pykolab/setup/setup_ldap.py
Show First 20 Lines • Show All 115 Lines • ▼ Show 20 Lines | if conf.with_openldap and not conf.with_ad: | ||||
fp.close() | fp.close() | ||||
return | return | ||||
elif conf.with_ad and not conf.with_openldap: | elif conf.with_ad and not conf.with_openldap: | ||||
conf.command_set('ldap', 'auth_attributes', 'samaccountname') | conf.command_set('ldap', 'auth_attributes', 'samaccountname') | ||||
conf.command_set('ldap', 'modifytimestamp_format', '%%Y%%m%%d%%H%%M%%S.0Z') | conf.command_set('ldap', 'modifytimestamp_format', '%%Y%%m%%d%%H%%M%%S.0Z') | ||||
conf.command_set('ldap', 'unique_attribute', 'userprincipalname') | conf.command_set('ldap', 'unique_attribute', 'userprincipalname') | ||||
# TODO: These attributes need to be checked | # TODO: These attributes need to be checked | ||||
conf.command_set('ldap', 'mail_attributes', 'mail') | conf.command_set('ldap', 'mail_attributes', 'mail') | ||||
conf.command_set('ldap', 'mailserver_attributes', 'mailhost') | conf.command_set('ldap', 'mailserver_attributes', 'mailhost') | ||||
conf.command_set('ldap', 'quota_attribute', 'mailquota') | conf.command_set('ldap', 'quota_attribute', 'mailquota') | ||||
return | return | ||||
elif conf.with_ad and conf.with_openldap: | elif conf.with_ad and conf.with_openldap: | ||||
▲ Show 20 Lines • Show All 434 Lines • ▼ Show 20 Lines | """ % (_input) | ||||
log.info(_("Writing out cn=kolab,cn=config")) | log.info(_("Writing out cn=kolab,cn=config")) | ||||
dn = 'cn=kolab,cn=config' | dn = 'cn=kolab,cn=config' | ||||
# A dict to help build the "body" of the object | # A dict to help build the "body" of the object | ||||
attrs = {} | attrs = {} | ||||
attrs['objectclass'] = ['top','extensibleobject'] | attrs['objectclass'] = ['top','extensibleobject'] | ||||
attrs['cn'] = "kolab" | attrs['cn'] = "kolab" | ||||
attrs['aci'] = '(targetattr = "*") (version 3.0;acl "Kolab Services";allow (read,compare,search)(userdn = "ldap:///uid=kolab-service,ou=Special Users,%s");)' % (_input['rootdn']) | |||||
# Convert our dict to nice syntax for the add-function using modlist-module | # Convert our dict to nice syntax for the add-function using modlist-module | ||||
ldif = ldap.modlist.addModlist(attrs) | ldif = ldap.modlist.addModlist(attrs) | ||||
# Do the actual synchronous add-operation to the ldapserver | # Do the actual synchronous add-operation to the ldapserver | ||||
auth._auth.ldap.add_s(dn, ldif) | auth._auth.ldap.add_s(dn, ldif) | ||||
auth._auth.set_entry_attribute( | |||||
dn, | |||||
'aci', | |||||
'(targetattr = "*") (version 3.0;acl "Kolab Services";allow (read,compare,search)(userdn = "ldap:///%s");)' % ('uid=kolab-service,ou=Special Users,%s' % (_input['rootdn'])) | |||||
) | |||||
# TODO: Add kolab-admin role | |||||
# TODO: Assign kolab-admin admin ACLs | |||||
log.info(_("Adding domain %s to list of domains for this deployment") % (_input['domain'])) | log.info(_("Adding domain %s to list of domains for this deployment") % (_input['domain'])) | ||||
dn = "associateddomain=%s,cn=kolab,cn=config" % (_input['domain']) | dn = "associateddomain=%s,cn=kolab,cn=config" % (_input['domain']) | ||||
attrs = {} | attrs = {} | ||||
attrs['objectclass'] = ['top','domainrelatedobject'] | attrs['objectclass'] = ['top','domainrelatedobject'] | ||||
attrs['associateddomain'] = [ | attrs['associateddomain'] = [ | ||||
'%s' % (_input['domain']), | '%s' % (_input['domain']), | ||||
'%s' % (_input['fqdn']), | '%s' % (_input['fqdn']), | ||||
'localhost.localdomain', | 'localhost.localdomain', | ||||
▲ Show 20 Lines • Show All 46 Lines • ▼ Show 20 Lines | """ % (_input) | ||||
dn = "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" | dn = "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" | ||||
modlist = [] | modlist = [] | ||||
modlist.append((ldap.MOD_REPLACE, "alwaysrecordlogin", "yes")) | modlist.append((ldap.MOD_REPLACE, "alwaysrecordlogin", "yes")) | ||||
modlist.append((ldap.MOD_ADD, "stateattrname", "lastLoginTime")) | modlist.append((ldap.MOD_ADD, "stateattrname", "lastLoginTime")) | ||||
modlist.append((ldap.MOD_ADD, "altstateattrname", "createTimestamp")) | modlist.append((ldap.MOD_ADD, "altstateattrname", "createTimestamp")) | ||||
auth._auth.ldap.modify_s(dn, modlist) | auth._auth.ldap.modify_s(dn, modlist) | ||||
# TODO: Add kolab-admin role | # Add kolab-admin role | ||||
log.info(_("Adding the kolab-admin role")) | log.info(_("Adding the kolab-admin role")) | ||||
dn = "cn=kolab-admin,%s" % (_input['rootdn']) | dn = "cn=kolab-admin,%s" % (_input['rootdn']) | ||||
attrs = {} | attrs = {} | ||||
attrs['description'] = "Kolab Administrator" | attrs['description'] = "Kolab Administrator" | ||||
attrs['objectClass'] = ['top','ldapsubentry','nsroledefinition','nssimpleroledefinition','nsmanagedroledefinition'] | attrs['objectClass'] = ['top','ldapsubentry','nsroledefinition','nssimpleroledefinition','nsmanagedroledefinition'] | ||||
attrs['cn'] = "kolab-admin" | attrs['cn'] = "kolab-admin" | ||||
ldif = ldap.modlist.addModlist(attrs) | ldif = ldap.modlist.addModlist(attrs) | ||||
auth._auth.ldap.add_s(dn, ldif) | auth._auth.ldap.add_s(dn, ldif) | ||||
# TODO: User writeable attributes on root_dn | # User writeable attributes on root_dn | ||||
log.info(_("Setting access control to %s") % (_input['rootdn'])) | log.info(_("Setting access control to %s") % (_input['rootdn'])) | ||||
dn = _input['rootdn'] | dn = _input['rootdn'] | ||||
aci = [] | aci = [] | ||||
if schema_error: | if schema_error: | ||||
aci.append('(targetattr = "carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || l || labeledURI || mobile || o || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier") (version 3.0; acl "Enable self write for common attributes"; allow (read,compare,search,write)(userdn = "ldap:///self");)') | aci.append('(targetattr = "carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || l || labeledURI || mobile || o || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier") (version 3.0; acl "Enable self write for common attributes"; allow (read,compare,search,write)(userdn = "ldap:///self");)') | ||||
else: | else: | ||||
aci.append('(targetattr = "carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || l || labeledURI || mobile || o || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier || kolabDelegate || kolabInvitationPolicy || kolabAllowSMTPSender") (version 3.0; acl "Enable self write for common attributes"; allow (read,compare,search,write)(userdn = "ldap:///self");)') | aci.append('(targetattr = "carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || l || labeledURI || mobile || o || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier || kolabDelegate || kolabInvitationPolicy || kolabAllowSMTPSender") (version 3.0; acl "Enable self write for common attributes"; allow (read,compare,search,write)(userdn = "ldap:///self");)') | ||||
aci.append('(targetattr = "*") (version 3.0;acl "Directory Administrators Group";allow (all)(groupdn = "ldap:///cn=Directory Administrators,%(rootdn)s" or roledn = "ldap:///cn=kolab-admin,%(rootdn)s");)' % (_input)) | aci.append('(targetattr = "*") (version 3.0;acl "Directory Administrators Group";allow (all)(groupdn = "ldap:///cn=Directory Administrators,%(rootdn)s" or roledn = "ldap:///cn=kolab-admin,%(rootdn)s");)' % (_input)) | ||||
aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)') | aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)') | ||||
aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)') | aci.append('(targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)') | ||||
aci.append('(targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%(hostname)s,cn=389 Directory Server,cn=Server Group,cn=%(fqdn)s,ou=%(domain)s,o=NetscapeRoot";)' %(_input)) | aci.append('(targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%(hostname)s,cn=389 Directory Server,cn=Server Group,cn=%(fqdn)s,ou=%(domain)s,o=NetscapeRoot";)' % (_input)) | ||||
aci.append('(targetattr != "userPassword") (version 3.0;acl "Search Access";allow (read,compare,search)(userdn = "ldap:///all");)') | aci.append('(targetattr != "userPassword") (version 3.0;acl "Search Access";allow (read,compare,search)(userdn = "ldap:///all");)') | ||||
modlist = [] | modlist = [] | ||||
modlist.append((ldap.MOD_REPLACE, "aci", aci)) | modlist.append((ldap.MOD_REPLACE, "aci", aci)) | ||||
auth._auth.ldap.modify_s(dn, modlist) | auth._auth.ldap.modify_s(dn, modlist) | ||||
if os.path.isfile('/bin/systemctl'): | if os.path.isfile('/bin/systemctl'): | ||||
if not os.path.isfile('/usr/lib/systemd/system/dirsrv-admin.service'): | if not os.path.isfile('/usr/lib/systemd/system/dirsrv-admin.service'): | ||||
log.info(_("directory server admin service not available")) | log.info(_("directory server admin service not available")) | ||||
else: | else: | ||||
subprocess.call(['/bin/systemctl', 'enable', 'dirsrv-admin.service']) | subprocess.call(['/bin/systemctl', 'enable', 'dirsrv-admin.service']) | ||||
elif os.path.isfile('/sbin/chkconfig'): | elif os.path.isfile('/sbin/chkconfig'): | ||||
subprocess.call(['/sbin/chkconfig', 'dirsrv-admin', 'on']) | subprocess.call(['/sbin/chkconfig', 'dirsrv-admin', 'on']) | ||||
elif os.path.isfile('/usr/sbin/update-rc.d'): | elif os.path.isfile('/usr/sbin/update-rc.d'): | ||||
subprocess.call(['/usr/sbin/update-rc.d', 'dirsrv-admin', 'defaults']) | subprocess.call(['/usr/sbin/update-rc.d', 'dirsrv-admin', 'defaults']) | ||||
else: | else: | ||||
log.error(_("Could not start and configure to start on boot, the " + \ | log.error(_("Could not start and configure to start on boot, the " + \ | ||||
"directory server admin service.")) | "directory server admin service.")) | ||||
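Review bot: The "Kolab Services" ACI written for cn=kolab,cn=config (the `auth._auth.set_entry_attribute(dn, 'aci', ...)` call, and the `attrs['aci'] = ...` line that the other side of this change carries — the page shows no +/- markers, so which is the new side is inferred) splices `_input['rootdn']` into a double-quoted `userdn` with bare `%s` and no escaping, so a root DN containing `"` or `;` would produce a malformed or rejected ACI; the `%(rootdn)s` ACIs later applied to the root suffix share this. The nested formatting `'...ldap:///%s");)' % ('uid=kolab-service,ou=Special Users,%s' % (_input['rootdn']))` is also harder to read than the file's own convention; `'(targetattr = "*") (version 3.0;acl "Kolab Services";allow (read,compare,search)(userdn = "ldap:///uid=kolab-service,ou=Special Users,%(rootdn)s");)' % (_input)` matches the "Directory Administrators Group" ACI below. Applying the ACI as a separate step after `add_s` also means a failure between the two leaves cn=kolab,cn=config without the service ACI, and neither call is guarded, so a re-run of setup against an existing entry presumably raises ldap.ALREADY_EXISTS before the ACI is reapplied — a short comment stating that the entry must not pre-exist, e.g. `# Fails with ALREADY_EXISTS if cn=kolab,cn=config is present; ACI is applied after the add`, would help the next maintainer. The enclosing function starts outside the hunk.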