2 # Unix SMB/CIFS implementation.
3 # backend code for provisioning a Samba4 server
5 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
6 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008-2009
7 # Copyright (C) Oliver Liebel <oliver@itc.li> 2008-2009
9 # Based on the original in EJS:
10 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
12 # This program is free software; you can redistribute it and/or modify
13 # it under the terms of the GNU General Public License as published by
14 # the Free Software Foundation; either version 3 of the License, or
15 # (at your option) any later version.
17 # This program is distributed in the hope that it will be useful,
18 # but WITHOUT ANY WARRANTY; without even the implied warranty of
19 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 # GNU General Public License for more details.
22 # You should have received a copy of the GNU General Public License
23 # along with this program. If not, see <http://www.gnu.org/licenses/>.
26 """Functions for setting up a Samba configuration (LDB and LDAP backends)."""
28 from base64 import b64encode
39 from ldb import SCOPE_BASE, SCOPE_ONELEVEL, LdbError, timestring
41 from samba import Ldb, read_and_sub_file, setup_file
42 from samba.credentials import Credentials, DONT_USE_KERBEROS
43 from samba.schema import Schema
46 class SlapdAlreadyRunning(Exception):
48 def __init__(self, uri):
50 super(SlapdAlreadyRunning, self).__init__("Another slapd Instance "
51 "seems already running on this host, listening to %s." %
55 class BackendResult(object):
57 def report_logger(self, logger):
58 """Rerport this result to a particular logger.
61 raise NotImplementedError(self.report_logger)
64 class LDAPBackendResult(BackendResult):
66 def __init__(self, credentials, slapd_command_escaped, ldapdir):
67 self.credentials = credentials
68 self.slapd_command_escaped = slapd_command_escaped
69 self.ldapdir = ldapdir
71 def report_logger(self, logger):
72 if self.credentials.get_bind_dn() is not None:
73 logger.info("LDAP Backend Admin DN: %s" %
74 self.credentials.get_bind_dn())
76 logger.info("LDAP Admin User: %s" %
77 self.credentials.get_username())
79 if self.slapd_command_escaped is not None:
80 # now display slapd_command_file.txt to show how slapd must be
83 "Use later the following commandline to start slapd, then Samba:")
84 logger.info(self.slapd_command_escaped)
86 "This slapd-Commandline is also stored under: %s/ldap_backend_startup.sh",
90 class ProvisionBackend(object):
92 def __init__(self, backend_type, paths=None, lp=None,
93 credentials=None, names=None, logger=None):
94 """Provision a backend for samba4"""
97 self.credentials = credentials
101 self.type = backend_type
103 # Set a default - the code for "existing" below replaces this
104 self.ldap_backend_type = backend_type
107 """Initialize the backend."""
108 raise NotImplementedError(self.init)
111 """Start the backend."""
112 raise NotImplementedError(self.start)
115 """Shutdown the backend."""
116 raise NotImplementedError(self.shutdown)
118 def post_setup(self):
121 :return: A BackendResult or None
123 raise NotImplementedError(self.post_setup)
126 class LDBBackend(ProvisionBackend):
129 self.credentials = None
130 self.secrets_credentials = None
132 # Wipe the old sam.ldb databases away
133 shutil.rmtree(self.paths.samdb + ".d", True)
141 def post_setup(self):
145 class ExistingBackend(ProvisionBackend):
147 def __init__(self, backend_type, paths=None, lp=None,
148 credentials=None, names=None, logger=None, ldapi_uri=None):
150 super(ExistingBackend, self).__init__(backend_type=backend_type,
152 credentials=credentials, names=names, logger=logger,
153 ldap_backend_forced_uri=ldapi_uri)
156 # Check to see that this 'existing' LDAP backend in fact exists
157 ldapi_db = Ldb(self.ldapi_uri, credentials=self.credentials)
158 ldapi_db.search(base="", scope=SCOPE_BASE,
159 expression="(objectClass=OpenLDAProotDSE)")
161 # If we have got here, then we must have a valid connection to the LDAP
162 # server, with valid credentials supplied This caused them to be set
163 # into the long-term database later in the script.
