2 # Unix SMB/CIFS implementation.
3 # backend code for provisioning a Samba4 server
5 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
6 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008-2009
7 # Copyright (C) Oliver Liebel <oliver@itc.li> 2008-2009
9 # Based on the original in EJS:
10 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
12 # This program is free software; you can redistribute it and/or modify
13 # it under the terms of the GNU General Public License as published by
14 # the Free Software Foundation; either version 3 of the License, or
15 # (at your option) any later version.
17 # This program is distributed in the hope that it will be useful,
18 # but WITHOUT ANY WARRANTY; without even the implied warranty of
19 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 # GNU General Public License for more details.
22 # You should have received a copy of the GNU General Public License
23 # along with this program. If not, see <http://www.gnu.org/licenses/>.
26 """Functions for setting up a Samba configuration (LDB and LDAP backends)."""
28 from base64 import b64encode
39 from ldb import SCOPE_BASE, SCOPE_ONELEVEL, LdbError, timestring
41 from samba import Ldb, read_and_sub_file, setup_file
42 from samba.credentials import Credentials, DONT_USE_KERBEROS
43 from samba.schema import Schema
46 class SlapdAlreadyRunning(Exception):
48 def __init__(self, uri):
50 super(SlapdAlreadyRunning, self).__init__("Another slapd Instance "
51 "seems already running on this host, listening to %s." %
55 class ProvisionBackend(object):
57 def __init__(self, backend_type, paths=None, setup_path=None, lp=None,
58 credentials=None, names=None, logger=None):
59 """Provision a backend for samba4"""
61 self.setup_path = setup_path
63 self.credentials = credentials
67 self.type = backend_type
69 # Set a default - the code for "existing" below replaces this
70 self.ldap_backend_type = backend_type
73 """Initialize the backend."""
74 raise NotImplementedError(self.init)
77 """Start the backend."""
78 raise NotImplementedError(self.start)
81 """Shutdown the backend."""
82 raise NotImplementedError(self.shutdown)
86 raise NotImplementedError(self.post_setup)
89 class LDBBackend(ProvisionBackend):
92 self.credentials = None
93 self.secrets_credentials = None
95 # Wipe the old sam.ldb databases away
96 shutil.rmtree(self.paths.samdb + ".d", True)
104 def post_setup(self):
108 class ExistingBackend(ProvisionBackend):
110 def __init__(self, backend_type, paths=None, setup_path=None, lp=None,
111 credentials=None, names=None, logger=None, ldapi_uri=None):
113 super(ExistingBackend, self).__init__(backend_type=backend_type,
114 paths=paths, setup_path=setup_path, lp=lp,
115 credentials=credentials, names=names, logger=logger)
117 self.ldapi_uri = ldapi_uri
120 # Check to see that this 'existing' LDAP backend in fact exists
121 ldapi_db = Ldb(self.ldapi_uri, credentials=self.credentials)
122 ldapi_db.search(base="", scope=SCOPE_BASE,
123 expression="(objectClass=OpenLDAProotDSE)")
125 # If we have got here, then we must have a valid connection to the LDAP
126 # server, with valid credentials supplied This caused them to be set
127 # into the long-term database later in the script.
128 self.secrets_credentials = self.credentials
130 # For now, assume existing backends at least emulate OpenLDAP
131 self.ldap_backend_type = "openldap"
134 class LDAPBackend(ProvisionBackend):
136 def __init__(self, backend_type, paths=None, setup_path=None, lp=None,
137 credentials=None, names=None, logger=None, domainsid=None,
138 schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
139 ldap_backend_extra_port=None, ldap_dryrun_mode=False):
141 super(LDAPBackend, self).__init__(backend_type=backend_type,
142 paths=paths, setup_path=setup_path, lp=lp,
143 credentials=credentials, names=names, logger=logger)
145 self.domainsid = domainsid
147 self.hostname = hostname
149 self.ldapdir = os.path.join(paths.private_dir, "ldap")
150 self.ldapadminpass = ldapadminpass
152 self.slapd_path = slapd_path
153 self.slapd_command = None
154 self.slapd_command_escaped = None
155 self.slapd_pid = os.path.join(self.ldapdir, "slapd.pid")
157 self.ldap_backend_extra_port = ldap_backend_extra_port
158 self.ldap_dryrun_mode = ldap_dryrun_mode
160 self.ldapi_uri = "ldapi://%s" % urllib.quote(os.path.join(self.ldapdir, "ldapi"), safe="")
162 if not os.path.exists(self.ldapdir):
163 os.mkdir(self.ldapdir)
166 from samba.provision import ProvisioningError
167 # we will shortly start slapd with ldapi for final provisioning. first
168 # check with ldapsearch -> rootDSE via self.ldapi_uri if another
169 # instance of slapd is already running
171 ldapi_db = Ldb(self.ldapi_uri)
172 ldapi_db.search(base="", scope=SCOPE_BASE,
173 expression="(objectClass=OpenLDAProotDSE)")
175 f = open(self.slapd_pid, "r")
177 if err != errno.ENOENT:
182 self.logger.info("Check for slapd Process with PID: " + str(p) + " and terminate it manually.")
