summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins/ldapapi.py
blob: 847e2d2bad054212de0b873d2613f5f5a578517b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
# Authors:
#   Rob Crittenden <rcritten@redhat.com>
#   Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2008  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""
Backend plugin for LDAP.

This wraps the python-ldap bindings.
"""

import ldap as _ldap
import ldap.dn
from ipalib import api
from ipalib import errors
from ipalib.crud import CrudBackend
from ipaserver import servercore, ipaldap
import krbV


class ldap(CrudBackend):
    """
    LDAP backend plugin.
    """

    def __init__(self):
        self.dn = _ldap.dn
        super(ldap, self).__init__()

    def create_connection(self, ccache):
        if ccache is None:
            raise errors.CCacheError()
        conn = ipaldap.IPAdmin(self.env.ldap_host, self.env.ldap_port)
        principal = krbV.CCache(
            name=ccache, context=krbV.default_context()
        ).principal().name
        conn.set_krbccache(ccache, principal)
        return conn

    def destroy_connection(self):
        self.conn.unbind_s()

    def make_user_dn(self, uid):
        """
        Construct user dn from uid.
        """
        return 'uid=%s,%s,%s' % (
            self.dn.escape_dn_chars(uid),
            self.api.env.container_user,
            self.api.env.basedn,
        )

    def make_group_dn(self, cn):
        """
        Construct group dn from cn.
        """
        return 'cn=%s,%s,%s' % (
            self.dn.escape_dn_chars(cn),
            self.api.env.container_group,
            self.api.env.basedn,
        )

    def make_hostgroup_dn(self, cn):
        """
        Construct group of hosts dn from cn.
        """
        return 'cn=%s,%s,%s' % (
            self.dn.escape_dn_chars(cn),
            self.api.env.container_hostgroup,
            self.api.env.basedn,
        )

    def make_taskgroup_dn(self, cn):
        """
        Construct group of tasks dn from cn.
        """
        return 'cn=%s,%s,%s' % (
            self.dn.escape_dn_chars(cn),
            self.api.env.container_taskgroup,
            self.api.env.basedn,
        )

    def make_service_dn(self, principal):
        """
        Construct service principal dn from principal name
        """
        return 'krbprincipalname=%s,%s,%s' % (
            self.dn.escape_dn_chars(principal),
            self.api.env.container_service,
            self.api.env.basedn,
        )

    def make_host_dn(self, hostname):
        """
        Construct host dn from hostname
        """
        return 'fqdn=%s,%s,%s' % (
            self.dn.escape_dn_chars(hostname),
            self.api.env.container_host,
            self.api.env.basedn,
        )

    def make_application_dn(self, appname):
        """
        Construct application dn from cn.
        """
        return 'cn=%s,%s,%s' % (
            self.dn.escape_dn_chars(appname),
            self.api.env.container_applications,
            self.api.env.basedn,
        )

    def make_policytemplate_dn(self, appname, uuid):
        """
        Construct policytemplate dn from appname
        """
        return 'ipaUniqueID=%s,%s' % (
            self.dn.escape_dn_chars(uuid),
            self.make_application_dn(appname),
        )

    def make_role_application_dn(self, appname):
        """
        Construct application role container from appname
        """
        return 'cn=%s,%s,%s' % (
            self.dn.escape_dn_chars(appname),
            self.api.env.container_roles,
            self.api.env.basedn,
        )

    def make_role_policytemplate_dn(self, appname, uuid):
        """
        Construct policytemplate dn from uuid and appname
        """
        return 'ipaUniqueID=%s,cn=templates,%s' % (
            self.dn.escape_dn_chars(uuid),
            self.make_role_application_dn(appname),
        )

    def make_policygroup_dn(self, uuid):
        """
        Construct policygroup dn from uuid
        """
        return 'ipaUniqueID=%s,%s,%s' % (
            self.dn.escape_dn_chars(uuid),
            self.api.env.container_policygroups,
            self.api.env.basedn,
        )

    def make_policy_dn(self, uuid, polgroup_uuid):
        """
        Construct policy dn from uuid of policy and its policygroup
        """
        return 'ipaUniqueID=%s,%s' % (
            self.dn.escape_dn_chars(uuid),
            self.make_policygroup_dn(polgroup_uuid),
        )

