2 # Unix SMB/CIFS implementation.
3 # backend code for provisioning a Samba4 server
5 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
6 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008-2009
7 # Copyright (C) Oliver Liebel <oliver@itc.li> 2008-2009
9 # Based on the original in EJS:
10 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
12 # This program is free software; you can redistribute it and/or modify
13 # it under the terms of the GNU General Public License as published by
14 # the Free Software Foundation; either version 3 of the License, or
15 # (at your option) any later version.
17 # This program is distributed in the hope that it will be useful,
18 # but WITHOUT ANY WARRANTY; without even the implied warranty of
19 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 # GNU General Public License for more details.
22 # You should have received a copy of the GNU General Public License
23 # along with this program. If not, see <http://www.gnu.org/licenses/>.
26 """Functions for setting up a Samba configuration (LDB and LDAP backends)."""
28 from base64 import b64encode
38 from ldb import SCOPE_BASE, SCOPE_ONELEVEL, LdbError, timestring
40 from samba import Ldb, read_and_sub_file, setup_file
41 from samba.credentials import Credentials, DONT_USE_KERBEROS
42 from samba.schema import Schema
43 from samba.provisionexceptions import ProvisioningError
45 class ProvisionBackend(object):
46 def __init__(self, backend_type, paths=None, setup_path=None, lp=None, credentials=None,
47 names=None, message=None):
48 """Provision a backend for samba4"""
50 self.setup_path = setup_path
52 self.credentials = credentials
54 self.message = message
56 self.type = backend_type
58 # Set a default - the code for "existing" below replaces this
59 self.ldap_backend_type = backend_type
74 class LDBBackend(ProvisionBackend):
75 def __init__(self, backend_type, paths=None, setup_path=None, lp=None, credentials=None,
76 names=None, message=None):
78 super(LDBBackend, self).__init__(
79 backend_type=backend_type,
80 paths=paths, setup_path=setup_path,
81 lp=lp, credentials=credentials,
86 self.credentials = None
87 self.secrets_credentials = None
89 # Wipe the old sam.ldb databases away
90 shutil.rmtree(self.paths.samdb + ".d", True)
93 class ExistingBackend(ProvisionBackend):
94 def __init__(self, backend_type, paths=None, setup_path=None, lp=None, credentials=None,
95 names=None, message=None,
98 super(ExistingBackend, self).__init__(
99 backend_type=backend_type,
100 paths=paths, setup_path=setup_path,
101 lp=lp, credentials=credentials,
105 self.ldapi_uri = ldapi_uri
108 #Check to see that this 'existing' LDAP backend in fact exists
109 ldapi_db = Ldb(self.ldapi_uri, credentials=self.credentials)
110 ldapi_db.search(base="", scope=SCOPE_BASE,
111 expression="(objectClass=OpenLDAProotDSE)")
113 # If we have got here, then we must have a valid connection to the LDAP server, with valid credentials supplied
114 # This caused them to be set into the long-term database later in the script.
115 self.secrets_credentials = self.credentials
117 self.ldap_backend_type = "openldap" #For now, assume existing backends at least emulate OpenLDAP
120 class LDAPBackend(ProvisionBackend):
121 def __init__(self, backend_type, paths=None, setup_path=None, lp=None, credentials=None,
122 names=None, message=None,
128 ldap_backend_extra_port=None,
129 ldap_dryrun_mode=False):
131 super(LDAPBackend, self).__init__(
132 backend_type=backend_type,
133 paths=paths, setup_path=setup_path,
134 lp=lp, credentials=credentials,
138 self.domainsid = domainsid
140 self.hostname = hostname
142 self.ldapdir = os.path.join(paths.private_dir, "ldap")
143 self.ldapadminpass = ldapadminpass
145 self.slapd_path = slapd_path
146 self.slapd_command = None
147 self.slapd_command_escaped = None
148 self.slapd_pid = os.path.join(self.ldapdir, "slapd.pid")
150 self.ldap_backend_extra_port = ldap_backend_extra_port
151 self.ldap_dryrun_mode = ldap_dryrun_mode
153 self.ldapi_uri = "ldapi://" + urllib.quote(os.path.join(self.ldapdir, "ldapi"), safe="")
155 if not os.path.exists(self.ldapdir):
156 os.mkdir(self.ldapdir)
159 # we will shortly start slapd with ldapi for final provisioning. first check with ldapsearch -> rootDSE via self.ldapi_uri
160 # if another instance of slapd is already running
162 ldapi_db = Ldb(self.ldapi_uri)
163 ldapi_db.search(base="", scope=SCOPE_BASE,
164 expression="(objectClass=OpenLDAProotDSE)")
166 f = open(self.slapd_pid, "r")
169 self.message("Check for slapd Process with PID: " + str(p) + " and terminate it manually.")
