Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/python
- import base64
- import logging
- import os
- import pwd
- import shlex
- import subprocess
- import sys
- from grp import getgrnam
- from optparse import OptionParser
- import DbInc
- import ldap
- import ldap.cidict
- import ldap.sasl
- import psycopg2
- import psycopg2.extras
- from ldap.controls import SimplePagedResultsControl
- fields = {
- 'WIN2003': {
- 'person': ['person'],
- 'group': ['group'],
- 'objectguid': ['objectGUID', 'dn', 'rdn'],
- 'displayname': ['name', 'cn', 'givenName', 'sn'],
- 'description': ['description'],
- 'memberof': ['memberOf'],
- 'member': ['member'],
- 'oname': ['sAMAccountName', 'mailnickname', 'uid', 'cn', 'loginname'],
- 'mails': ['mail', 'userPrincipalName', 'proxyAddresses', 'rfc822mailbox']
- },
- 'COMMUNIGATE': {
- 'person': ['inetOrgPerson'],
- 'group': ['group'],
- 'objectguid': ['uid', 'dn', 'rdn'],
- 'displayname': ['name', 'cn', 'givenName', 'sn'],
- 'memberof': ['memberof'],
- 'member': ['member'],
- 'oname': ['sAMAccountName', 'mailnickname', 'uid', 'cn', 'loginname'],
- 'mails': ['mail', 'userPrincipalName', 'proxyAddresses', 'rfc822mailbox', 'email']
- },
- 'LOTUSNOTES': {
- 'person': ['inetorgperson'],
- 'group': ['group'],
- 'objectguid': ['uid', 'dn', 'rdn'],
- 'displayname': ['name', 'cn', 'givenName', 'sn'],
- 'memberof': ['memberof'],
- 'member': ['member'],
- 'oname': ['sAMAccountName', 'mailnickname', 'uid', 'cn', 'loginname'],
- 'mails': ['mail', 'userPrincipalName', 'proxyAddresses', 'rfc822mailbox', 'email']
- },
- 'IPLANET': {
- 'person': ['inetOrgPerson'],
- 'group': ['groupOfUniqueNames'],
- 'objectguid': ['uid', 'dn', 'rdn'],
- 'displayname': ['name', 'cn', 'givenName', 'sn'],
- 'memberof': ['memberof'],
- 'member': ['uniqueMember'],
- 'oname': ['sAMAccountName', 'mailnickname', 'uid', 'cn', 'loginname'],
- 'mails': ['mail', 'userPrincipalName', 'proxyAddresses', 'rfc822mailbox', 'email']
- },
- 'NOVELL': {
- 'person': ['inetOrgPerson'],
- 'group': ['groupOfNames'],
- 'objectguid': ['uid', 'dn', 'rdn'],
- 'displayname': ['name', 'cn', 'givenName', 'sn'],
- 'memberof': ['groupMembership'],
- 'member': ['member'],
- 'oname': ['sAMAccountName', 'mailnickname', 'uid', 'cn', 'loginname'],
- 'mails': ['mail', 'userPrincipalName', 'proxyAddresses', 'rfc822mailbox', 'email']
- }
- }
- class paLdap:
- partly_succesfull_flag = False
- def __init__(self, _connector, _ldap_fields, loghandler, connect_timeout=5):
- self.connector = _connector
- self.def_domain = ''
- for part in self.connector['base_dn'].split(","):
- if not self.def_domain:
- self.def_domain = part.split("=")[1]
- else:
- self.def_domain += "." + part.split("=")[1]
- self.log_handler = loghandler
- self.ldap_fields = _ldap_fields
- self.ldap_timeout = 30
- self.connect_timeout = connect_timeout
- self.ldap_protocol = 'ldap://'
- if self.connector['is_ssl'] == 't':
- self.ldap_protocol = 'ldaps://'
- self.server = ""
- # print 'LDAP password:\n\t %s' % base64.b64decode(self.connector['ldap_password'])
- # print 'LDAP user:\n\t %s' % self.connector['bind_dn']
- self.connect()
- def connect(self):
- for ldap_server in self.connector['server_ip'].split():
- self.ldap_url = self.ldap_protocol + ldap_server + ':' + str(self.connector['port'])
- self.server = ldap_server
- try:
- self.conn = ldap.initialize(self.ldap_url)
- self.conn.network_timeout = self.connect_timeout
- self.conn.set_option(ldap.OPT_REFERRALS, 0)
- self.conn.simple_bind_s(self.connector['bind_dn'], base64.b64decode(self.connector['ldap_password']))
- return
- except ldap.SERVER_DOWN:
- LOGGER("LDAP server %s did not respond in %s seconds" % (ldap_server, self.connect_timeout), self.log_handler)
- self.conn.unbind_s()
- self.conn = None
- continue
- except ldap.INVALID_CREDENTIALS, e:
- print 'Invalid credentials error:\nERROR: %s' % str(e)
- LOGGER(str(e), self.log_handler)
- sys.exit(1)
- except ldap.LDAPError, e:
- LOGGER('LDAP connection error:\n\tERROR: %s' % e[0]["desc"], self.log_handler)
- sys.exit(1)
- LOGGER('No response from LDAP servers', self.log_handler)
- sys.exit(1)
- def disconnect(self):
- if not self.conn:
- return
- try:
- self.conn.unbind_s()
- self.conn = None
- except ldap.LDAPError, e:
- print 'LDAP disconnection error: %s' % str(e)
- LOGGER(str(e), self.log_handler)
- def ldap_paged_search(self, group=0, sizelimit=0):