164 self.secrets_credentials = self.credentials
166 # For now, assume existing backends at least emulate OpenLDAP
167 self.ldap_backend_type = "openldap"
170 class LDAPBackend(ProvisionBackend):
172 def __init__(self, backend_type, paths=None, lp=None,
173 credentials=None, names=None, logger=None, domainsid=None,
174 schema=None, hostname=None, ldapadminpass=None,
175 slapd_path=None, ldap_backend_extra_port=None,
176 ldap_backend_forced_uri=None, ldap_dryrun_mode=True):
178 super(LDAPBackend, self).__init__(backend_type=backend_type,
180 credentials=credentials, names=names, logger=logger)
182 self.domainsid = domainsid
184 self.hostname = hostname
186 self.ldapdir = os.path.join(paths.private_dir, "ldap")
187 self.ldapadminpass = ldapadminpass
189 self.slapd_path = slapd_path
190 self.slapd_command = None
191 self.slapd_command_escaped = None
192 self.slapd_pid = os.path.join(self.ldapdir, "slapd.pid")
194 self.ldap_backend_extra_port = ldap_backend_extra_port
195 self.ldap_dryrun_mode = ldap_dryrun_mode
197 if ldap_backend_forced_uri is not None:
198 self.ldap_uri = ldap_backend_forced_uri
200 self.ldap_uri = "ldapi://%s" % urllib.quote(
201 os.path.join(self.ldapdir, "ldapi"), safe="")
203 if not os.path.exists(self.ldapdir):
204 os.mkdir(self.ldapdir)
207 from samba.provision import ProvisioningError
208 # we will shortly start slapd with ldapi for final provisioning. first
209 # check with ldapsearch -> rootDSE via self.ldap_uri if another
210 # instance of slapd is already running
212 ldapi_db = Ldb(self.ldap_uri)
213 ldapi_db.search(base="", scope=SCOPE_BASE,
214 expression="(objectClass=OpenLDAProotDSE)")
216 f = open(self.slapd_pid, "r")
218 if err != errno.ENOENT:
225 self.logger.info("Check for slapd process with PID: %s and terminate it manually." % p)
226 raise SlapdAlreadyRunning(self.ldap_uri)
228 # XXX: We should never be catching all Ldb errors
231 # Try to print helpful messages when the user has not specified the
233 if self.slapd_path is None:
234 raise ProvisioningError("Warning: LDAP-Backend must be setup with path to slapd, e.g. --slapd-path=\"/usr/local/libexec/slapd\"!")
235 if not os.path.exists(self.slapd_path):
236 self.logger.warning("Path (%s) to slapd does not exist!",
239 if not os.path.isdir(self.ldapdir):
240 os.makedirs(self.ldapdir, 0700)
242 # Put the LDIF of the schema into a database so we can search on
243 # it to generate schema-dependent configurations in Fedora DS and
245 schemadb_path = os.path.join(self.ldapdir, "schema-tmp.ldb")
247 os.unlink(schemadb_path)
251 self.schema.write_to_tmp_ldb(schemadb_path)
253 self.credentials = Credentials()
254 self.credentials.guess(self.lp)
255 # Kerberos to an ldapi:// backend makes no sense
256 self.credentials.set_kerberos_state(DONT_USE_KERBEROS)
257 self.credentials.set_password(self.ldapadminpass)
259 self.secrets_credentials = Credentials()
260 self.secrets_credentials.guess(self.lp)
261 # Kerberos to an ldapi:// backend makes no sense
262 self.secrets_credentials.set_kerberos_state(DONT_USE_KERBEROS)
263 self.secrets_credentials.set_username("samba-admin")
264 self.secrets_credentials.set_password(self.ldapadminpass)
272 from samba.provision import ProvisioningError
273 self.slapd_command_escaped = "\'" + "\' \'".join(self.slapd_command) + "\'"
274 ldap_backend_script = os.path.join(self.ldapdir, "ldap_backend_startup.sh")
275 f = open(ldap_backend_script, 'w')
277 f.write("#!/bin/sh\n" + self.slapd_command_escaped + " $@\n")
281 os.chmod(ldap_backend_script, 0755)
283 # Now start the slapd, so we can provision onto it. We keep the
284 # subprocess context around, to kill this off at the successful
286 self.slapd = subprocess.Popen(self.slapd_provision_command,
287 close_fds=True, shell=False)
290 while self.slapd.poll() is None:
291 # Wait until the socket appears
293 ldapi_db = Ldb(self.ldap_uri, lp=self.lp, credentials=self.credentials)
294 ldapi_db.search(base="", scope=SCOPE_BASE,
295 expression="(objectClass=OpenLDAProotDSE)")
296 # If we have got here, then we must have a valid connection to
304 self.logger.error("Could not connect to slapd started with: %s" % "\'" + "\' \'".join(self.slapd_provision_command) + "\'")
305 raise ProvisioningError("slapd never accepted a connection within 15 seconds of starting")