173 raise ProvisioningError("Warning: Another slapd Instance seems already running on this host, listening to " + self.ldapi_uri + ". Please shut it down before you continue. ")
178 # Try to print helpful messages when the user has not specified the path to slapd
179 if self.slapd_path is None:
180 raise ProvisioningError("Warning: LDAP-Backend must be setup with path to slapd, e.g. --slapd-path=\"/usr/local/libexec/slapd\"!")
181 if not os.path.exists(self.slapd_path):
182 self.message (self.slapd_path)
183 raise ProvisioningError("Warning: Given Path to slapd does not exist!")
186 if not os.path.isdir(self.ldapdir):
187 os.makedirs(self.ldapdir, 0700)
189 # Put the LDIF of the schema into a database so we can search on
190 # it to generate schema-dependent configurations in Fedora DS and
192 schemadb_path = os.path.join(self.ldapdir, "schema-tmp.ldb")
194 os.unlink(schemadb_path)
198 self.schema.write_to_tmp_ldb(schemadb_path)
200 self.credentials = Credentials()
201 self.credentials.guess(self.lp)
202 #Kerberos to an ldapi:// backend makes no sense
203 self.credentials.set_kerberos_state(DONT_USE_KERBEROS)
204 self.credentials.set_password(self.ldapadminpass)
206 self.secrets_credentials = Credentials()
207 self.secrets_credentials.guess(self.lp)
208 #Kerberos to an ldapi:// backend makes no sense
209 self.secrets_credentials.set_kerberos_state(DONT_USE_KERBEROS)
210 self.secrets_credentials.set_username("samba-admin")
211 self.secrets_credentials.set_password(self.ldapadminpass)
219 self.slapd_command_escaped = "\'" + "\' \'".join(self.slapd_command) + "\'"
220 open(self.ldapdir + "/ldap_backend_startup.sh", 'w').write("#!/bin/sh\n" + self.slapd_command_escaped + "\n")
222 # Now start the slapd, so we can provision onto it. We keep the
223 # subprocess context around, to kill this off at the successful
225 self.slapd = subprocess.Popen(self.slapd_provision_command, close_fds=True, shell=False)
227 while self.slapd.poll() is None:
228 # Wait until the socket appears
230 ldapi_db = Ldb(self.ldapi_uri, lp=self.lp, credentials=self.credentials)
231 ldapi_db.search(base="", scope=SCOPE_BASE,
232 expression="(objectClass=OpenLDAProotDSE)")
233 # If we have got here, then we must have a valid connection to the LDAP server!