183 raise SlapdAlreadyRunning(self.ldapi_uri)
185 # XXX: We should never be catching all Ldb errors
188 # Try to print helpful messages when the user has not specified the
190 if self.slapd_path is None:
191 raise ProvisioningError("Warning: LDAP-Backend must be setup with path to slapd, e.g. --slapd-path=\"/usr/local/libexec/slapd\"!")
192 if not os.path.exists(self.slapd_path):
193 self.logger.warning("Path (%s) to slapd does not exist!", self.slapd_path)
195 if not os.path.isdir(self.ldapdir):
196 os.makedirs(self.ldapdir, 0700)
198 # Put the LDIF of the schema into a database so we can search on
199 # it to generate schema-dependent configurations in Fedora DS and
201 schemadb_path = os.path.join(self.ldapdir, "schema-tmp.ldb")
203 os.unlink(schemadb_path)
207 self.schema.write_to_tmp_ldb(schemadb_path)
209 self.credentials = Credentials()
210 self.credentials.guess(self.lp)
211 # Kerberos to an ldapi:// backend makes no sense
212 self.credentials.set_kerberos_state(DONT_USE_KERBEROS)
213 self.credentials.set_password(self.ldapadminpass)
215 self.secrets_credentials = Credentials()
216 self.secrets_credentials.guess(self.lp)
217 # Kerberos to an ldapi:// backend makes no sense
218 self.secrets_credentials.set_kerberos_state(DONT_USE_KERBEROS)
219 self.secrets_credentials.set_username("samba-admin")
220 self.secrets_credentials.set_password(self.ldapadminpass)
228 from samba.provision import ProvisioningError
229 self.slapd_command_escaped = "\'" + "\' \'".join(self.slapd_command) + "\'"
230 f = open(os.path.join(self.ldapdir, "ldap_backend_startup.sh"), 'w')
232 f.write("#!/bin/sh\n" + self.slapd_command_escaped + "\n")
236 # Now start the slapd, so we can provision onto it. We keep the
237 # subprocess context around, to kill this off at the successful
239 self.slapd = subprocess.Popen(self.slapd_provision_command,
240 close_fds=True, shell=False)
243 while self.slapd.poll() is None:
244 # Wait until the socket appears
246 ldapi_db = Ldb(self.ldapi_uri, lp=self.lp, credentials=self.credentials)
247 ldapi_db.search(base="", scope=SCOPE_BASE,
248 expression="(objectClass=OpenLDAProotDSE)")
249 # If we have got here, then we must have a valid connection to the LDAP server!