307 self.logger.error("Could not start slapd with: %s" % "\'" + "\' \'".join(self.slapd_provision_command) + "\'")
308 raise ProvisioningError("slapd died before we could make a connection to it")
311 # if an LDAP backend is in use, terminate slapd after final provision
312 # and check its proper termination
313 if self.slapd.poll() is None:
315 if getattr(self.slapd, "terminate", None) is not None:
316 self.slapd.terminate()
318 # Older python versions don't have .terminate()
320 os.kill(self.slapd.pid, signal.SIGTERM)
322 # and now wait for it to die
323 self.slapd.communicate()
325 def post_setup(self):
326 return LDAPBackendResult(self.credentials, self.slapd_command_escaped,
330 class OpenLDAPBackend(LDAPBackend):
332 def __init__(self, backend_type, paths=None, lp=None,
333 credentials=None, names=None, logger=None, domainsid=None,
334 schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
335 ldap_backend_extra_port=None, ldap_dryrun_mode=True,
336 ol_mmr_urls=None, nosync=False, ldap_backend_forced_uri=None):
337 from samba.provision import setup_path
338 super(OpenLDAPBackend, self).__init__( backend_type=backend_type,
340 credentials=credentials, names=names, logger=logger,
341 domainsid=domainsid, schema=schema, hostname=hostname,
342 ldapadminpass=ldapadminpass, slapd_path=slapd_path,
343 ldap_backend_extra_port=ldap_backend_extra_port,
344 ldap_backend_forced_uri=ldap_backend_forced_uri,
345 ldap_dryrun_mode=ldap_dryrun_mode)
347 self.ol_mmr_urls = ol_mmr_urls
350 self.slapdconf = os.path.join(self.ldapdir, "slapd.conf")
351 self.modulesconf = os.path.join(self.ldapdir, "modules.conf")
352 self.memberofconf = os.path.join(self.ldapdir, "memberof.conf")
353 self.olmmrserveridsconf = os.path.join(self.ldapdir, "mmr_serverids.conf")
354 self.olmmrsyncreplconf = os.path.join(self.ldapdir, "mmr_syncrepl.conf")
355 self.olcdir = os.path.join(self.ldapdir, "slapd.d")
356 self.olcseedldif = os.path.join(self.ldapdir, "olc_seed.ldif")
358 self.schema = Schema(self.domainsid,
359 schemadn=self.names.schemadn, files=[
360 setup_path("schema_samba4.ldif")])
362 def setup_db_config(self, dbdir):
363 """Setup a Berkeley database.
365 :param dbdir: Database directory.
367 from samba.provision import setup_path
368 if not os.path.isdir(os.path.join(dbdir, "bdb-logs")):
369 os.makedirs(os.path.join(dbdir, "bdb-logs"), 0700)
370 if not os.path.isdir(os.path.join(dbdir, "tmp")):
371 os.makedirs(os.path.join(dbdir, "tmp"), 0700)
373 setup_file(setup_path("DB_CONFIG"),
374 os.path.join(dbdir, "DB_CONFIG"), {"LDAPDBDIR": dbdir})
377 from samba.provision import ProvisioningError, setup_path
378 # Wipe the directories so we can start
379 shutil.rmtree(os.path.join(self.ldapdir, "db"), True)
381 # Allow the test scripts to turn off fsync() for OpenLDAP as for TDB
385 nosync_config = "dbnosync"
387 lnkattr = self.schema.linked_attributes()
388 refint_attributes = ""
389 memberof_config = "# Generated from Samba4 schema\n"
390 for att in lnkattr.keys():
391 if lnkattr[att] is not None:
392 refint_attributes = refint_attributes + " " + att
394 memberof_config += read_and_sub_file(
395 setup_path("memberof.conf"), {
397 "MEMBEROF_ATTR" : lnkattr[att] })
399 refint_config = read_and_sub_file(setup_path("refint.conf"),
400 { "LINK_ATTRS" : refint_attributes})
402 attrs = ["linkID", "lDAPDisplayName"]
403 res = self.schema.ldb.search(expression="(&(objectclass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))", base=self.names.schemadn, scope=SCOPE_ONELEVEL, attrs=attrs)
405 for i in range (0, len(res)):
406 index_attr = res[i]["lDAPDisplayName"][0]
407 if index_attr == "objectGUID":
408 index_attr = "entryUUID"
410 index_config += "index " + index_attr + " eq\n"
412 # generate serverids, ldap-urls and syncrepl-blocks for mmr hosts
414 mmr_replicator_acl = ""
415 mmr_serverids_config = ""
416 mmr_syncrepl_schema_config = ""
417 mmr_syncrepl_config_config = ""
418 mmr_syncrepl_user_config = ""
420 if self.ol_mmr_urls is not None:
421 # For now, make these equal
422 mmr_pass = self.ldapadminpass
424 url_list = filter(None,self.ol_mmr_urls.split(','))
426 self.logger.info("Using LDAP-URL: "+url)
427 if len(url_list) == 1:
428 raise ProvisioningError("At least 2 LDAP-URLs needed for MMR!")
