Hot-keys on this page
r m x p toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
# Authors: # Rob Crittenden <rcritten@redhat.com> # # Copyright (C) 2008 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>.
# The Python re module doesn't do nested parenthesis
# Break the ACI into 3 pieces: target, name, permissions/bind_rules
# Break the permissions/bind_rules out
# Break the bind rule out
"selfwrite", "proxy", "all"]
""" Holds the basic data for an ACI entry, as stored in the cn=accounts entry in LDAP. Has methods to parse an ACI string and export to an ACI String. """
"""Fake getting attributes by key for sorting""" if key == 0: return self.name if key == 1: return self.source_group if key == 2: return self.dest_group raise TypeError("Unknown key value %s" % key)
"""An alias for export_to_string()"""
"""Output a Directory Server-compatible ACI string""" else:
# Remove leading and trailing quotes
# We should have the form (a = b)(a = b)... # Peek at the next char before giving up raise SyntaxError("No operator in target, got '%s'" % operator) raise SyntaxError('No end parenthesis in target, got %s' % end)
# Make a string of the form attr || attr || ... into a list else:
raise SyntaxError, "malformed ACI, unable to find version %s" % acistr raise SyntaxError, "malformed ACI, match for version and bind rule failed %s" % acistr raise SyntaxError, "malformed ACI, permissions match failed %s" % acistr
"""Do some basic verification that this will produce a valid LDAP ACI.
returns True if valid """ raise SyntaxError, "permissions must be a list" raise SyntaxError, "invalid permission: '%s'" % p raise SyntaxError, "name must be set" raise SyntaxError, "name must be a string" raise SyntaxError, "target must be a non-empty dictionary" raise SyntaxError, "bindrule must be a dictionary" raise SyntaxError, "bindrule is missing a component"
if 'targetattr' in self.target: del self.target['targetattr'] return attr = [attr]
raise SyntaxError, "malformed bind rule"
""" Compare the current ACI to another one to see if they are the same.
returns True if equal, False if not. """
return False return False
return False
return False if self.target.get('targetattr',{}).get('operator') != b.target.get('targetattr',{}).get('operator'): return False
return False return False
except Exception: # If anything throws up then they are not equal return False
# We got this far so lets declare them the same
""" Extracts all the cn's from a list of aci's and returns them as a hash from group_dn to group_cn.
It first tries to cheat by looking at the first rdn for the group dn. If that's not cn for some reason, it looks up the group. """ group_dn_to_cn = {} for aci in aci_list: for dn in (aci.source_group, aci.dest_group): if not group_dn_to_cn.has_key(dn): rdn_list = ldap.explode_dn(dn, 0) first_rdn = rdn_list[0] (type,value) = first_rdn.split('=') if type == "cn": group_dn_to_cn[dn] = value else: try: group = client.get_entry_by_dn(dn, ['cn']) group_dn_to_cn[dn] = group.getValue('cn') except Exception: group_dn_to_cn[dn] = 'unknown'
return group_dn_to_cn
# a = ACI('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)') # print a # a = ACI('(target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)') # print a # a = ACI(' (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)') # print a
a = ACI('(target="ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user";allow (add) groupdn="ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";)') print a print "---"
a = ACI('(targetattr=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)') print a print "---"
a = ACI('(targetattr!=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)') print a print "---"
a = ACI('(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "change_password"; allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";)') print a print "---"
a = ACI() a.name ="foo" a.set_target_attr(['title','givenname'], "!=") # a.set_bindrule("groupdn = \"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") a.set_bindrule_keyword("groupdn") a.set_bindrule_operator("=") a.set_bindrule_expression ("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") a.permissions = ['read','write','add'] print a
b = ACI() b.name ="foo" b.set_target_attr(['givenname','title'], "!=") b.set_bindrule_keyword("groupdn") b.set_bindrule_operator("=") b.set_bindrule_expression ("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") b.permissions = ['add','read','write'] print b
print a.isequal(b)
a = ACI('(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)') print a
a = ACI('(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)') print a |