238 raise ProvisioningError("slapd died before we could make a connection to it")
241 # if an LDAP backend is in use, terminate slapd after final provision and check its proper termination
242 if self.slapd.poll() is None:
244 if hasattr(self.slapd, "terminate"):
245 self.slapd.terminate()
247 # Older python versions don't have .terminate()
249 os.kill(self.slapd.pid, signal.SIGTERM)
251 #and now wait for it to die
252 self.slapd.communicate()
255 class OpenLDAPBackend(LDAPBackend):
256 def __init__(self, backend_type, paths=None, setup_path=None, lp=None, credentials=None,
257 names=None, message=None,
263 ldap_backend_extra_port=None,
264 ldap_dryrun_mode=False,
268 super(OpenLDAPBackend, self).__init__(
269 backend_type=backend_type,
270 paths=paths, setup_path=setup_path,
271 lp=lp, credentials=credentials,
277 ldapadminpass=ldapadminpass,
278 slapd_path=slapd_path,
279 ldap_backend_extra_port=ldap_backend_extra_port,
280 ldap_dryrun_mode=ldap_dryrun_mode)
282 self.ol_mmr_urls = ol_mmr_urls
285 self.slapdconf = os.path.join(self.ldapdir, "slapd.conf")
286 self.modulesconf = os.path.join(self.ldapdir, "modules.conf")
287 self.memberofconf = os.path.join(self.ldapdir, "memberof.conf")
288 self.olmmrserveridsconf = os.path.join(self.ldapdir, "mmr_serverids.conf")
289 self.olmmrsyncreplconf = os.path.join(self.ldapdir, "mmr_syncrepl.conf")
290 self.olcdir = os.path.join(self.ldapdir, "slapd.d")
291 self.olcseedldif = os.path.join(self.ldapdir, "olc_seed.ldif")
293 self.schema = Schema(
296 schemadn=self.names.schemadn,
297 serverdn=self.names.serverdn,
298 files=[setup_path("schema_samba4.ldif")])
300 def setup_db_config(self, dbdir):
301 """Setup a Berkeley database.
303 :param setup_path: Setup path function.
304 :param dbdir: Database directory."""
305 if not os.path.isdir(os.path.join(dbdir, "bdb-logs")):
306 os.makedirs(os.path.join(dbdir, "bdb-logs"), 0700)
307 if not os.path.isdir(os.path.join(dbdir, "tmp")):
308 os.makedirs(os.path.join(dbdir, "tmp"), 0700)
310 setup_file(self.setup_path("DB_CONFIG"), os.path.join(dbdir, "DB_CONFIG"),
311 {"LDAPDBDIR": dbdir})
314 # Wipe the directories so we can start
315 shutil.rmtree(os.path.join(self.ldapdir, "db"), True)
317 #Allow the test scripts to turn off fsync() for OpenLDAP as for TDB and LDB
320 nosync_config = "dbnosync"
322 lnkattr = self.schema.linked_attributes()
323 refint_attributes = ""
324 memberof_config = "# Generated from Samba4 schema\n"
325 for att in lnkattr.keys():
326 if lnkattr[att] is not None:
327 refint_attributes = refint_attributes + " " + att
329 memberof_config += read_and_sub_file(self.setup_path("memberof.conf"),
330 { "MEMBER_ATTR" : att ,
331 "MEMBEROF_ATTR" : lnkattr[att] })
333 refint_config = read_and_sub_file(self.setup_path("refint.conf"),
334 { "LINK_ATTRS" : refint_attributes})
336 attrs = ["linkID", "lDAPDisplayName"]
337 res = self.schema.ldb.search(expression="(&(objectclass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))", base=self.names.schemadn, scope=SCOPE_ONELEVEL, attrs=attrs)
339 for i in range (0, len(res)):
340 index_attr = res[i]["lDAPDisplayName"][0]
341 if index_attr == "objectGUID":
