt(krb5_context, krb5_principal)
		result.append(heimdal.asn1_encode_key(krb5_keyblock, krb5_salt, 0))
	return result
- 
--
.../modules/univention/admin/handlers/users/user.py           |    9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)




			pwlist = []

		#calculate the password hash & salt
		salt=''
		urandom = open('/dev/urandom', 'r')
		#get 16 bytes from urandom for salting our hash
		salt = urandom.read(16)
		for i in range(0, len(rand)):
			salt = salt + '%.2X' % ord(rand[i])
		#we have to have that in hex
		hexsalt = salt.encode('hex').upper()
		#and binary for calculating the md5
		salt = self.getbytes(salt)
		#we need the ntpwd binary data to
		pwd = self.getbytes(newpassword)
		#calculating hash. sored as a 32byte hex in sambePasswordHistory,
- 
--
.../modules/univention/admin/handlers/users/user.py             |    7 +------
1 file changed, 1 insertion(+), 6 deletions(-)




		#we have to have that in hex
		hexsalt = salt.encode('hex').upper()
		#we need the ntpwd binary data to
		pwd = newpassword.decode('hex')
		#calculating hash. sored as a 32byte hex in sambePasswordHistory,
		#syntax like that: [Salt][MD5(Salt+Hash)]
		#	First 16bytes ^		^ last 16bytes.


		return userSid

	def getbytes(self, string):
		#return byte values of a string (for smbPWHistory)
		bytes = [int(string[i:i+2], 16) for i in xrange(0, len(string), 2)]
		return struct.pack("%iB" % len(bytes), *bytes)

	def cancel(self):
		for i,j in self.alloc:
			univention.admin.allocators.release(self.lo, self.position, i, j)
- 
--
.../univention/admin/handlers/users/user.py        |   70 +++++++++++---------
1 file changed, 39 insertions(+), 31 deletions(-)





import hashlib
import os
import string
import re
import copy
import time
import types
import struct
import tempfile
from M2Crypto import X509

			pwhistoryPolicy = self.loadPolicyObject('policies/pwhistory')
			if self['overridePWHistory'] != '1':
				#TODO: if checkbox "override pwhistory" is not set
				if object._passwordInHistory(self['password'], pwhistory):
					raise univention.admin.uexceptions.pwalreadyused
					return []
				if pwhistoryPolicy and pwhistoryPolicy.has_key('length') and pwhistoryPolicy['length']:
					pwhlen = int(pwhistoryPolicy['length'])
					newPWHistory = object._getPWHistory(self['password'], pwhistory, pwhlen)
					ml.append(('pwhistory', self.oldattr.get('pwhistory', [''])[0], newPWHistory))
			if pwhistoryPolicy != None and pwhistoryPolicy['pwLength'] != None and pwhistoryPolicy['pwLength'] != 0 and self['overridePWLength'] != '1':
					if len(self['password']) < int(pwhistoryPolicy['pwLength']):

				sambaPwdLastSetValue = str(long(time.time()))

				smbpwhistoryPolicy = self.loadPolicyObject('policies/pwhistory')
				if smbpwhistoryPolicy and smbpwhistoryPolicy['length'] != None:
					smbpwhlen = int(pwhistoryPolicy['length'])
					smbpwhistory=self.oldattr.get('sambaPasswordHistory',[''])[0]
					newsmbPWHistory = object._getsmbPWHistory(password_nt, smbpwhistory, smbpwhlen)
					ml.append(('sambaPasswordHistory', self.oldattr.get('sambaPasswordHistory', [''])[0], newsmbPWHistory))

			if 'kerberos' in self.options:

						ml.insert(0, ('objectClass', '', 'automount'))

					am_host=share['host']
					if not self['homeSharePath'] or not isinstance(self['homeSharePath'], basestring):
						raise univention.admin.uexceptions.missingInformation, _('%(homeSharePath)s must be given if %(homeShare)s is given.') % {'homeSharePath' : _('Home share path'), 'homeShare' : _('Home share')}
					else:
						am_path = os.path.abspath(os.path.join(share['path'], self['homeSharePath']))

				self.move_subelements(tmpdn, olddn, subelements, ignore_license)
				raise

	@staticmethod
	def _passwordInHistory(newpassword, pwhistory):
		"""Check if new password was already used.
		>>> object._passwordInHistory('a', '')
		False
		>>> object._passwordInHistory('a', 'b')
		False
		>>> object._passwordInHistory('a', 'b 86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8')
		True
		"""
		# first calc hash for the new pw
		s = hashlib.sha1(newpassword.encode('utf-8'))
		newpwhash = s.hexdigest().upper()
		pwlist = pwhistory.strip().split(' ')
		return newpwhash in pwlist

	@staticmethod
	def _getPWHistory(newpassword, pwhistory, pwhlen):
		"""Save history of previopusly used passwords.
		>>> object._getPWHistory('a', 'b', 0)
		'b'
		>>> object._getPWHistory('a', '', 1)
		'86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8'
		>>> object._getPWHistory('a', 'b', 1)
		'86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8'
		>>> object._getPWHistory('a', 'b', 2)
		'b 86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8'
		"""
		#this preserves a temporary disabled history
		if pwhlen > 0:

			pwhistory = ' '.join(pwlist)
		return pwhistory

	@staticmethod
	def _getsmbPWHistory(self, newpassword, smbpwhistory, smbpwhlen):
		"""Save history of previopusly used passwords.
		"""
		else:
			pwlist = []