- ix = 0
- base_dn = self.connector['base_dn']
- if self.connector["server_type"] == "OPENLDAP":
- self.fields = {
- 'person': [self.connector["ldap_person_class"]],
- 'group': [self.connector["ldap_group_class"]],
- 'objectguid': [self.connector["ldap_group_id"]],
- 'displayname': [self.connector["ldap_display_name"], 'name', 'cn', 'givenName', 'sn'],
- 'dn': [self.connector["ldap_dn"]],
- 'memberof': [self.connector["ldap_member_of"]],
- 'member': [self.connector["ldap_member"]],
- 'oname': [self.connector["ldap_cn"]],
- 'mails': [self.connector["ldap_email"]],
- 'description': ['description']
- }
- else:
- self.fields = self.ldap_fields.get(self.connector["server_type"])
- if self.connector["ldap_filter"] == '' or \
- self.connector["ldap_filter"] == "objectClass=Person" or \
- self.connector["ldap_filter"] is None:
- objectClassUsers = "(objectClass=person"
- else:
- # compile filter
- objectClassUsers = "(&(objectClass=person)(|"
- for entry in self.connector["ldap_filter"].split(";"):
- objectClassUsers += "(name=%s*)" % entry
- objectClassUsers += "(cn=%s*)" % entry
- objectClassUsers += "(%s=%s*)" % (self.fields["oname"][0], entry)
- objectClassUsers += ")"
- if self.connector["ldap_group_filter"] == '' or \
- self.connector["ldap_group_filter"] == "objectClass=Group" or \
- self.connector["ldap_group_filter"] is None:
- objectClassGroups = "(objectClass=group"
- else:
- objectClassGroups = "(&(objectClass=group)(|"
- for entry in self.connector["ldap_group_filter"].split(";"):
- objectClassGroups += "(name=%s*)" % entry
- objectClassGroups += "(cn=%s*)" % entry
- objectClassGroups += "(%s=%s*)" % (self.fields["oname"][0], entry)
- objectClassGroups += ")"
- self.attrs = []
- for field in self.fields.items():
- self.attrs.extend(field[1][0].split(","))
- if not group:
- query = "%s)" % objectClassUsers
- else:
- query = "%s)" % objectClassGroups
- self.ldap_page_size = 0
- try:
- msgid_test = self.conn.search_ext(base_dn, ldap.SCOPE_SUBTREE, query, attrlist=self.attrs, serverctrls=[])
- res_test = self.conn.result3(msgid=msgid_test, timeout=self.ldap_timeout)
- except ldap.SIZELIMIT_EXCEEDED, e:
- self.disconnect()
- self.connect()
- self.ldap_page_size = 100
- self.paged_results_control = SimplePagedResultsControl(True, self.ldap_page_size, '')
- except ldap.FILTER_ERROR, e:
- LOGGER('LDAP filter error:\n\tERROR: %s' % e[0]["desc"], self.log_handler)
- sys.exit()
- while True:
- if self.ldap_page_size == 0:
- serverctrls = []
- else:
- serverctrls = [self.paged_results_control]
- try:
- msgid = self.conn.search_ext(base_dn, ldap.SCOPE_SUBTREE, query, attrlist=self.attrs, serverctrls=serverctrls)
- res = self.conn.result3(msgid=msgid, timeout=self.ldap_timeout)
- unused_code, results, unused_msgid, serverctrls = res
- except ldap.FILTER_ERROR, e:
- LOGGER('LDAP filter error:\n\tERROR: %s' % e[0]["desc"], self.log_handler)
- sys.exit(1)
- for result in results:
- ix += 1
- # users.append(result)
- yield result
- if sizelimit and ix >= sizelimit:
- self.partly_succesfull_flag = True
- break
- if sizelimit and ix >= sizelimit:
- self.partly_succesfull_flag = True
- break
- cookie = None
- for serverctrl in serverctrls:
- if serverctrl.controlType == ldap.CONTROL_PAGEDRESULTS:
- cookie = serverctrl.cookie
- if cookie:
- self.paged_results_control.cookie = cookie
- break
- if not cookie:
- break
- def get_connector_users(self):
- self.users = {}
- # LOGGER("got obj from ldap",self.log_handler)
- # print self.def_domain
- counter = 0
- for user in self.ldap_paged_search():
- self.ldap_ogid = ''
- tmp_user = {}
- if type(user[1]) is dict:
- # print user
- tmp_user["isgroup"] = 0
- tmp_user["obj_dn"] = user[0]
- for attributes in self.fields["objectguid"]:
- for attr in attributes.split(","):
- if user[1].has_key(attr):
- self.ldap_ogid = user[1][attr][0].encode('hex')
- break
- if not self.ldap_ogid:
- self.ldap_ogid = user[0].encode('hex')
- for attributes in self.fields["displayname"]:
- for attr in attributes.split(","):
- if user[1].has_key(attr):
- tmp_user["obj_full_name"] = user[1][attr][0]
- break
- not_valid_user = False
- for attributes in self.fields["oname"]:
- for attr in attributes.split(","):
- if user[1].has_key(attr):
- if "$" not in user[1][attr][0].lower():
- # tmp_user["userlogin"] = user[1][attr][0].replace(' ','_')