430 mmr_on_config = "MirrorMode On"
431 mmr_replicator_acl = " by dn=cn=replicator,cn=samba read"
434 serverid = serverid + 1
435 mmr_serverids_config += read_and_sub_file(
436 setup_path("mmr_serverids.conf"), {
437 "SERVERID": str(serverid),
441 mmr_syncrepl_schema_config += read_and_sub_file(
442 setup_path("mmr_syncrepl.conf"), {
444 "MMRDN": self.names.schemadn,
446 "MMR_PASSWORD": mmr_pass})
449 mmr_syncrepl_config_config += read_and_sub_file(
450 setup_path("mmr_syncrepl.conf"), {
452 "MMRDN": self.names.configdn,
454 "MMR_PASSWORD": mmr_pass})
457 mmr_syncrepl_user_config += read_and_sub_file(
458 setup_path("mmr_syncrepl.conf"), {
460 "MMRDN": self.names.domaindn,
462 "MMR_PASSWORD": mmr_pass })
463 # OpenLDAP cn=config initialisation
464 olc_syncrepl_config = ""
466 # if mmr = yes, generate cn=config-replication directives
467 # and olc_seed.lif for the other mmr-servers
468 if self.ol_mmr_urls is not None:
470 olc_serverids_config = ""
471 olc_syncrepl_seed_config = ""
472 olc_mmr_config += read_and_sub_file(
473 setup_path("olc_mmr.conf"), {})
476 serverid = serverid + 1
477 olc_serverids_config += read_and_sub_file(
478 setup_path("olc_serverid.conf"), {
479 "SERVERID" : str(serverid), "LDAPSERVER" : url })
482 olc_syncrepl_config += read_and_sub_file(
483 setup_path("olc_syncrepl.conf"), {
484 "RID" : str(rid), "LDAPSERVER" : url,
485 "MMR_PASSWORD": mmr_pass})
487 olc_syncrepl_seed_config += read_and_sub_file(
488 setup_path("olc_syncrepl_seed.conf"), {
489 "RID" : str(rid), "LDAPSERVER" : url})
491 setup_file(setup_path("olc_seed.ldif"), self.olcseedldif,
492 {"OLC_SERVER_ID_CONF": olc_serverids_config,
493 "OLC_PW": self.ldapadminpass,
494 "OLC_SYNCREPL_CONF": olc_syncrepl_seed_config})
497 setup_file(setup_path("slapd.conf"), self.slapdconf,
498 {"DNSDOMAIN": self.names.dnsdomain,
499 "LDAPDIR": self.ldapdir,
500 "DOMAINDN": self.names.domaindn,
501 "CONFIGDN": self.names.configdn,
502 "SCHEMADN": self.names.schemadn,
503 "MEMBEROF_CONFIG": memberof_config,
504 "MIRRORMODE": mmr_on_config,
505 "REPLICATOR_ACL": mmr_replicator_acl,
506 "MMR_SERVERIDS_CONFIG": mmr_serverids_config,
507 "MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config,
508 "MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config,
509 "MMR_SYNCREPL_USER_CONFIG": mmr_syncrepl_user_config,
510 "OLC_SYNCREPL_CONFIG": olc_syncrepl_config,
511 "OLC_MMR_CONFIG": olc_mmr_config,
512 "REFINT_CONFIG": refint_config,
513 "INDEX_CONFIG": index_config,
514 "NOSYNC": nosync_config})
516 self.setup_db_config(os.path.join(self.ldapdir, "db", "user"))
517 self.setup_db_config(os.path.join(self.ldapdir, "db", "config"))
518 self.setup_db_config(os.path.join(self.ldapdir, "db", "schema"))
520 if not os.path.exists(os.path.join(self.ldapdir, "db", "samba", "cn=samba")):
521 os.makedirs(os.path.join(self.ldapdir, "db", "samba", "cn=samba"), 0700)
523 setup_file(setup_path("cn=samba.ldif"),
524 os.path.join(self.ldapdir, "db", "samba", "cn=samba.ldif"),
525 { "UUID": str(uuid.uuid4()),
526 "LDAPTIME": timestring(int(time.time()))} )
527 setup_file(setup_path("cn=samba-admin.ldif"),
528 os.path.join(self.ldapdir, "db", "samba", "cn=samba", "cn=samba-admin.ldif"),
529 {"LDAPADMINPASS_B64": b64encode(self.ldapadminpass),
530 "UUID": str(uuid.uuid4()),