256 self.logger.error("Could not connect to slapd started with: %s" % "\'" + "\' \'".join(self.slapd_provision_command) + "\'")
257 raise ProvisioningError("slapd never accepted a connection within 15 seconds of starting")
259 self.logger.error("Could not start slapd with: %s" % "\'" + "\' \'".join(self.slapd_provision_command) + "\'")
260 raise ProvisioningError("slapd died before we could make a connection to it")
263 # if an LDAP backend is in use, terminate slapd after final provision and check its proper termination
264 if self.slapd.poll() is None:
266 if hasattr(self.slapd, "terminate"):
267 self.slapd.terminate()
269 # Older python versions don't have .terminate()
271 os.kill(self.slapd.pid, signal.SIGTERM)
273 # and now wait for it to die
274 self.slapd.communicate()
276 def post_setup(self):
279 class OpenLDAPBackend(LDAPBackend):
281 def __init__(self, backend_type, paths=None, setup_path=None, lp=None,
282 credentials=None, names=None, logger=None, domainsid=None,
283 schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
284 ldap_backend_extra_port=None, ldap_dryrun_mode=False,
285 ol_mmr_urls=None, nosync=False):
286 super(OpenLDAPBackend, self).__init__( backend_type=backend_type,
287 paths=paths, setup_path=setup_path, lp=lp,
288 credentials=credentials, names=names, logger=logger,
289 domainsid=domainsid, schema=schema, hostname=hostname,
290 ldapadminpass=ldapadminpass, slapd_path=slapd_path,
291 ldap_backend_extra_port=ldap_backend_extra_port,
292 ldap_dryrun_mode=ldap_dryrun_mode)
294 self.ol_mmr_urls = ol_mmr_urls
297 self.slapdconf = os.path.join(self.ldapdir, "slapd.conf")
298 self.modulesconf = os.path.join(self.ldapdir, "modules.conf")
299 self.memberofconf = os.path.join(self.ldapdir, "memberof.conf")
300 self.olmmrserveridsconf = os.path.join(self.ldapdir, "mmr_serverids.conf")
301 self.olmmrsyncreplconf = os.path.join(self.ldapdir, "mmr_syncrepl.conf")
302 self.olcdir = os.path.join(self.ldapdir, "slapd.d")
303 self.olcseedldif = os.path.join(self.ldapdir, "olc_seed.ldif")
305 self.schema = Schema(self.setup_path, self.domainsid,
306 schemadn=self.names.schemadn, serverdn=self.names.serverdn,
307 files=[setup_path("schema_samba4.ldif")])
309 def setup_db_config(self, dbdir):
310 """Setup a Berkeley database.
312 :param setup_path: Setup path function.
313 :param dbdir: Database directory."""
314 if not os.path.isdir(os.path.join(dbdir, "bdb-logs")):
315 os.makedirs(os.path.join(dbdir, "bdb-logs"), 0700)
316 if not os.path.isdir(os.path.join(dbdir, "tmp")):
317 os.makedirs(os.path.join(dbdir, "tmp"), 0700)
319 setup_file(self.setup_path("DB_CONFIG"),
320 os.path.join(dbdir, "DB_CONFIG"), {"LDAPDBDIR": dbdir})
323 from samba.provision import ProvisioningError
324 # Wipe the directories so we can start
325 shutil.rmtree(os.path.join(self.ldapdir, "db"), True)
327 #Allow the test scripts to turn off fsync() for OpenLDAP as for TDB and LDB
330 nosync_config = "dbnosync"
332 lnkattr = self.schema.linked_attributes()
333 refint_attributes = ""
334 memberof_config = "# Generated from Samba4 schema\n"
335 for att in lnkattr.keys():
336 if lnkattr[att] is not None:
337 refint_attributes = refint_attributes + " " + att
339 memberof_config += read_and_sub_file(self.setup_path("memberof.conf"),
340 { "MEMBER_ATTR" : att ,
341 "MEMBEROF_ATTR" : lnkattr[att] })
343 refint_config = read_and_sub_file(self.setup_path("refint.conf"),
344 { "LINK_ATTRS" : refint_attributes})
346 attrs = ["linkID", "lDAPDisplayName"]
347 res = self.schema.ldb.search(expression="(&(objectclass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))", base=self.names.schemadn, scope=SCOPE_ONELEVEL, attrs=attrs)
349 for i in range (0, len(res)):
350 index_attr = res[i]["lDAPDisplayName"][0]
351 if index_attr == "objectGUID":
352 index_attr = "entryUUID"
354 index_config += "index " + index_attr + " eq\n"
356 # generate serverids, ldap-urls and syncrepl-blocks for mmr hosts
358 mmr_replicator_acl = ""
359 mmr_serverids_config = ""
360 mmr_syncrepl_schema_config = ""
361 mmr_syncrepl_config_config = ""
362 mmr_syncrepl_user_config = ""
364 if self.ol_mmr_urls is not None:
365 # For now, make these equal
366 mmr_pass = self.ldapadminpass
368 url_list=filter(None,self.ol_mmr_urls.split(','))
370 self.logger.info("Using LDAP-URL: "+url)
371 if (len(url_list) == 1):
372 raise ProvisioningError("At least 2 LDAP-URLs needed for MMR!")