- tmp_user["obj_login"] = user[1][attr][0].lower()
- break
- else:
- not_valid_user = True
- if not tmp_user.has_key("obj_login"):
- not_valid_user = True
- if not_valid_user:
- continue
- # tmp_user["oname"] += "@" + self.def_domain
- # tmp_user["userlogin"] += "@" + self.def_domain
- aliases = []
- tmp_aliases = set()
- for attributes in self.fields["mails"]:
- for attr in attributes.split(","):
- if user[1].has_key(attr):
- for alias in user[1][attr]:
- pe = alias.split(":")
- if pe[0].lower() == "smtp":
- if pe[1].lower() not in aliases:
- aliases.append(pe[1].lower())
- elif "@" in alias and alias.lower() not in aliases:
- aliases.append(alias.lower())
- if len(aliases):
- tmp_user["email"] = aliases[0]
- else:
- # tmp_user["email"] = "%s@%s" % (tmp_user["userlogin"], self.def_domain)
- tmp_user["email"] = "%s@%s" % (tmp_user["obj_login"], self.def_domain)
- if len(aliases) > 0:
- # tmp_user["def_email"] = aliases[0]
- tmp_user["email"] = aliases[0]
- tmp_aliases = set(aliases[1:])
- tmp_user["aliases"] = tmp_aliases
- memberOf = set()
- for attributes in self.fields["memberof"]:
- for attr in attributes.split(","):
- if user[1].has_key(attr):
- for group in user[1][attr]:
- memberOf.add(group)
- tmp_user["memberOf"] = memberOf
- counter += 1
- self.users[str(self.ldap_ogid)] = tmp_user
- return counter
- def get_connector_groups(self):
- self.groups = {}
- self.ldap_ogid = ''
- for group in self.ldap_paged_search(1):
- tmp_group = {}
- if type(group[1]) is dict:
- # print group
- tmp_group["isgroup"] = 1
- # tmp_group["group_dn"] = group[0]
- tmp_group["obj_dn"] = group[0]
- for attributes in self.fields["objectguid"]:
- for attr in attributes.split(","):
- if group[1].has_key(attr):
- self.ldap_ogid = group[1][attr][0].encode('hex')
- break
- if not self.ldap_ogid:
- self.ldap_ogid = group[0].encode('hex')
- for attributes in self.fields["displayname"]:
- for attr in attributes.split(","):
- if group[1].has_key(attr):
- # tmp_group["fullname"] = group[1][attr][0]
- tmp_group["obj_full_name"] = group[1][attr][0]
- break
- for attributes in self.fields["description"]:
- for attr in attributes.split(","):
- if group[1].has_key(attr):
- tmp_group["obj_description"] = group[1][attr][0]
- break
- else:
- tmp_group["obj_description"] = 'None'
- members = set()
- for attributes in self.fields["member"]:
- for attr in attributes.split(","):
- if group[1].has_key(attr):
- for user in group[1][attr]:
- members.add(user)
- tmp_group["member"] = members
- for attributes in self.fields["oname"]:
- for attr in attributes.split(","):
- if group[1].has_key(attr):
- # tmp_group["oname"] = group[1][attr][0].replace(' ','_')
- # tmp_group["userlogin"] = group[1][attr][0].replace(' ','_')
- # tmp_group["userlogin"] = group[1][attr][0]
- tmp_group["obj_login"] = group[1][attr][0]
- break
- # tmp_group["oname"] += "@" + self.def_domain
- # tmp_group["userlogin"] += "@" + self.def_domain
- aliases = []
- tmp_aliases = set()
- for attributes in self.fields["mails"]:
- for attr in attributes.split(","):
- if group[1].has_key(attr):
- for alias in group[1][attr]:
- pe = alias.split(":")
- if pe[0].lower() == "smtp":
- if pe[1].lower() not in aliases:
- aliases.append(pe[1].lower())
- elif "@" in alias and alias.lower() not in aliases:
- aliases.append(alias.lower())
- if len(aliases) > 0:
- tmp_group["def_email"] = aliases[0]
- tmp_aliases = set(aliases[1:])
- tmp_group["aliases"] = tmp_aliases
- self.groups[str(self.ldap_ogid)] = dict(tmp_group)
- # if len(tmp_group["aliases"]) or tmp_group.has_key("def_email"):
- # tmp_group["isgroup"] = 0
- # tmp_group["oname"] += "_aga"
- # tmp_group["dn"] += " Auto-group alias"
- # tmp_group["fullName"] += " Auto-group alias"
- # self.users[str(self.ldap_ogid + "_aga")] = tmp_group
- def __del__(self):
- self.disconnect()
- class paDB:
- def __init__(self, loghandler):
- self.log_handler = loghandler
- try:
- _db = 'um'
- _user = 'postgres'
- _host = '127.0.0.1'
- # _host='192.168.7.202'
- # self.db=psycopg2.connect(database='secure',host='192.168.7.102',user='pineapp')
- self.db = psycopg2.connect(database=_db, user=_user, host=_host)
- self.cur = self.db.cursor(cursor_factory=psycopg2.extras.DictCursor)
- except:
- # Get the most recent exception
- exceptionType, exceptionValue, exceptionTraceback = sys.exc_info()
- # Exit the script and print an error telling what happened.