531 "LDAPTIME": timestring(int(time.time()))} )
533 if self.ol_mmr_urls is not None:
534 setup_file(setup_path("cn=replicator.ldif"),
535 os.path.join(self.ldapdir, "db", "samba", "cn=samba", "cn=replicator.ldif"),
536 {"MMR_PASSWORD_B64": b64encode(mmr_pass),
537 "UUID": str(uuid.uuid4()),
538 "LDAPTIME": timestring(int(time.time()))} )
540 mapping = "schema-map-openldap-2.3"
541 backend_schema = "backend-schema.schema"
543 f = open(setup_path(mapping), 'r')
545 backend_schema_data = self.schema.convert_to_openldap(
546 "openldap", f.read())
549 assert backend_schema_data is not None
550 f = open(os.path.join(self.ldapdir, backend_schema), 'w')
552 f.write(backend_schema_data)
556 # now we generate the needed strings to start slapd automatically,
557 if self.ldap_backend_extra_port is not None:
558 # When we use MMR, we can't use 0.0.0.0 as it uses the name
559 # specified there as part of it's clue as to it's own name,
560 # and not to replicate to itself
561 if self.ol_mmr_urls is None:
562 server_port_string = "ldap://0.0.0.0:%d" % self.ldap_backend_extra_port
564 server_port_string = "ldap://%s.%s:%d" (self.names.hostname,
565 self.names.dnsdomain, self.ldap_backend_extra_port)
567 server_port_string = ""
569 # Prepare the 'result' information - the commands to return in
571 self.slapd_provision_command = [self.slapd_path, "-F" + self.olcdir,
574 # copy this command so we have two version, one with -d0 and only
575 # ldapi (or the forced ldap_uri), and one with all the listen commands
576 self.slapd_command = list(self.slapd_provision_command)
578 self.slapd_provision_command.extend([self.ldap_uri, "-d0"])
581 if server_port_string is not "":
582 uris = uris + " " + server_port_string
584 self.slapd_command.append(uris)
586 # Set the username - done here because Fedora DS still uses the admin
588 self.credentials.set_username("samba-admin")
590 # Wipe the old sam.ldb databases away
591 shutil.rmtree(self.olcdir, True)
592 os.makedirs(self.olcdir, 0770)
594 # If we were just looking for crashes up to this point, it's a
595 # good time to exit before we realise we don't have OpenLDAP on
597 if self.ldap_dryrun_mode:
600 slapd_cmd = [self.slapd_path, "-Ttest", "-n", "0", "-f",
601 self.slapdconf, "-F", self.olcdir]
602 retcode = subprocess.call(slapd_cmd, close_fds=True, shell=False)
605 self.logger.error("conversion from slapd.conf to cn=config failed slapd started with: %s" % "\'" + "\' \'".join(slapd_cmd) + "\'")
606 raise ProvisioningError("conversion from slapd.conf to cn=config failed")
608 if not os.path.exists(os.path.join(self.olcdir, "cn=config.ldif")):
609 raise ProvisioningError("conversion from slapd.conf to cn=config failed")
611 # Don't confuse the admin by leaving the slapd.conf around
612 os.remove(self.slapdconf)
615 class FDSBackend(LDAPBackend):
617 def __init__(self, backend_type, paths=None, lp=None,
618 credentials=None, names=None, logger=None, domainsid=None,
619 schema=None, hostname=None, ldapadminpass=None, slapd_path=None,
620 ldap_backend_extra_port=None, ldap_dryrun_mode=True, root=None,
623 from samba.provision import setup_path
625 super(FDSBackend, self).__init__(backend_type=backend_type,
627 credentials=credentials, names=names, logger=logger,
628 domainsid=domainsid, schema=schema, hostname=hostname,