342 index_attr = "entryUUID"
344 index_config += "index " + index_attr + " eq\n"
346 # generate serverids, ldap-urls and syncrepl-blocks for mmr hosts
348 mmr_replicator_acl = ""
349 mmr_serverids_config = ""
350 mmr_syncrepl_schema_config = ""
351 mmr_syncrepl_config_config = ""
352 mmr_syncrepl_user_config = ""
355 if self.ol_mmr_urls is not None:
356 # For now, make these equal
357 mmr_pass = self.ldapadminpass
359 url_list=filter(None,self.ol_mmr_urls.split(' '))
360 if (len(url_list) == 1):
361 url_list=filter(None,self.ol_mmr_urls.split(','))
364 mmr_on_config = "MirrorMode On"
365 mmr_replicator_acl = " by dn=cn=replicator,cn=samba read"
369 mmr_serverids_config += read_and_sub_file(self.setup_path("mmr_serverids.conf"),
370 { "SERVERID" : str(serverid),
371 "LDAPSERVER" : url })
374 mmr_syncrepl_schema_config += read_and_sub_file(self.setup_path("mmr_syncrepl.conf"),
376 "MMRDN": self.names.schemadn,
378 "MMR_PASSWORD": mmr_pass})
381 mmr_syncrepl_config_config += read_and_sub_file(self.setup_path("mmr_syncrepl.conf"),
383 "MMRDN": self.names.configdn,
385 "MMR_PASSWORD": mmr_pass})
388 mmr_syncrepl_user_config += read_and_sub_file(self.setup_path("mmr_syncrepl.conf"),
390 "MMRDN": self.names.domaindn,
392 "MMR_PASSWORD": mmr_pass })
393 # OpenLDAP cn=config initialisation
394 olc_syncrepl_config = ""
396 # if mmr = yes, generate cn=config-replication directives
397 # and olc_seed.lif for the other mmr-servers
398 if self.ol_mmr_urls is not None:
400 olc_serverids_config = ""
401 olc_syncrepl_seed_config = ""
402 olc_mmr_config += read_and_sub_file(self.setup_path("olc_mmr.conf"),{})
406 olc_serverids_config += read_and_sub_file(self.setup_path("olc_serverid.conf"),
407 { "SERVERID" : str(serverid),
408 "LDAPSERVER" : url })
411 olc_syncrepl_config += read_and_sub_file(self.setup_path("olc_syncrepl.conf"),
414 "MMR_PASSWORD": mmr_pass})
416 olc_syncrepl_seed_config += read_and_sub_file(self.setup_path("olc_syncrepl_seed.conf"),
420 setup_file(self.setup_path("olc_seed.ldif"), self.olcseedldif,
421 {"OLC_SERVER_ID_CONF": olc_serverids_config,
422 "OLC_PW": self.ldapadminpass,
423 "OLC_SYNCREPL_CONF": olc_syncrepl_seed_config})
426 setup_file(self.setup_path("slapd.conf"), self.slapdconf,
427 {"DNSDOMAIN": self.names.dnsdomain,
428 "LDAPDIR": self.ldapdir,
429 "DOMAINDN": self.names.domaindn,
430 "CONFIGDN": self.names.configdn,
431 "SCHEMADN": self.names.schemadn,
432 "MEMBEROF_CONFIG": memberof_config,
433 "MIRRORMODE": mmr_on_config,
434 "REPLICATOR_ACL": mmr_replicator_acl,
435 "MMR_SERVERIDS_CONFIG": mmr_serverids_config,
436 "MMR_SYNCREPL_SCHEMA_CONFIG": mmr_syncrepl_schema_config,
437 "MMR_SYNCREPL_CONFIG_CONFIG": mmr_syncrepl_config_config,
438 "MMR_SYNCREPL_USER_CONFIG": mmr_syncrepl_user_config,
439 "OLC_SYNCREPL_CONFIG": olc_syncrepl_config,
440 "OLC_MMR_CONFIG": olc_mmr_config,
441 "REFINT_CONFIG": refint_config,
442 "INDEX_CONFIG": index_config,
443 "NOSYNC": nosync_config})
445 self.setup_db_config(os.path.join(self.ldapdir, "db", "user"))
446 self.setup_db_config(os.path.join(self.ldapdir, "db", "config"))
447 self.setup_db_config(os.path.join(self.ldapdir, "db", "schema"))