375 mmr_on_config = "MirrorMode On"
376 mmr_replicator_acl = " by dn=cn=replicator,cn=samba read"
380 mmr_serverids_config += read_and_sub_file(self.setup_path("mmr_serverids.conf"),
381 { "SERVERID" : str(serverid),
382 "LDAPSERVER" : url })
385 mmr_syncrepl_schema_config += read_and_sub_file(
386 self.setup_path("mmr_syncrepl.conf"),
388 "MMRDN": self.names.schemadn,
390 "MMR_PASSWORD": mmr_pass})
393 mmr_syncrepl_config_config += read_and_sub_file(
394 self.setup_path("mmr_syncrepl.conf"), {
396 "MMRDN": self.names.configdn,
398 "MMR_PASSWORD": mmr_pass})
401 mmr_syncrepl_user_config += read_and_sub_file(
402 self.setup_path("mmr_syncrepl.conf"), {
404 "MMRDN": self.names.domaindn,
406 "MMR_PASSWORD": mmr_pass })
407 # OpenLDAP cn=config initialisation
408 olc_syncrepl_config = ""
410 # if mmr = yes, generate cn=config-replication directives
411 # and olc_seed.lif for the other mmr-servers
412 if self.ol_mmr_urls is not None:
414 olc_serverids_config = ""
415 olc_syncrepl_seed_config = ""
416 olc_mmr_config += read_and_sub_file(
417 self.setup_path("olc_mmr.conf"), {})
420 serverid = serverid + 1
421 olc_serverids_config += read_and_sub_file(
422 self.setup_path("olc_serverid.conf"), {
423 "SERVERID" : str(serverid), "LDAPSERVER" : url })
426 olc_syncrepl_config += read_and_sub_file(
427 self.setup_path("olc_syncrepl.conf"), {
428 "RID" : str(rid), "LDAPSERVER" : url,
429 "MMR_PASSWORD": mmr_pass})
431 olc_syncrepl_seed_config += read_and_sub_file(
432 self.setup_path("olc_syncrepl_seed.conf"), {
433 "RID" : str(rid), "LDAPSERVER" : url})
435 setup_file(self.setup_path("olc_seed.ldif"), self.olcseedldif,
436 {"OLC_SERVER_ID_CONF": olc_serverids_config,
437 "OLC_PW": self.ldapadminpass,
438 "OLC_SYNCREPL_CONF": olc_syncrepl_seed_config})
441 setup_file(self.setup_path("slapd.conf"), self.slapdconf,
442 {"DNSDOMAIN": self.names.dnsdomain,
443 "LDAPDIR": self.ldapdir,
444 "DOMAINDN": self.names.domaindn,
445 "CONFIGDN": self.names.configdn,
446 "SCHEMADN": self.names.schemadn,
447 "MEMBEROF_CONFIG": memberof_config,
448 "MIRRORMODE": mmr_on_config,
449 "REPLICATOR_ACL": mmr_replicator_acl,
450 "MMR_SERVERIDS_CONFIG": mmr_serverids_config,
451 "MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config,
452 "MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config,
453 "MMR_SYNCREPL_USER_CONFIG": mmr_syncrepl_user_config,
454 "OLC_SYNCREPL_CONFIG": olc_syncrepl_config,
455 "OLC_MMR_CONFIG": olc_mmr_config,
456 "REFINT_CONFIG": refint_config,
457 "INDEX_CONFIG": index_config,
458 "NOSYNC": nosync_config})
460 self.setup_db_config(os.path.join(self.ldapdir, "db", "user"))
461 self.setup_db_config(os.path.join(self.ldapdir, "db", "config"))
462 self.setup_db_config(os.path.join(self.ldapdir, "db", "schema"))