629 ldapadminpass=ldapadminpass, slapd_path=slapd_path,
630 ldap_backend_extra_port=ldap_backend_extra_port,
631 ldap_backend_forced_uri=ldap_backend_forced_uri,
632 ldap_dryrun_mode=ldap_dryrun_mode)
635 self.setup_ds_path = setup_ds_path
636 self.ldap_instance = self.names.netbiosname.lower()
638 self.sambadn = "CN=Samba"
640 self.fedoradsinf = os.path.join(self.ldapdir, "fedorads.inf")
641 self.partitions_ldif = os.path.join(self.ldapdir,
642 "fedorads-partitions.ldif")
643 self.sasl_ldif = os.path.join(self.ldapdir, "fedorads-sasl.ldif")
644 self.dna_ldif = os.path.join(self.ldapdir, "fedorads-dna.ldif")
645 self.pam_ldif = os.path.join(self.ldapdir, "fedorads-pam.ldif")
646 self.refint_ldif = os.path.join(self.ldapdir, "fedorads-refint.ldif")
647 self.linked_attrs_ldif = os.path.join(self.ldapdir,
648 "fedorads-linked-attributes.ldif")
649 self.index_ldif = os.path.join(self.ldapdir, "fedorads-index.ldif")
650 self.samba_ldif = os.path.join(self.ldapdir, "fedorads-samba.ldif")
652 self.samba3_schema = setup_path(
653 "../../examples/LDAP/samba.schema")
654 self.samba3_ldif = os.path.join(self.ldapdir, "samba3.ldif")
656 self.retcode = subprocess.call(["bin/oLschema2ldif",
657 "-I", self.samba3_schema,
658 "-O", self.samba3_ldif,
659 "-b", self.names.domaindn],
660 close_fds=True, shell=False)
662 if self.retcode != 0:
663 raise Exception("Unable to convert Samba 3 schema.")
665 self.schema = Schema(
667 schemadn=self.names.schemadn,
668 files=[setup_path("schema_samba4.ldif"), self.samba3_ldif],
669 additional_prefixmap=["1000:1.3.6.1.4.1.7165.2.1",
670 "1001:1.3.6.1.4.1.7165.2.2"])
673 from samba.provision import ProvisioningError, setup_path
674 if self.ldap_backend_extra_port is not None:
675 serverport = "ServerPort=%d" % self.ldap_backend_extra_port
679 setup_file(setup_path("fedorads.inf"), self.fedoradsinf,
681 "HOSTNAME": self.hostname,
682 "DNSDOMAIN": self.names.dnsdomain,
683 "LDAPDIR": self.ldapdir,
684 "DOMAINDN": self.names.domaindn,
685 "LDAP_INSTANCE": self.ldap_instance,
686 "LDAPMANAGERDN": self.names.ldapmanagerdn,
687 "LDAPMANAGERPASS": self.ldapadminpass,
688 "SERVERPORT": serverport})
690 setup_file(setup_path("fedorads-partitions.ldif"),
691 self.partitions_ldif,
692 {"CONFIGDN": self.names.configdn,
693 "SCHEMADN": self.names.schemadn,
694 "SAMBADN": self.sambadn,
697 setup_file(setup_path("fedorads-sasl.ldif"), self.sasl_ldif,
698 {"SAMBADN": self.sambadn,
701 setup_file(setup_path("fedorads-dna.ldif"), self.dna_ldif,
702 {"DOMAINDN": self.names.domaindn,
703 "SAMBADN": self.sambadn,
704 "DOMAINSID": str(self.domainsid),
707 setup_file(setup_path("fedorads-pam.ldif"), self.pam_ldif)
709 lnkattr = self.schema.linked_attributes()
711 f = open(setup_path("fedorads-refint-delete.ldif"), 'r')
713 refint_config = f.read()
720 for attr in lnkattr.keys():
721 if lnkattr[attr] is not None:
722 refint_config += read_and_sub_file(
723 setup_path("fedorads-refint-add.ldif"),
724 { "ARG_NUMBER" : str(argnum),
725 "LINK_ATTR" : attr })
726 memberof_config += read_and_sub_file(
727 setup_path("fedorads-linked-attributes.ldif"),
728 { "MEMBER_ATTR" : attr,
729 "MEMBEROF_ATTR" : lnkattr[attr] })
730 index_config += read_and_sub_file(
731 setup_path("fedorads-index.ldif"), { "ATTR" : attr })
734 f = open(self.refint_ldif, 'w')
736 f.write(refint_config)