449 if not os.path.exists(os.path.join(self.ldapdir, "db", "samba", "cn=samba")):
450 os.makedirs(os.path.join(self.ldapdir, "db", "samba", "cn=samba"), 0700)
452 setup_file(self.setup_path("cn=samba.ldif"),
453 os.path.join(self.ldapdir, "db", "samba", "cn=samba.ldif"),
454 { "UUID": str(uuid.uuid4()),
455 "LDAPTIME": timestring(int(time.time()))} )
456 setup_file(self.setup_path("cn=samba-admin.ldif"),
457 os.path.join(self.ldapdir, "db", "samba", "cn=samba", "cn=samba-admin.ldif"),
458 {"LDAPADMINPASS_B64": b64encode(self.ldapadminpass),
459 "UUID": str(uuid.uuid4()),
460 "LDAPTIME": timestring(int(time.time()))} )
462 if self.ol_mmr_urls is not None:
463 setup_file(self.setup_path("cn=replicator.ldif"),
464 os.path.join(self.ldapdir, "db", "samba", "cn=samba", "cn=replicator.ldif"),
465 {"MMR_PASSWORD_B64": b64encode(mmr_pass),
466 "UUID": str(uuid.uuid4()),
467 "LDAPTIME": timestring(int(time.time()))} )
470 mapping = "schema-map-openldap-2.3"
471 backend_schema = "backend-schema.schema"
473 backend_schema_data = self.schema.ldb.convert_schema_to_openldap("openldap", open(self.setup_path(mapping), 'r').read())
474 assert backend_schema_data is not None
475 open(os.path.join(self.ldapdir, backend_schema), 'w').write(backend_schema_data)
477 # now we generate the needed strings to start slapd automatically,
479 if self.ldap_backend_extra_port is not None:
480 # When we use MMR, we can't use 0.0.0.0 as it uses the name
481 # specified there as part of it's clue as to it's own name,
482 # and not to replicate to itself
483 if self.ol_mmr_urls is None:
484 server_port_string = "ldap://0.0.0.0:%d" % self.ldap_backend_extra_port
486 server_port_string = "ldap://" + self.names.hostname + "." + self.names.dnsdomain +":%d" % self.ldap_backend_extra_port
488 server_port_string = ""
490 # Prepare the 'result' information - the commands to return in particular
491 self.slapd_provision_command = [self.slapd_path]
493 self.slapd_provision_command.append("-F" + self.olcdir)
495 self.slapd_provision_command.append("-h")
497 # copy this command so we have two version, one with -d0 and only ldapi, and one with all the listen commands
498 self.slapd_command = list(self.slapd_provision_command)
500 self.slapd_provision_command.append(self.ldapi_uri)
501 self.slapd_provision_command.append("-d0")
503 uris = self.ldapi_uri
504 if server_port_string is not "":
505 uris = uris + " " + server_port_string
507 self.slapd_command.append(uris)
509 # Set the username - done here because Fedora DS still uses the admin DN and simple bind
510 self.credentials.set_username("samba-admin")
512 # If we were just looking for crashes up to this point, it's a
513 # good time to exit before we realise we don't have OpenLDAP on
515 if self.ldap_dryrun_mode:
518 # Finally, convert the configuration into cn=config style!
519 if not os.path.isdir(self.olcdir):
520 os.makedirs(self.olcdir, 0770)
522 retcode = subprocess.call([self.slapd_path, "-Ttest", "-f", self.slapdconf, "-F", self.olcdir], close_fds=True, shell=False)
524 # We can't do this, as OpenLDAP is strange. It gives an error
525 # output to the above, but does the conversion sucessfully...