464 if not os.path.exists(os.path.join(self.ldapdir, "db", "samba", "cn=samba")):
465 os.makedirs(os.path.join(self.ldapdir, "db", "samba", "cn=samba"), 0700)
467 setup_file(self.setup_path("cn=samba.ldif"),
468 os.path.join(self.ldapdir, "db", "samba", "cn=samba.ldif"),
469 { "UUID": str(uuid.uuid4()),
470 "LDAPTIME": timestring(int(time.time()))} )
471 setup_file(self.setup_path("cn=samba-admin.ldif"),
472 os.path.join(self.ldapdir, "db", "samba", "cn=samba", "cn=samba-admin.ldif"),
473 {"LDAPADMINPASS_B64": b64encode(self.ldapadminpass),
474 "UUID": str(uuid.uuid4()),
475 "LDAPTIME": timestring(int(time.time()))} )
477 if self.ol_mmr_urls is not None:
478 setup_file(self.setup_path("cn=replicator.ldif"),
479 os.path.join(self.ldapdir, "db", "samba", "cn=samba", "cn=replicator.ldif"),
480 {"MMR_PASSWORD_B64": b64encode(mmr_pass),
481 "UUID": str(uuid.uuid4()),
482 "LDAPTIME": timestring(int(time.time()))} )
485 mapping = "schema-map-openldap-2.3"
486 backend_schema = "backend-schema.schema"
488 f = open(self.setup_path(mapping), 'r')
489 backend_schema_data = self.schema.convert_to_openldap(
490 "openldap", f.read())
491 assert backend_schema_data is not None
492 f = open(os.path.join(self.ldapdir, backend_schema), 'w')
494 f.write(backend_schema_data)
498 # now we generate the needed strings to start slapd automatically,
500 if self.ldap_backend_extra_port is not None:
501 # When we use MMR, we can't use 0.0.0.0 as it uses the name
502 # specified there as part of it's clue as to it's own name,
503 # and not to replicate to itself
504 if self.ol_mmr_urls is None:
505 server_port_string = "ldap://0.0.0.0:%d" % self.ldap_backend_extra_port
507 server_port_string = "ldap://%s.%s:%d" (self.names.hostname,
508 self.names.dnsdomain, self.ldap_backend_extra_port)
510 server_port_string = ""
512 # Prepare the 'result' information - the commands to return in
514 self.slapd_provision_command = [self.slapd_path, "-F" + self.olcdir,
517 # copy this command so we have two version, one with -d0 and only
518 # ldapi, and one with all the listen commands
519 self.slapd_command = list(self.slapd_provision_command)
521 self.slapd_provision_command.extend([self.ldapi_uri, "-d0"])
523 uris = self.ldapi_uri
524 if server_port_string is not "":
525 uris = uris + " " + server_port_string
527 self.slapd_command.append(uris)
529 # Set the username - done here because Fedora DS still uses the admin
531 self.credentials.set_username("samba-admin")
533 # If we were just looking for crashes up to this point, it's a
534 # good time to exit before we realise we don't have OpenLDAP on
536 if self.ldap_dryrun_mode:
539 # Finally, convert the configuration into cn=config style!