		#calculate the password hash & salt
		urandom = open('/dev/urandom', 'r')
		try:
			#get 16 bytes from urandom for salting our hash
			salt = urandom.read(16)
		finally:
			urandom.close()
		#we have to have that in hex
		hexsalt = salt.encode('hex').upper()
		#we need the ntpwd binary data to
		password = newpassword.decode('hex')
		#calculating hash. sored as a 32byte hex in sambePasswordHistory,
		#syntax like that: [Salt][MD5(Salt+Hash)]
		#	First 16bytes ^		^ last 16bytes.
		pwdhash = hashlib.md5(salt + password).hexdigest().upper()
		smbpwhash = hexsalt + pwdhash

		# split the history
		pwlist = smbpwhistory.strip().split(' ')
- 
--
.../univention/admin/handlers/users/user.py        |  116 ++++++--------------
1 file changed, 33 insertions(+), 83 deletions(-)





def load_certificate(user_certificate):
	"""Import a certificate in DER format"""
	if not user_certificate:

	tempf=tempfile.mktemp()
	fh=open(tempf,'w')
	fh.write( certificate )
	fh.close()

	x509 = X509.load_cert( tempf, format = X509.FORMAT_DER )
	os.unlink( tempf )
	if not x509:
		return {}
	try:
		certificate = base64.decodestring( user_certificate )
	except base64.binascii.Error, ex:

	if not not_after or not not_before:
		return {}

	def convert_certdate (certdate):
		datestring=str(certdate)
		dl = datestring.split()
		month=[None, 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ]
		try:
			dl[0]=month.index(dl[0])
		except:
			return ''
		return "%s-%02d-%02d" % ( dl[ 3 ], int( dl[ 0 ] ), int( dl[ 1 ] ) )

	issuer=str(x509.get_issuer())
	if not issuer:
		return {}

	subject=str(x509.get_subject())
	if not subject:
		return {}

	version=x509.get_version()
	if not version:
		return {}
	try:
		x509 = X509.load_cert_string(certificate, X509.FORMAT_DER)

		values = {
				'certificateDateNotBefore': x509.get_not_before().get_datetime().date().isoformat(),
				'certificateDateNotAfter': x509.get_not_after().get_datetime().date().isoformat(),
				'certificateVersion': str(x509.get_version()),
				'certificateSerial': str(x509.get_serial_number()),
				}
		flags = X509.m2.XN_FLAG_SEP_MULTILINE & ~X509.m2.ASN1_STRFLGS_ESC_MSB | X509.m2.ASN1_STRFLGS_UTF8_CONVERT
		for entity, prefix in (
			(x509.get_issuer(), "certificateIssuer"),
			(x509.get_subject(), "certificateSubject"),
			):
			for key, attr in load_certificate.ATTR.items():
				value = getattr(entity, key)
				values[prefix + attr] = value
	except (X509.X509Error, AttributeError), ex:
		return {}

	ud.debug(ud.ADMIN, ud.ERROR, 'value=%s' % values)
	return values
load_certificate.ATTR = {
			"C": "Country",
			"ST": "State",
			"L": "Location",

			"OU": "OrganisationalUnit",
			"CN": "CommonName",
			"emailAddress": "Mail",
			}[key]
	value = {
			'certificateDateNotBefore': convert_certdate(not_before),
			'certificateDateNotAfter': convert_certdate(not_after),
			'certificateVersion': str(version),
			'certificateSerial': str(serial),
			}
	for i in issuer.split('/'):
		try:
			key, val = i.split('=', 1)
		except ValueError:
			continue
		try:
			attr = "certificateIssuer%s" % ATTR[key]
		except KeyError:
			continue
		value[attr] = val
	for i in subject.split('/'):
		try:
			key, val = i.split('=', 1)
		except ValueError:
			continue
		try:
			attr = "certificateSubject%s" % ATTR[key]
		except KeyError:
			continue
		value[attr] = val

	ud.debug(ud.ADMIN, ud.ERROR, 'value=%s' % value)
	return value

def mapHomePostalAddress(old):
	"""Map address to LDAP encoding.

		self.old_options= copy.deepcopy( self.options )


	def reload_certificate(self):
		"""Reload user certificate."""
		self.info['certificateSubjectCountry']=''
		self.info['certificateSubjectState']=''
		self.info['certificateSubjectLocation']=''

		self.info['certificateDateNotAfter']=''
		self.info['certificateVersion']=''
		self.info['certificateSerial']=''
		certificate = self.info.get('userCertificate')
		values = load_certificate(certificate)
		if values:
			for key, value in values.items():
				self.info[key] = value
			values=load_certificate(self.info['userCertificate'])
			if not values:
				self.__certificate_clean()
			else:
				for i in values.keys():
					self.info[i]=values[i]
		else:
			self.info['userCertificate'] = ''

	def hasChanged(self, key):
		if key == 'disabled':
- 

Return to bug 30722