- LOGGER("Database connection failed!\n ->%s" % (exceptionValue), self.log_handler)
- sys.exit("Database connection failed!\n ->%s" % (exceptionValue))
- def get_connectors(self):
- self.cur.execute(DbInc.Queries["SELECT"]["connectors"])
- self.connectors = self.cur.fetchall()
- def get_connector(self, connectorID):
- self.cur.execute(DbInc.Queries["SELECT"]["connector"], [connectorID])
- self.connectors = self.cur.fetchall()
- def buid_membership(self):
- self.cur.execute(DbInc.Queries["SELECT"]["user_member_of"])
- result = self.cur.fetchall()
- self.memberShip = {}
- for row in result:
- if self.memberShip.has_key(row["groupdn"]):
- self.memberShip[row["groupdn"]].add(row["userdn"])
- else:
- memberset = set()
- memberset.add(row["userdn"])
- self.memberShip[row["groupdn"]] = memberset
- self.cur.execute(DbInc.Queries["SELECT"]["group_member_of"])
- result = self.cur.fetchall()
- for row in result:
- if self.memberShip.has_key(row["pgdn"]):
- self.memberShip[row["pgdn"]].add(row["groupdn"])
- else:
- memberset = set()
- memberset.add(row["groupdn"])
- self.memberShip[row["pgdn"]] = memberset
- def get_aliases(self):
- self.user_aliases = {}
- self.cur.execute(DbInc.Queries["SELECT"]["users_aliases"])
- _user_aliases = self.cur.fetchall()
- for row in _user_aliases:
- if self.aliases.has_key(row["object_id"]):
- if row["default_email_ind"] is True:
- self.user_aliases[row["object_id"]]['def_email'] = row["email"].lower()
- self.user_aliases[row["object_id"]]['emails'].add(row["email"].lower())
- else:
- self.user_aliases[row["object_id"]]['emails'].add(row["email"].lower())
- else:
- item = {}
- item['def_email'] = ''
- item['emails'] = set()
- if row["default_email_ind"] is True:
- item['def_email'] = row["email"].lower()
- item['emails'].add(row["email"].lower())
- else:
- item['emails'].add(row["email"].lower())
- self.user_aliases[row["object_id"]] = item
- self.group_aliases = {}
- self.cur.execute(DbInc.Queries["SELECT"]["groups_aliases"])
- _group_aliases = self.cur.fetchall()
- for row in _group_aliases:
- if self.aliases.has_key(row["object_id"]):
- if row["default_email_ind"] is True:
- self.group_aliases[row["object_id"]]['def_email'] = row["email"].lower()
- self.group_aliases[row["object_id"]]['emails'].add(row["email"].lower())
- else:
- self.group_aliases[row["object_id"]]['emails'].add(row["email"].lower())
- else:
- item = {}
- item['def_email'] = ''
- item['emails'] = set()
- if row["default_email_ind"] is True:
- item['def_email'] = row["email"].lower()
- item['emails'].add(row["email"].lower())
- else:
- item['emails'].add(row["email"].lower())
- self.group_aliases[row["uid"]] = item
- def get_objects(self, _connectorId):
- self.objects = {}
- query = DbInc.Queries["SELECT"]["users_objects"]
- data = (str(_connectorId),)
- self.cur.execute(query, data)
- _users = self.cur.fetchall()
- query = DbInc.Queries["SELECT"]["groups_objects"]
- data = (str(_connectorId),)
- self.cur.execute(query, data)
- _groups = self.cur.fetchall()
- self.InitialSqlObjects = []
- self.InitialSqlObjects.extend(_users)
- self.InitialSqlObjects.extend(_groups)
- # _objects=[]
- # _objects.extend(_users)
- # _objects.extend(_groups)
- for user in _users:
- tmp_obj = {}
- self.ldap_ogid = user["ldap_ogid"]
- tmp_obj["obj_dn"] = user["user_dn"]
- tmp_obj["obj_id"] = user["id"]
- tmp_obj["obj_login"] = user["userlogin"]
- tmp_obj["obj_full_name"] = user["fullname"]
- tmp_obj["aliases"] = user["email"]
- tmp_obj["email"] = user["email"]
- tmp_obj["obj_group_ind"] = 0
- # if self.aliases.has_key(object["user_id"]):
- # #tmp_obj["default_email_ind"] = self.user_aliases[object["user_id"]]["default_email_ind"]
- # tmp_obj["def_email"] = self.user_aliases[user["user_id"]]["def_email"]
- # tmp_obj["aliases"] = self.user_aliases[user["user_id"]]["emails"]
- self.objects[self.ldap_ogid] = tmp_obj
- for group in _groups:
- tmp_obj = {}
- self.ldap_ogid = group["ldap_ogid"]
- tmp_obj["obj_dn"] = group["group_dn"]
- tmp_obj["obj_id"] = group["id"]
- tmp_obj["obj_login"] = group["groupname"]
- tmp_obj["obj_full_name"] = group["groupname"]
- tmp_obj["obj_description"] = group["description"]
- # tmp_obj["aliases"] = group["email"]
- tmp_obj["aliases"] = ''
- tmp_obj["email"] = ''
- tmp_obj["obj_group_ind"] = 1
- # if self.aliases.has_key(object["user_id"]):
- # #tmp_obj["default_email_ind"] = self.group_aliases[object["group_id"]]["default_email_ind"]
- # tmp_obj["def_email"] = self.group_aliases[user["group_id"]]["def_email"]
- # tmp_obj["aliases"] = self.group_aliases[user["group_id"]]["emails"]
- self.objects[self.ldap_ogid] = tmp_obj
- def add_object(self, object, key, connector_id, debug, isgroup):
- # print "add_object object = [ %s ]" % object
- Log = {}
- if not isgroup:
- query = DbInc.Queries["INSERT"]["user"]
- # data =(object["userlogin"], object["fullname"], object["email"], 1, object["user_dn"], key, connector_id)
- data = (object["obj_login"].lower(), object["obj_full_name"], object["email"], 1, object["obj_dn"], key, connector_id)
- try:
- self.cur.execute(query, data)
- except psycopg2.IntegrityError as e:
- if e.pgcode == "23505":
- self.cur.execute("commit")
- Log["log"] = "Duplicate user: %s" % (object["obj_full_name"])
- # sys.exit(12)
- return Log
- # self.cur.execute("SELECT currval('pineapp.objects_oid_seq')")