    def make_policy_blob_dn(self, blob_uuid, policy_uuid, polgroup_uuid):
        """
        Construct policy blob dn from uuids of its policy and policygroup
        objects
        """
        return 'ipaUniqueID=%s,%s' % (
            self.dn.escape_dn_chars(blob_uuid),
            self.make_policy_dn(policy_uuid, polgroup_uuid),
        )

    def make_policylink_dn(self, uuid):
        """
        Construct policy link dn from uuid
        """
        return 'ipaUniqueID=%s,%s,%s' % (
            self.dn.escape_dn_chars(uuid),
            self.api.env.container_policylinks,
            self.api.env.basedn,
        )

    def get_object_type(self, attribute):
        """
        Based on attribute, make an educated guess as to the type of
        object we're looking for.
        """
        attribute = attribute.lower()
        object_type = None
        if attribute == "uid": # User
            object_type = "posixAccount"
        elif attribute == "cn": # Group
            object_type = "ipaUserGroup"
        elif attribute == "krbprincipalname": # Service
            object_type = "krbPrincipal"

        return object_type

    def find_entry_dn(self, key_attribute, primary_key, object_type=None, base=None):
        """
        Find an existing entry's dn from an attribute
        """
        key_attribute = key_attribute.lower()
        if not object_type:
            object_type = self.get_object_type(key_attribute)
        if not object_type:
            return None

        search_filter = "(&(objectclass=%s)(%s=%s))" % (
            object_type,
            key_attribute,
            self.dn.escape_dn_chars(primary_key)
        )

        if not base:
            base = self.api.env.container_accounts

        search_base = "%s, %s" % (base, self.api.env.basedn)

        entry = servercore.get_sub_entry(search_base, search_filter, ['dn', 'objectclass'])

        return entry.get('dn')

    def get_base_entry(self, searchbase, searchfilter, attrs):
        return servercore.get_base_entry(searchbase, searchfilter, attrs)

    def get_sub_entry(self, searchbase, searchfilter, attrs):
        return servercore.get_sub_entry(searchbase, searchfilter, attrs)

    def get_one_entry(self, searchbase, searchfilter, attrs):
        return servercore.get_one_entry(searchbase, searchfilter, attrs)

    def get_ipa_config(self):
        """Return a dictionary of the IPA configuration"""
        return servercore.get_ipa_config()

    def mark_entry_active(self, dn):
        return servercore.mark_entry_active(dn)

    def mark_entry_inactive(self, dn):
        return servercore.mark_entry_inactive(dn)

    def _generate_search_filters(self, **kw):
        """Generates a search filter based on a list of words and a list
           of fields to search against.

           Returns a tuple of two filters: (exact_match, partial_match)
        """

        # construct search pattern for a single word
        # (|(f1=word)(f2=word)...)
        exact_pattern = "(|"
        for field in kw.keys():
            exact_pattern += "(%s=%s)" % (field, kw[field])
        exact_pattern += ")"

        sub_pattern = "(|"
        for field in kw.keys():
            sub_pattern += "(%s=*%s*)" % (field, kw[field])
        sub_pattern += ")"

        # construct the giant match for all words
        exact_match_filter = "(&" + exact_pattern + ")"
        partial_match_filter = "(|" + sub_pattern + ")"

        return (exact_match_filter, partial_match_filter)

    def _get_scope(self, scope_str):
        scope_dict = {'one'     : _ldap.SCOPE_ONELEVEL,
                      'subtree' : _ldap.SCOPE_SUBTREE,
                      'base'    : _ldap.SCOPE_BASE }
        return scope_dict.get(scope_str, _ldap.SCOPE_SUBTREE)

    def modify_password(self, dn, **kw):
        return servercore.modify_password(dn, kw.get('oldpass', ''), kw.get('newpass'))

    def add_member_to_group(self, memberdn, groupdn, memberattr='member'):
        """
        Add a new member to a group.

        :param memberdn: the DN of the member to add
        :param groupdn: the DN of the group to add a member to
        """
        return servercore.add_member_to_group(memberdn, groupdn, memberattr)

    def remove_member_from_group(self, memberdn, groupdn, memberattr='member'):
        """
        Remove a new member from a group.