540 if not os.path.isdir(self.olcdir):
541 os.makedirs(self.olcdir, 0770)
543 slapd_cmd = [self.slapd_path, "-Ttest", "-n", "0", "-f", self.slapdconf, "-F", self.olcdir]
544 retcode = subprocess.call(slapd_cmd, close_fds=True,
548 self.logger.error("conversion from slapd.conf to cn=config failed slapd started with: %s" % "\'" + "\' \'".join(slapd_cmd) + "\'")
549 raise ProvisioningError("conversion from slapd.conf to cn=config failed")
551 if not os.path.exists(os.path.join(self.olcdir, "cn=config.ldif")):
552 raise ProvisioningError("conversion from slapd.conf to cn=config failed")
554 # Don't confuse the admin by leaving the slapd.conf around
555 os.remove(self.slapdconf)
558 class FDSBackend(LDAPBackend):
560 def __init__(self, backend_type, paths=None, setup_path=None, lp=None,
561 credentials=None, names=None, logger=None, domainsid=None,
562 schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
563 ldap_backend_extra_port=None, ldap_dryrun_mode=False, root=None,
566 super(FDSBackend, self).__init__(backend_type=backend_type,
567 paths=paths, setup_path=setup_path, lp=lp,
568 credentials=credentials, names=names, logger=logger,
569 domainsid=domainsid, schema=schema, hostname=hostname,
570 ldapadminpass=ldapadminpass, slapd_path=slapd_path,
571 ldap_backend_extra_port=ldap_backend_extra_port,
572 ldap_dryrun_mode=ldap_dryrun_mode)
575 self.setup_ds_path = setup_ds_path
576 self.ldap_instance = self.names.netbiosname.lower()
578 self.sambadn = "CN=Samba"
580 self.fedoradsinf = os.path.join(self.ldapdir, "fedorads.inf")
581 self.partitions_ldif = os.path.join(self.ldapdir, "fedorads-partitions.ldif")
582 self.sasl_ldif = os.path.join(self.ldapdir, "fedorads-sasl.ldif")
583 self.dna_ldif = os.path.join(self.ldapdir, "fedorads-dna.ldif")
584 self.pam_ldif = os.path.join(self.ldapdir, "fedorads-pam.ldif")
585 self.refint_ldif = os.path.join(self.ldapdir, "fedorads-refint.ldif")
586 self.linked_attrs_ldif = os.path.join(self.ldapdir, "fedorads-linked-attributes.ldif")
587 self.index_ldif = os.path.join(self.ldapdir, "fedorads-index.ldif")
588 self.samba_ldif = os.path.join(self.ldapdir, "fedorads-samba.ldif")
590 self.samba3_schema = self.setup_path("../../examples/LDAP/samba.schema")
591 self.samba3_ldif = os.path.join(self.ldapdir, "samba3.ldif")
593 self.retcode = subprocess.call(["bin/oLschema2ldif",
594 "-I", self.samba3_schema,
595 "-O", self.samba3_ldif,
596 "-b", self.names.domaindn],
597 close_fds=True, shell=False)
599 if self.retcode != 0:
600 raise Exception("Unable to convert Samba 3 schema.")
602 self.schema = Schema(
605 schemadn=self.names.schemadn,
606 serverdn=self.names.serverdn,
607 files=[setup_path("schema_samba4.ldif"), self.samba3_ldif],
608 additional_prefixmap=["1000:1.3.6.1.4.1.7165.2.1", "1001:1.3.6.1.4.1.7165.2.2"])
611 from samba.provision import ProvisioningError
612 if self.ldap_backend_extra_port is not None:
613 serverport = "ServerPort=%d" % self.ldap_backend_extra_port
617 setup_file(self.setup_path("fedorads.inf"), self.fedoradsinf,
619 "HOSTNAME": self.hostname,
620 "DNSDOMAIN": self.names.dnsdomain,
621 "LDAPDIR": self.ldapdir,
622 "DOMAINDN": self.names.domaindn,
623 "LDAP_INSTANCE": self.ldap_instance,
624 "LDAPMANAGERDN": self.names.ldapmanagerdn,
625 "LDAPMANAGERPASS": self.ldapadminpass,
626 "SERVERPORT": serverport})
628 setup_file(self.setup_path("fedorads-partitions.ldif"),
629 self.partitions_ldif,
630 {"CONFIGDN": self.names.configdn,
631 "SCHEMADN": self.names.schemadn,
632 "SAMBADN": self.sambadn,
635 setup_file(self.setup_path("fedorads-sasl.ldif"), self.sasl_ldif,
636 {"SAMBADN": self.sambadn,
639 setup_file(self.setup_path("fedorads-dna.ldif"), self.dna_ldif,
640 {"DOMAINDN": self.names.domaindn,
641 "SAMBADN": self.sambadn,
642 "DOMAINSID": str(self.domainsid),
645 setup_file(self.setup_path("fedorads-pam.ldif"), self.pam_ldif)