- # curr_oid = self.cur.fetchone()
- if Log.has_key("log") or Log.has_key("debug"):
- Log["log"] += "Adding NEW user: %s" % (object["obj_full_name"])
- Log["debug"] += "\n" + Log["log"]
- else:
- Log["log"] = "Adding NEW user: %s" % (object["obj_full_name"])
- Log["debug"] = "\n" + Log["log"]
- if debug:
- if Log.has_key("log") or Log.has_key("debug"):
- Log["debug"] += "\n\t%s" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\n\t%s" % (self.cur.mogrify(query, data))
- else:
- query = DbInc.Queries["INSERT"]["group"]
- # data =(object["userlogin"], object["group_dn"], key, 1, connector_id)
- data = (object["obj_login"], object["obj_dn"], key, 1, connector_id, object["obj_description"])
- try:
- self.cur.execute(query, data)
- except psycopg2.IntegrityError as e:
- if e.pgcode == "23505":
- self.cur.execute("commit")
- Log["log"] = "Duplicate user: %s" % (object["obj_full_name"])
- # sys.exit(12)
- return Log
- if Log.has_key("log") or Log.has_key("debug"):
- Log["log"] += "Adding NEW group: %s" % (object["obj_login"])
- Log["debug"] = "\n" + Log["log"]
- else:
- Log["log"] = "Adding NEW group: %s" % (object["obj_login"])
- Log["debug"] = "\n" + Log["log"]
- if debug:
- if Log.has_key("debug"):
- Log["debug"] += "\n\t%s" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\n\t%s" % (self.cur.mogrify(query, data))
- return Log
- def update_object(self, ldap_user, ldap_userid, _connectorId, debug, isgroup):
- Log = {}
- userUpToDate = 1
- if debug:
- if Log.has_key("debug"):
- if not isgroup:
- Log["debug"] += "Processing: %s\n" % (ldap_user["obj_full_name"])
- if isgroup:
- Log["debug"] += "Processing: %s\n" % (ldap_user["obj_login"])
- else:
- if not isgroup:
- Log["debug"] = "Processing: %s\n" % (ldap_user["obj_full_name"])
- if isgroup:
- Log["debug"] = "Processing: %s\n" % (ldap_user["obj_login"])
- for key, val in ldap_user.items():
- if self.objects[ldap_userid].has_key(key):
- if not type(self.objects[ldap_userid][key]).__name__ == 'set':
- if not ldap_user[key] == self.objects[ldap_userid][key]:
- if key == "obj_login":
- if not ldap_user[key].lower() == self.objects[ldap_userid][key].lower():
- if not isgroup:
- query = DbInc.Queries["UPDATE"]["user_login"]
- data = (ldap_user[key].lower(), self.objects[ldap_userid]["obj_id"],)
- if Log.has_key("log"):
- Log["log"] += "\nUpdating User Login \"%s\" to \"%s\"" % (self.objects[ldap_userid][key], ldap_user[key].lower())
- else:
- Log["log"] = "Updating User Login \"%s\" to \"%s\"" % (self.objects[ldap_userid][key], ldap_user[key].lower())
- if debug:
- if Log.has_key("debug"):
- Log["debug"] += "\t%s\n" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\t%s\n" % (self.cur.mogrify(query, data))
- if isgroup:
- query = DbInc.Queries["UPDATE"]["group_login"]
- data = (ldap_user[key], self.objects[ldap_userid]["obj_id"],)
- if Log.has_key("log"):
- Log["log"] += "\nUpdating Group Login \"%s\" to \"%s\"" % (self.objects[ldap_userid][key], ldap_user[key])
- else:
- Log["log"] = "Updating Group Login \"%s\" to \"%s\"" % (self.objects[ldap_userid][key], ldap_user[key])
- if debug:
- if Log.has_key("debug"):
- Log["debug"] += "\t%s\n" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\t%s\n" % (self.cur.mogrify(query, data))
- self.cur.execute(query, data)
- userUpToDate = 0
- if key == "obj_full_name":
- if not isgroup:
- query = DbInc.Queries["UPDATE"]["user_fullname"]
- data = (ldap_user[key], self.objects[ldap_userid]["obj_id"],)
- self.cur.execute(query, data)
- userUpToDate = 0
- if Log.has_key("log"):
- Log["log"] += "\nOID(%s) Updating User fullname \"%s\" to \"%s\"" % (self.objects[ldap_userid]["obj_id"], self.objects[ldap_userid][key], ldap_user[key])
- else:
- Log["log"] = "OID(%s) Updating User fullname \"%s\" to \"%s\"" % (self.objects[ldap_userid]["obj_id"], self.objects[ldap_userid][key], ldap_user[key])
- if debug:
- if Log.has_key("debug"):
- Log["debug"] += "\t%s\n" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\t%s\n" % (self.cur.mogrify(query, data))
- if key == "obj_dn":
- if isgroup:
- query = DbInc.Queries["UPDATE"]["group_dn"]
- else:
- query = DbInc.Queries["UPDATE"]["user_dn"]
- data = (ldap_user[key], self.objects[ldap_userid]["obj_id"],)
- self.cur.execute(query, data)
- if Log.has_key("log"):
- Log["log"] += "\nUpdating dn \"%s\" to \"%s\"" % (self.objects[ldap_userid][key], ldap_user[key])
- else:
- Log["log"] = "Updating dn \"%s\" to \"%s\"" % (self.objects[ldap_userid][key], ldap_user[key])
- if debug:
- userUpToDate = 0
- if Log.has_key("debug"):
- Log["debug"] += "\t%s\n" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\t%s\n" % (self.cur.mogrify(query, data))
- if key == "obj_description":
- if isgroup:
- query = DbInc.Queries["UPDATE"]["group_description"]
- data = (ldap_user[key], self.objects[ldap_userid]["obj_id"],)
- self.cur.execute(query, data)
- if Log.has_key("log"):
- Log["log"] += "\nUpdating Group Description \"%s\" to \"%s\"" % (self.objects[ldap_userid][key], ldap_user[key])
- else:
- Log["log"] = "Updating Group Description \"%s\" to \"%s\"" % (self.objects[ldap_userid][key], ldap_user[key])
- if debug:
- userUpToDate = 0
- if Log.has_key("debug"):
- Log["debug"] += "\t%s\n" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\t%s\n" % (self.cur.mogrify(query, data))