        :param memberdn: the DN of the member to remove
        :param groupdn: the DN of the group to remove a member from
        """
        return servercore.remove_member_from_group(memberdn, groupdn, memberattr)

    # The CRUD operations

    def strip_none(self, kw):
        """
        Remove any None values present in the LDAP attribute dict.
        """
        for (key, value) in kw.iteritems():
            if value is None:
                continue
            if type(value) in (list, tuple):
                value = filter(
                    lambda v: type(v) in (str, unicode, bool, int, float),
                    value
                )
                if len(value) > 0:
                    yield (key, value)
            else:
                assert type(value) in (str, unicode, bool, int, float)
                yield (key, value)

    def create(self, **kw):
        if servercore.entry_exists(kw['dn']):
            raise errors.DuplicateEntry
        kw = dict(self.strip_none(kw))

        entry = ipaldap.Entry(kw['dn'])

        # dn isn't allowed to be in the entry itself
        del kw['dn']

        # Fill in our new entry
        for k in kw:
            entry.setValues(k, kw[k])

        servercore.add_entry(entry)
        return self.retrieve(entry.dn)

    def retrieve(self, dn, attributes=None):
        return servercore.get_entry_by_dn(dn, attributes)

    def update(self, dn, **kw):
        result = self.retrieve(dn, ["*"] + kw.keys())

        entry = ipaldap.Entry((dn, servercore.convert_scalar_values(result)))
        start_keys = kw.keys()
        kw = dict(self.strip_none(kw))
        end_keys = kw.keys()
        removed_keys = list(set(start_keys) - set(end_keys))
        for k in kw:
            entry.setValues(k, kw[k])

        for k in removed_keys:
            entry.delAttr(k)

        servercore.update_entry(entry.toDict(), removed_keys)

        return self.retrieve(dn)

    def delete(self, dn):
        return servercore.delete_entry(dn)

    def search(self, **kw):
        objectclass = kw.get('objectclass')
        sfilter = kw.get('filter')
        attributes = kw.get('attributes')
        base = kw.get('base')
        scope = kw.get('scope')
        exactonly = kw.get('exactonly', None)
        if attributes:
            del kw['attributes']
        else:
            attributes = ['*']
        if objectclass:
            del kw['objectclass']
        if base:
            del kw['base']
        if sfilter:
            del kw['filter']
        if scope:
            del kw['scope']
        if exactonly is not None:
            del kw['exactonly']
        if kw:
            (exact_match_filter, partial_match_filter) = self._generate_search_filters(**kw)
        else:
            (exact_match_filter, partial_match_filter) = ('', '')
        if objectclass:
            exact_match_filter = '(&(objectClass=%s)%s)' % (objectclass, exact_match_filter)
            partial_match_filter = '(&(objectClass=%s)%s)' % (objectclass, partial_match_filter)
        else:
            exact_match_filter = '(&(objectClass=*)%s)' % exact_match_filter
            partial_match_filter = '(&(objectClass=*)%s)' % partial_match_filter
        if sfilter:
            exact_match_filter = '(%s%s)' % (sfilter, exact_match_filter)
            partial_match_filter = '(%s%s)' % (sfilter, partial_match_filter)

        search_scope = self._get_scope(scope)

        if not base:
            base = self.api.env.container_accounts

        search_base = '%s,%s' % (base, self.api.env.basedn)
        try:
            exact_results = servercore.search(search_base,
                    exact_match_filter, attributes, scope=search_scope)
        except errors.NotFound:
            exact_results = [0]

        if not exactonly:
            try:
                partial_results = servercore.search(search_base,
                        partial_match_filter, attributes, scope=search_scope)
            except errors.NotFound:
                partial_results = [0]
        else:
            partial_results = [0]

        exact_counter = exact_results[0]
        partial_counter = partial_results[0]

        exact_results = exact_results[1:]
        partial_results = partial_results[1:]

        # Remove exact matches from the partial_match list
        exact_dns = set(map(lambda e: e.get('dn'), exact_results))
        partial_results = filter(lambda e: e.get('dn') not in exact_dns,
                                 partial_results)

        if (exact_counter == -1) or (partial_counter == -1):
            counter = -1
        else:
            counter = len(exact_results) + len(partial_results)

        results = [counter]
        for r in exact_results + partial_results:
            results.append(r)

        return results

    def get_effective_rights(self, dn, attrs=None):
        binddn = self.find_entry_dn("krbprincipalname", self.conn.principal, "posixAccount")

        return servercore.get_effective_rights(binddn, dn, attrs)

api.register(ldap)