739 f = open(self.linked_attrs_ldif, 'w')
741 f.write(memberof_config)
745 attrs = ["lDAPDisplayName"]
746 res = self.schema.ldb.search(expression="(&(objectclass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))", base=self.names.schemadn, scope=SCOPE_ONELEVEL, attrs=attrs)
748 for i in range (0, len(res)):
749 attr = res[i]["lDAPDisplayName"][0]
751 if attr == "objectGUID":
754 index_config += read_and_sub_file(
755 setup_path("fedorads-index.ldif"), { "ATTR" : attr })
757 f = open(self.index_ldif, 'w')
759 f.write(index_config)
763 setup_file(setup_path("fedorads-samba.ldif"), self.samba_ldif, {
764 "SAMBADN": self.sambadn,
765 "LDAPADMINPASS": self.ldapadminpass
768 mapping = "schema-map-fedora-ds-1.0"
769 backend_schema = "99_ad.ldif"
771 # Build a schema file in Fedora DS format
772 f = open(setup_path(mapping), 'r')
774 backend_schema_data = self.schema.convert_to_openldap("fedora-ds",
778 assert backend_schema_data is not None
779 f = open(os.path.join(self.ldapdir, backend_schema), 'w')
781 f.write(backend_schema_data)
785 self.credentials.set_bind_dn(self.names.ldapmanagerdn)
787 # Destory the target directory, or else setup-ds.pl will complain
788 fedora_ds_dir = os.path.join(self.ldapdir,
789 "slapd-" + self.ldap_instance)
790 shutil.rmtree(fedora_ds_dir, True)
792 self.slapd_provision_command = [self.slapd_path, "-D", fedora_ds_dir,
793 "-i", self.slapd_pid]
794 # In the 'provision' command line, stay in the foreground so we can
796 self.slapd_provision_command.append("-d0")
798 #the command for the final run is the normal script
799 self.slapd_command = [os.path.join(self.ldapdir,
800 "slapd-" + self.ldap_instance, "start-slapd")]
802 # If we were just looking for crashes up to this point, it's a
803 # good time to exit before we realise we don't have Fedora DS on
804 if self.ldap_dryrun_mode:
807 # Try to print helpful messages when the user has not specified the
808 # path to the setup-ds tool
809 if self.setup_ds_path is None:
810 raise ProvisioningError("Fedora DS LDAP-Backend must be setup with path to setup-ds, e.g. --setup-ds-path=\"/usr/sbin/setup-ds.pl\"!")
811 if not os.path.exists(self.setup_ds_path):
812 self.logger.warning("Path (%s) to slapd does not exist!",
815 # Run the Fedora DS setup utility
816 retcode = subprocess.call([self.setup_ds_path, "--silent", "--file",
817 self.fedoradsinf], close_fds=True, shell=False)
819 raise ProvisioningError("setup-ds failed")
822 retcode = subprocess.call([
823 os.path.join(self.ldapdir, "slapd-" + self.ldap_instance, "ldif2db"), "-s", self.sambadn, "-i", self.samba_ldif],
824 close_fds=True, shell=False)
826 raise ProvisioningError("ldif2db failed")
828 def post_setup(self):
829 ldapi_db = Ldb(self.ldap_uri, credentials=self.credentials)
831 # configure in-directory access control on Fedora DS via the aci
832 # attribute (over a direct ldapi:// socket)
833 aci = """(targetattr = "*") (version 3.0;acl "full access to all by samba-admin";allow (all)(userdn = "ldap:///CN=samba-admin,%s");)""" % self.sambadn
836 m["aci"] = ldb.MessageElement([aci], ldb.FLAG_MOD_REPLACE, "aci")
838 for dnstring in (self.names.domaindn, self.names.configdn,
839 self.names.schemadn):
840 m.dn = ldb.Dn(ldapi_db, dnstring)
842 return LDAPBackendResult(self.credentials, self.slapd_command_escaped,