528 # raise ProvisioningError("conversion from slapd.conf to cn=config failed")
530 if not os.path.exists(os.path.join(self.olcdir, "cn=config.ldif")):
531 raise ProvisioningError("conversion from slapd.conf to cn=config failed")
533 # Don't confuse the admin by leaving the slapd.conf around
534 os.remove(self.slapdconf)
537 class FDSBackend(LDAPBackend):
538 def __init__(self, backend_type, paths=None, setup_path=None, lp=None, credentials=None,
539 names=None, message=None,
545 ldap_backend_extra_port=None,
546 ldap_dryrun_mode=False,
550 super(FDSBackend, self).__init__(
551 backend_type=backend_type,
552 paths=paths, setup_path=setup_path,
553 lp=lp, credentials=credentials,
559 ldapadminpass=ldapadminpass,
560 slapd_path=slapd_path,
561 ldap_backend_extra_port=ldap_backend_extra_port,
562 ldap_dryrun_mode=ldap_dryrun_mode)
565 self.setup_ds_path = setup_ds_path
566 self.ldap_instance = self.names.netbiosname.lower()
568 self.sambadn = "CN=Samba"
570 self.fedoradsinf = os.path.join(self.ldapdir, "fedorads.inf")
571 self.partitions_ldif = os.path.join(self.ldapdir, "fedorads-partitions.ldif")
572 self.sasl_ldif = os.path.join(self.ldapdir, "fedorads-sasl.ldif")
573 self.dna_ldif = os.path.join(self.ldapdir, "fedorads-dna.ldif")
574 self.pam_ldif = os.path.join(self.ldapdir, "fedorads-pam.ldif")
575 self.refint_ldif = os.path.join(self.ldapdir, "fedorads-refint.ldif")
576 self.linked_attrs_ldif = os.path.join(self.ldapdir, "fedorads-linked-attributes.ldif")
577 self.index_ldif = os.path.join(self.ldapdir, "fedorads-index.ldif")
578 self.samba_ldif = os.path.join(self.ldapdir, "fedorads-samba.ldif")
580 self.samba3_schema = self.setup_path("../../examples/LDAP/samba.schema")
581 self.samba3_ldif = os.path.join(self.ldapdir, "samba3.ldif")
583 self.retcode = subprocess.call(["bin/oLschema2ldif", "-H", "NONE",
584 "-I", self.samba3_schema,
585 "-O", self.samba3_ldif,
586 "-b", self.names.domaindn],
587 close_fds=True, shell=False)
589 if self.retcode != 0:
590 raise Exception("Unable to convert Samba 3 schema.")
592 self.schema = Schema(
595 schemadn=self.names.schemadn,
596 serverdn=self.names.serverdn,
597 files=[setup_path("schema_samba4.ldif"), self.samba3_ldif],
598 prefixmap=["1000:1.3.6.1.4.1.7165.2.1", "1001:1.3.6.1.4.1.7165.2.2"])
601 if self.ldap_backend_extra_port is not None:
602 serverport = "ServerPort=%d" % self.ldap_backend_extra_port
606 setup_file(self.setup_path("fedorads.inf"), self.fedoradsinf,
608 "HOSTNAME": self.hostname,
609 "DNSDOMAIN": self.names.dnsdomain,
610 "LDAPDIR": self.ldapdir,
611 "DOMAINDN": self.names.domaindn,
612 "LDAP_INSTANCE": self.ldap_instance,
613 "LDAPMANAGERDN": self.names.ldapmanagerdn,
614 "LDAPMANAGERPASS": self.ldapadminpass,
615 "SERVERPORT": serverport})
617 setup_file(self.setup_path("fedorads-partitions.ldif"), self.partitions_ldif,
618 {"CONFIGDN": self.names.configdn,
619 "SCHEMADN": self.names.schemadn,
620 "SAMBADN": self.sambadn,
623 setup_file(self.setup_path("fedorads-sasl.ldif"), self.sasl_ldif,
624 {"SAMBADN": self.sambadn,
627 setup_file(self.setup_path("fedorads-dna.ldif"), self.dna_ldif,
628 {"DOMAINDN": self.names.domaindn,
629 "SAMBADN": self.sambadn,
630 "DOMAINSID": str(self.domainsid),
633 setup_file(self.setup_path("fedorads-pam.ldif"), self.pam_ldif)
635 lnkattr = self.schema.linked_attributes()
637 refint_config = open(self.setup_path("fedorads-refint-delete.ldif"), 'r').read()
642 for attr in lnkattr.keys():
643 if lnkattr[attr] is not None:
644 refint_config += read_and_sub_file(self.setup_path("fedorads-refint-add.ldif"),
645 { "ARG_NUMBER" : str(argnum) ,
646 "LINK_ATTR" : attr })
647 memberof_config += read_and_sub_file(self.setup_path("fedorads-linked-attributes.ldif"),