- if debug:
- if userUpToDate:
- if Log.has_key("debug"):
- Log["debug"] += "\t%s is Up to date" % (ldap_user["obj_full_name"])
- else:
- Log["debug"] = "\t%s is Up to date" % (ldap_user["obj_full_name"])
- return Log
- def del_object(self, object, debug):
- Log = {}
- if object["obj_group_ind"]:
- query = DbInc.Queries["DELETE"]["group"]
- else:
- query = DbInc.Queries["DELETE"]["user"]
- data = (object["obj_id"],)
- if not object["obj_group_ind"]:
- if Log.has_key("log"):
- Log["log"] += "\nRemoving user: %s" % (object["obj_full_name"])
- else:
- Log["log"] = "Removing user: %s" % (object["obj_full_name"])
- else:
- if Log.has_key("log"):
- Log["log"] += "\nRemoving Group: %s" % (object["obj_full_name"])
- else:
- Log["log"] = "Removing Group: %s" % (object["obj_full_name"])
- if debug:
- if Log.has_key("debug"):
- Log["debug"] += "\n\t%s" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\t%s" % (self.cur.mogrify(query, data))
- self.cur.execute(query, data)
- return Log
- def build_DN2OID(self, _connectorId):
- self.user_DN2OID = {}
- self.group_DN2OID = {}
- query = DbInc.Queries["SELECT"]["users_objects"]
- data = (str(_connectorId),)
- self.cur.execute(query, data)
- res = self.cur.fetchall()
- for row in res:
- self.user_DN2OID[row["user_dn"]] = row["id"]
- query = DbInc.Queries["SELECT"]["groups_objects"]
- data = (str(_connectorId),)
- self.cur.execute(query, data)
- res = self.cur.fetchall()
- for row in res:
- self.group_DN2OID[row["group_dn"]] = row["id"]
- def add_object2group(self, objectID, groupID, isgroup, debug):
- Log = {}
- if isgroup:
- query = DbInc.Queries["INSERT"]["group_member_of"]
- else:
- query = DbInc.Queries["INSERT"]["user_member_of"]
- data = (objectID, groupID)
- self.cur.execute(query, data)
- if debug:
- if Log.has_key("debug"):
- Log["debug"] += "\t%s\n" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\t%s\n" % (self.cur.mogrify(query, data))
- def del_object2group(self, objectID, groupID, isgroup, debug):
- Log = {}
- if isgroup:
- query = DbInc.Queries["DELETE"]["group_member_of"]
- else:
- query = DbInc.Queries["DELETE"]["user_member_of"]
- data = (objectID, groupID)
- self.cur.execute(query, data)
- if debug:
- if Log.has_key("debug"):
- Log["debug"] += "\t%s\n" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\t%s\n" % (self.cur.mogrify(query, data))
- def set_ldapogid(self, dn, ldapogid, isgroup, debug):
- Log = {}
- if isgroup:
- query = DbInc.Queries["UPDATE"]["group_ldap_ogid"]
- else:
- query = DbInc.Queries["UPDATE"]["user_ldap_ogid"]
- data = (dn, ldapogid)
- self.cur.execute(query, data)
- if Log.has_key("log"):
- Log["log"] += "\nSetting Up LdapOgid (%s) for: (%s)" % (dn, ldapogid)
- else:
- Log["log"] = "Setting Up LdapOgid (%s) for: (%s)" % (dn, ldapogid)
- if debug:
- if Log.has_key("debug"):
- Log["debug"] += "\t%s\n" % (self.cur.mogrify(query, data))
- else:
- Log["debug"] = "\t%s\n" % (self.cur.mogrify(query, data))
- return Log
- def ldap_ogid_exists(self):
- """Get information about ldap_ogid column"""
- self.cur.execute("""
- SELECT 1
- FROM information_schema.columns
- WHERE column_name = 'ldap_ogid'
- """)
- return True if self.cur.rowcount else False
- def add_ldap_ogid_column(self):
- """Alter db schema and add missing column"""
- sql = [
- 'alter table policy.users add column ldap_ogid character varying;',
- 'alter table policy.groups add column ldap_ogid character varying;'
- ]
- try:
- for query in sql:
- self.cur.execute(query)
- self.db.commit()
- return True
- except Exception as e:
- print e
- self.db.rollback()
- def LOGGER(msg):
- logger = logging.getLogger('ldap_sync')
- hdlr = logging.FileHandler('./ldap_sync.log')
- # formatter = logging.Formatter('%(asctime)s %(levelname)s %(message)s')
- formatter = logging.Formatter('%(asctime)s %(name)s %(message)s')
- hdlr.setFormatter(formatter)
- logger.addHandler(hdlr)
- logger.setLevel(logging.INFO)
- logger.info(msg)
- def LOGGER(msg, hndl):
- hndl.info(msg)
- print msg
- def init_LOGGER():
- logger = logging.getLogger('ldap_sync')
- hdlr = logging.FileHandler('/tmp/ldap_sync.log')
- os.fchown(hdlr.stream.fileno(), pwd.getpwnam('apache').pw_uid, getgrnam("apache").gr_gid)
- # formatter = logging.Formatter('%(asctime)s %(levelname)s %(message)s')
- formatter = logging.Formatter('%(asctime)s %(name)s %(message)s')
- hdlr.setFormatter(formatter)
- logger.addHandler(hdlr)
- logger.setLevel(logging.INFO)
- return logger
- def runsystemcmd(cmd, debug, log_handler):
- LOGGER("Running: %s" % cmd, log_handler)
- # (output, err) = subprocess.Popen(shlex.split(cmd), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).communicate()
- p = subprocess.Popen(shlex.split(cmd), shell=False)
- try:
- os.waitpid(p.pid, 0)[1]
- except:
- pass
- def main():
- parser = OptionParser()
- parser.add_option("-d", "--debug", dest="debug", action="store_true", default=False, help="set DEBUG true")
- parser.add_option("-l", "--ldapid", dest="ldapid", action="store", help="Test LDAP connector ID")
- parser.add_option("--connectorid", dest="connectorid", action="store", help="Synchronize connector ID")
- parser.add_option("--SetLdapOgid", dest="SetLdapOgid", action="store_true", default=False, help="Setting LdapOgids of existing users and groups in case that are missing ...")