647 lnkattr = self.schema.linked_attributes()
649 refint_config = open(self.setup_path("fedorads-refint-delete.ldif"), 'r').read()
654 for attr in lnkattr.keys():
655 if lnkattr[attr] is not None:
656 refint_config += read_and_sub_file(self.setup_path("fedorads-refint-add.ldif"),
657 { "ARG_NUMBER" : str(argnum),
658 "LINK_ATTR" : attr })
659 memberof_config += read_and_sub_file(self.setup_path("fedorads-linked-attributes.ldif"),
660 { "MEMBER_ATTR" : attr,
661 "MEMBEROF_ATTR" : lnkattr[attr] })
662 index_config += read_and_sub_file(
663 self.setup_path("fedorads-index.ldif"), { "ATTR" : attr })
666 open(self.refint_ldif, 'w').write(refint_config)
667 open(self.linked_attrs_ldif, 'w').write(memberof_config)
669 attrs = ["lDAPDisplayName"]
670 res = self.schema.ldb.search(expression="(&(objectclass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))", base=self.names.schemadn, scope=SCOPE_ONELEVEL, attrs=attrs)
672 for i in range (0, len(res)):
673 attr = res[i]["lDAPDisplayName"][0]
675 if attr == "objectGUID":
678 index_config += read_and_sub_file(
679 self.setup_path("fedorads-index.ldif"), { "ATTR" : attr })
681 open(self.index_ldif, 'w').write(index_config)
683 setup_file(self.setup_path("fedorads-samba.ldif"), self.samba_ldif,
684 {"SAMBADN": self.sambadn,
685 "LDAPADMINPASS": self.ldapadminpass
688 mapping = "schema-map-fedora-ds-1.0"
689 backend_schema = "99_ad.ldif"
691 # Build a schema file in Fedora DS format
692 backend_schema_data = self.schema.convert_to_openldap("fedora-ds", open(self.setup_path(mapping), 'r').read())
693 assert backend_schema_data is not None
694 f = open(os.path.join(self.ldapdir, backend_schema), 'w')
696 f.write(backend_schema_data)
700 self.credentials.set_bind_dn(self.names.ldapmanagerdn)
702 # Destory the target directory, or else setup-ds.pl will complain
703 fedora_ds_dir = os.path.join(self.ldapdir,
704 "slapd-" + self.ldap_instance)
705 shutil.rmtree(fedora_ds_dir, True)
707 self.slapd_provision_command = [self.slapd_path, "-D", fedora_ds_dir,
708 "-i", self.slapd_pid]
709 # In the 'provision' command line, stay in the foreground so we can
711 self.slapd_provision_command.append("-d0")
713 #the command for the final run is the normal script
714 self.slapd_command = [os.path.join(self.ldapdir,
715 "slapd-" + self.ldap_instance, "start-slapd")]
717 # If we were just looking for crashes up to this point, it's a
718 # good time to exit before we realise we don't have Fedora DS on
719 if self.ldap_dryrun_mode:
722 # Try to print helpful messages when the user has not specified the path to the setup-ds tool
723 if self.setup_ds_path is None:
724 raise ProvisioningError("Fedora DS LDAP-Backend must be setup with path to setup-ds, e.g. --setup-ds-path=\"/usr/sbin/setup-ds.pl\"!")
725 if not os.path.exists(self.setup_ds_path):
726 self.logger.warning("Path (%s) to slapd does not exist!", self.setup_ds_path)
728 # Run the Fedora DS setup utility
729 retcode = subprocess.call([self.setup_ds_path, "--silent", "--file", self.fedoradsinf], close_fds=True, shell=False)
731 raise ProvisioningError("setup-ds failed")
734 retcode = subprocess.call([
735 os.path.join(self.ldapdir, "slapd-" + self.ldap_instance, "ldif2db"), "-s", self.sambadn, "-i", self.samba_ldif],
736 close_fds=True, shell=False)
738 raise ProvisioningError("ldif2db failed")
740 def post_setup(self):
741 ldapi_db = Ldb(self.ldapi_uri, credentials=self.credentials)
743 # configure in-directory access control on Fedora DS via the aci
744 # attribute (over a direct ldapi:// socket)
745 aci = """(targetattr = "*") (version 3.0;acl "full access to all by samba-admin";allow (all)(userdn = "ldap:///CN=samba-admin,%s");)""" % self.sambadn
748 m["aci"] = ldb.MessageElement([aci], ldb.FLAG_MOD_REPLACE, "aci")
750 for dnstring in (self.names.domaindn, self.names.configdn,
751 self.names.schemadn):
752 m.dn = ldb.Dn(ldapi_db, dnstring)