648 { "MEMBER_ATTR" : attr ,
649 "MEMBEROF_ATTR" : lnkattr[attr] })
650 index_config += read_and_sub_file(self.setup_path("fedorads-index.ldif"),
654 open(self.refint_ldif, 'w').write(refint_config)
655 open(self.linked_attrs_ldif, 'w').write(memberof_config)
657 attrs = ["lDAPDisplayName"]
658 res = self.schema.ldb.search(expression="(&(objectclass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))", base=self.names.schemadn, scope=SCOPE_ONELEVEL, attrs=attrs)
660 for i in range (0, len(res)):
661 attr = res[i]["lDAPDisplayName"][0]
663 if attr == "objectGUID":
666 index_config += read_and_sub_file(self.setup_path("fedorads-index.ldif"),
669 open(self.index_ldif, 'w').write(index_config)
671 setup_file(self.setup_path("fedorads-samba.ldif"), self.samba_ldif,
672 {"SAMBADN": self.sambadn,
673 "LDAPADMINPASS": self.ldapadminpass
676 mapping = "schema-map-fedora-ds-1.0"
677 backend_schema = "99_ad.ldif"
679 # Build a schema file in Fedora DS format
680 backend_schema_data = self.schema.ldb.convert_schema_to_openldap("fedora-ds", open(self.setup_path(mapping), 'r').read())
681 assert backend_schema_data is not None
682 open(os.path.join(self.ldapdir, backend_schema), 'w').write(backend_schema_data)
684 self.credentials.set_bind_dn(self.names.ldapmanagerdn)
686 # Destory the target directory, or else setup-ds.pl will complain
687 fedora_ds_dir = os.path.join(self.ldapdir, "slapd-" + self.ldap_instance)
688 shutil.rmtree(fedora_ds_dir, True)
690 self.slapd_provision_command = [self.slapd_path, "-D", fedora_ds_dir, "-i", self.slapd_pid]
691 #In the 'provision' command line, stay in the foreground so we can easily kill it
692 self.slapd_provision_command.append("-d0")
694 #the command for the final run is the normal script
695 self.slapd_command = [os.path.join(self.ldapdir, "slapd-" + self.ldap_instance, "start-slapd")]
697 # If we were just looking for crashes up to this point, it's a
698 # good time to exit before we realise we don't have Fedora DS on
699 if self.ldap_dryrun_mode:
702 # Try to print helpful messages when the user has not specified the path to the setup-ds tool
703 if self.setup_ds_path is None:
704 raise ProvisioningError("Warning: Fedora DS LDAP-Backend must be setup with path to setup-ds, e.g. --setup-ds-path=\"/usr/sbin/setup-ds.pl\"!")
705 if not os.path.exists(self.setup_ds_path):
706 self.message (self.setup_ds_path)
707 raise ProvisioningError("Warning: Given Path to slapd does not exist!")
709 # Run the Fedora DS setup utility
710 retcode = subprocess.call([self.setup_ds_path, "--silent", "--file", self.fedoradsinf], close_fds=True, shell=False)
712 raise ProvisioningError("setup-ds failed")
715 retcode = subprocess.call([
716 os.path.join(self.ldapdir, "slapd-" + self.ldap_instance, "ldif2db"), "-s", self.sambadn, "-i", self.samba_ldif],
717 close_fds=True, shell=False)
719 raise ProvisioningError("ldif2db failed")
721 def post_setup(self):
722 ldapi_db = Ldb(self.ldapi_uri, credentials=self.credentials)
724 # delete default SASL mappings
725 res = ldapi_db.search(expression="(!(cn=samba-admin mapping))", base="cn=mapping,cn=sasl,cn=config", scope=SCOPE_ONELEVEL, attrs=["dn"])
727 # configure in-directory access control on Fedora DS via the aci attribute (over a direct ldapi:// socket)
728 for i in range (0, len(res)):
729 dn = str(res[i]["dn"])
732 aci = """(targetattr = "*") (version 3.0;acl "full access to all by samba-admin";allow (all)(userdn = "ldap:///CN=samba-admin,%s");)""" % self.sambadn
735 m["aci"] = ldb.MessageElement([aci], ldb.FLAG_MOD_REPLACE, "aci")
737 m.dn = ldb.Dn(ldapi_db, self.names.domaindn)
740 m.dn = ldb.Dn(ldapi_db, self.names.configdn)
743 m.dn = ldb.Dn(ldapi_db, self.names.schemadn)
git.samba.org / amitay / samba.git / blob