- (options, args) = parser.parse_args(sys.argv[1:])
- log_handler = init_LOGGER()
- # print options
- debug = options.debug
- connectorID = None
- check_only = False
- partly_successful_flag = False
- user_counter = 0
- # Check if python-ldap up to date, or ldap paged search will fail
- ldap_version = tuple(int(i) for i in ldap.__version__.split("."))
- if ldap_version < (2, 4):
- LOGGER("python-ldap module version is lover than 2.4,"
- "update needed.", log_handler)
- sys.exit(1)
- try:
- with open("/usr/local/pineapp/x700/etc/PA_ALLOWED_USERS", "r") as allowed_users_file:
- max_allowed_users = allowed_users_file.read()
- try:
- max_allowed_users = int(max_allowed_users)
- except:
- LOGGER("illegal file contents (expected int)", log_handler)
- # if we can't read max users consider we have unlimited license
- max_allowed_users = 0
- except IOError:
- LOGGER("Allowed users file does not exists", log_handler)
- # if we can't read max users consider we have unlimited license
- max_allowed_users = 0
- if options.ldapid:
- try:
- connectorID = int(options.ldapid)
- check_only = True
- except:
- print("Connector ID should be integer!")
- sys.exit(1)
- elif options.connectorid:
- try:
- connectorID = int(options.connectorid)
- except:
- print("Connector ID should be integer!")
- sys.exit(1)
- if options.ldapid and options.connectorid:
- print("Test and synchronize commands cannot be used together. Please choose one only.")
- sys.exit(1)
- if debug:
- debugLog = ''
- LOGGER("START", log_handler)
- sql = paDB(log_handler)
- if connectorID:
- sql.get_connector(connectorID)
- else:
- sql.get_connectors()
- if len(sql.connectors) == 0:
- print("Connector with ID %s wasn't found." % connectorID)
- sys.exit(1)
- # some backuped schema may not contain column `ldap_ogid`, try to add it
- if not sql.ldap_ogid_exists():
- LOGGER(
- "Missing `ldap_ogid` in policy schema, adding...", log_handler)
- if not sql.add_ldap_ogid_column():
- sys.exit(1)
- cix = 0
- for connector in sql.connectors:
- pldap = paLdap(connector, fields, log_handler)
- if check_only:
- # pldap.connect()
- pldap.disconnect()
- sys.exit(0)
- ldap_memberShip = {}
- LOGGER("Synchronizing against LDAP (%s)" % (pldap.server), log_handler)
- user_count = pldap.get_connector_users()
- pldap.get_connector_groups()
- ldap_objects = {}
- if max_allowed_users == 0:
- ldap_objects.update(pldap.users)
- elif user_counter + user_count <= max_allowed_users:
- # in case when connector user count is lower than
- # max_users
- ldap_objects.update(pldap.users)
- user_counter += user_count
- elif user_counter < max_allowed_users < user_counter + user_count:
- # in case when max_users limit is not yet used and
- # connector has another chunk of objects
- for key, user in pldap.users.items():
- if user_counter == max_allowed_users:
- partly_successful_flag = True
- break
- ldap_objects.update({key: user})
- user_counter += 1
- else:
- partly_successful_flag = True
- ldap_objects.update(pldap.groups)
- sql.get_objects(connector["ldap_id"])
- sql_objects = {}
- sql_objects.update(sql.objects)
- if options.SetLdapOgid:
- cix += 1
- for o in sql.InitialSqlObjects:
- for k, v in ldap_objects.items():
- if o.has_key("user_dn"):
- if ldap_objects[k]["obj_dn"] == o["user_dn"]:
- log = sql.set_ldapogid(k, o["user_dn"], 0, debug)
- if log.has_key("log") and not debug:
- LOGGER(log["log"], log_handler)
- if debug:
- LOGGER(log["debug"], log_handler)
- else:
- if ldap_objects[k]["obj_dn"] == o["group_dn"]:
- log = sql.set_ldapogid(k, o["group_dn"], 1, debug)
- if log.has_key("log") and not debug:
- LOGGER(log["log"], log_handler)
- if debug:
- LOGGER(log["debug"], log_handler)
- if cix == len(sql.connectors):
- sql.db.commit()
- LOGGER("\n\nLdapOgids were fixed please run sync again without \"--SetLdapOgid\" option", log_handler)
- sys.exit()
- else:
- continue
- for k, v in sql_objects.items():
- if not ldap_objects.has_key(k):
- log = sql.del_object(sql_objects[k], debug)
- if log.has_key("log") and not debug:
- LOGGER(log["log"], log_handler)
- if debug:
- LOGGER(log["debug"], log_handler)
- for k, v in ldap_objects.items():
- if not sql_objects.has_key(k):
- log = sql.add_object(ldap_objects[k], k, connector["ldap_id"], debug, ldap_objects[k]["isgroup"])
- if log.has_key("log") and not debug:
- LOGGER(log["log"], log_handler)
- if debug:
- if log.has_key("debug"):
- LOGGER(log["debug"], log_handler)
- else:
- log = sql.update_object(ldap_objects[k], k, connector["ldap_id"], debug, ldap_objects[k]["isgroup"])
- if log.has_key("log") and not debug:
- LOGGER(log["log"], log_handler)
- if debug:
- if log.has_key("debug"):
- LOGGER(log["debug"], log_handler)
- ### Building LDAP Group and User memberships
- if ldap_objects[k]["isgroup"]:
- if ldap_objects[k].has_key("member"):
- ldap_memberShip[ldap_objects[k]["obj_dn"]] = ldap_objects[k]["member"]
- else:
- if ldap_objects[k].has_key("memberOf"):
- for groupDN in list(ldap_objects[k]["memberOf"]):
- if ldap_memberShip.has_key(groupDN):
- ldap_memberShip[groupDN].add(ldap_objects[k]["obj_dn"])
- else:
- tmp_set = set()
- tmp_set.add(ldap_objects[k]["obj_dn"])
- ldap_memberShip[groupDN] = tmp_set
- sql.build_DN2OID(connector["ldap_id"])
- sql.buid_membership()
- for groupDN, members in sql.memberShip.items():
- if ldap_memberShip.has_key(groupDN):
- if len(members.difference(ldap_memberShip[groupDN])):
- isgroup = False
- for member in list(members.difference(ldap_memberShip[groupDN])):
- if sql.user_DN2OID.has_key(member) and sql.group_DN2OID.has_key(groupDN):
- # LOGGER("Removing user (%s) from group (%s)" % (member, sql.group_DN2OID[groupDN]), log_handler)
- LOGGER("Removing user [%s](OID: %s) to group [%s](GID: %s)" % (member, sql.user_DN2OID[member],
- groupDN, sql.group_DN2OID[groupDN]), log_handler)
- sql.del_object2group(sql.user_DN2OID[member], sql.group_DN2OID[groupDN], isgroup, debug)
- if sql.group_DN2OID.has_key(member) and sql.group_DN2OID.has_key(groupDN):
- isgroup = True
- # LOGGER("Removing group (%s) from group (%s)" % (member, sql.group_DN2OID[groupDN]), log_handler)
- LOGGER("Removing group [%s](GID: %s) from group [%s](GID: %s)" % (member, sql.group_DN2OID[member],
- groupDN, sql.group_DN2OID[groupDN]), log_handler)
- sql.del_object2group(sql.group_DN2OID[member], sql.group_DN2OID[groupDN], isgroup, debug)
- for groupDN, members in ldap_memberShip.items():
- if not sql.memberShip.has_key(groupDN):
- for member in list(members):
- isgroup = False
- if sql.user_DN2OID.has_key(member) and sql.group_DN2OID.has_key(groupDN):
- # LOGGER("Adding User(DN): %s to group (%s) " % (sql.user_DN2OID[member],sql.group_DN2OID[groupDN]),log_handler)
- LOGGER("Adding User(DN): [%s](OID: %s) to group [%s](GID: %s)" % (member, sql.user_DN2OID[member],
- groupDN, sql.group_DN2OID[groupDN]), log_handler)
- sql.add_object2group(sql.user_DN2OID[member], sql.group_DN2OID[groupDN], isgroup, debug)
- if sql.group_DN2OID.has_key(member) and sql.group_DN2OID.has_key(groupDN):
- isgroup = True
- # LOGGER("Adding Group(DN): %s to group (%s) " % (sql.group_DN2OID[member],sql.group_DN2OID[groupDN]),log_handler)
- LOGGER("Adding Group(DN): [%s](GID: %s) to group [%s](GID: %s)" % (member, sql.group_DN2OID[member],
- groupDN, sql.group_DN2OID[groupDN]), log_handler)
- sql.add_object2group(sql.group_DN2OID[member], sql.group_DN2OID[groupDN], isgroup, debug)
- else:
- if len(members.difference(sql.memberShip[groupDN])):
- for member in list(members.difference(sql.memberShip[groupDN])):
- isgroup = False
- if sql.user_DN2OID.has_key(member) and sql.group_DN2OID.has_key(groupDN):
- # LOGGER("Adding (update) User(DN): %s to group (%s) " % (member,sql.group_DN2OID[groupDN]),log_handler)
- LOGGER("Adding (update) User(DN): [%s](OID: %s) to group [%s](GID: %s)" % (member, sql.user_DN2OID[member],
- groupDN, sql.group_DN2OID[groupDN]), log_handler)
- sql.add_object2group(sql.user_DN2OID[member], sql.group_DN2OID[groupDN], isgroup, debug)
- if sql.group_DN2OID.has_key(member) and sql.group_DN2OID.has_key(groupDN):
- isgroup = True
- # LOGGER("Adding (update) Group(DN): %s to group (%s) " % (member,sql.group_DN2OID[groupDN]),log_handler)
- LOGGER("Adding (update) Group(DN): [%s](GID: %s) to group [%s](GID: %s)" % (member, sql.group_DN2OID[member],
- groupDN, sql.group_DN2OID[groupDN]), log_handler)
- sql.add_object2group(sql.group_DN2OID[member], sql.group_DN2OID[groupDN], isgroup, debug)
- sql.db.commit()
- for cmd in DbInc.PostSyncActions["CMDS"]:
- runsystemcmd(cmd, debug, log_handler)
- if debug:
- LOGGER("END", log_handler)
- if partly_successful_flag:
- sys.exit(11)
- if __name__ == "__main__":
- sys.exit(main())
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement