search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests/dns_forwarder: Add testing for DNS forwarding
[Samba.git] / python / samba / samdb.py
blob0eaa6f5e1e67f477c1dc1f9e20ae06e07a561938
1 # Unix SMB/CIFS implementation.
2 # Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2010
3 # Copyright (C) Matthias Dieter Wallnoefer 2009
4 #
5 # Based on the original in EJS:
6 # Copyright (C) Andrew Tridgell <tridge@samba.org> 2005
7 # Copyright (C) Giampaolo Lauria <lauria2@yahoo.com> 2011
8 #
9 # This program is free software; you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation; either version 3 of the License, or
12 # (at your option) any later version.
13 #
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
18 #
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #
22
23 """Convenience functions for using the SAM."""
24
25 import samba
26 import ldb
27 import time
28 import base64
29 import os
30 from samba import dsdb, dsdb_dns
31 from samba.ndr import ndr_unpack, ndr_pack
32 from samba.dcerpc import drsblobs, misc
33 from samba.common import normalise_int32
34
35 __docformat__ = "restructuredText"
36
37
38 class SamDB(samba.Ldb):
39 """The SAM database."""
40
41 hash_oid_name = {}
42 hash_well_known = {}
43
44 def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
45 credentials=None, flags=0, options=None, global_schema=True,
46 auto_connect=True, am_rodc=None):
47 self.lp = lp
48 if not auto_connect:
49 url = None
50 elif url is None and lp is not None:
51 url = lp.samdb_url()
52
53 self.url = url
54
55 super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
56 session_info=session_info, credentials=credentials, flags=flags,
57 options=options)
58
59 if global_schema:
60 dsdb._dsdb_set_global_schema(self)
61
62 if am_rodc is not None:
63 dsdb._dsdb_set_am_rodc(self, am_rodc)
64
65 def connect(self, url=None, flags=0, options=None):
66 '''connect to the database'''
67 if self.lp is not None and not os.path.exists(url):
68 url = self.lp.private_path(url)
69 self.url = url
70
71 super(SamDB, self).connect(url=url, flags=flags,
72 options=options)
73
74 def am_rodc(self):
75 '''return True if we are an RODC'''
76 return dsdb._am_rodc(self)
77
78 def am_pdc(self):
79 '''return True if we are an PDC emulator'''
80 return dsdb._am_pdc(self)
81
82 def domain_dn(self):
83 '''return the domain DN'''
84 return str(self.get_default_basedn())
85
86 def disable_account(self, search_filter):
87 """Disables an account
88
89 :param search_filter: LDAP filter to find the user (eg
90 samccountname=name)
91 """
92
93 flags = samba.dsdb.UF_ACCOUNTDISABLE
94 self.toggle_userAccountFlags(search_filter, flags, on=True)
95
96 def enable_account(self, search_filter):
97 """Enables an account
98
99 :param search_filter: LDAP filter to find the user (eg
100 samccountname=name)
101 """
102
103 flags = samba.dsdb.UF_ACCOUNTDISABLE | samba.dsdb.UF_PASSWD_NOTREQD
104 self.toggle_userAccountFlags(search_filter, flags, on=False)
105
106 def toggle_userAccountFlags(self, search_filter, flags, flags_str=None,
107 on=True, strict=False):
108 """Toggle_userAccountFlags
109
110 :param search_filter: LDAP filter to find the user (eg
111 samccountname=name)
112 :param flags: samba.dsdb.UF_* flags
113 :param on: on=True (default) => set, on=False => unset
114 :param strict: strict=False (default) ignore if no action is needed
115 strict=True raises an Exception if...
116 """
117 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
118 expression=search_filter, attrs=["userAccountControl"])
119 if len(res) == 0:
120 raise Exception("Unable to find account where '%s'" % search_filter)
121 assert(len(res) == 1)
122 account_dn = res[0].dn
123
124 old_uac = int(res[0]["userAccountControl"][0])
125 if on:
126 if strict and (old_uac & flags):
127 error = "Account flag(s) '%s' already set" % flags_str
128 raise Exception(error)
129
130 new_uac = old_uac | flags
131 else:
132 if strict and not (old_uac & flags):
133 error = "Account flag(s) '%s' already unset" % flags_str
134 raise Exception(error)
135
136 new_uac = old_uac & ~flags
137
138 if old_uac == new_uac:
139 return
140
141 mod = """
142 dn: %s
143 changetype: modify
144 delete: userAccountControl
145 userAccountControl: %u
146 add: userAccountControl
147 userAccountControl: %u
148 """ % (account_dn, old_uac, new_uac)
149 self.modify_ldif(mod)
150
151 def force_password_change_at_next_login(self, search_filter):
152 """Forces a password change at next login
153
154 :param search_filter: LDAP filter to find the user (eg
155 samccountname=name)
156 """
157 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
158 expression=search_filter, attrs=[])
159 if len(res) == 0:
160 raise Exception('Unable to find user "%s"' % search_filter)
161 assert(len(res) == 1)
162 user_dn = res[0].dn
163
164 mod = """
165 dn: %s
166 changetype: modify
167 replace: pwdLastSet
168 pwdLastSet: 0
169 """ % (user_dn)
170 self.modify_ldif(mod)
171
172 def newgroup(self, groupname, groupou=None, grouptype=None,
173 description=None, mailaddress=None, notes=None, sd=None,
174 gidnumber=None, nisdomain=None):
175 """Adds a new group with additional parameters
176
177 :param groupname: Name of the new group
178 :param grouptype: Type of the new group
179 :param description: Description of the new group
180 :param mailaddress: Email address of the new group
181 :param notes: Notes of the new group
182 :param gidnumber: GID Number of the new group
183 :param nisdomain: NIS Domain Name of the new group
184 :param sd: security descriptor of the object
185 """
186
187 group_dn = "CN=%s,%s,%s" % (groupname, (groupou or "CN=Users"), self.domain_dn())
188
189 # The new user record. Note the reliance on the SAMLDB module which
190 # fills in the default informations
191 ldbmessage = {"dn": group_dn,
192 "sAMAccountName": groupname,
193 "objectClass": "group"}
194
195 if grouptype is not None:
196 ldbmessage["groupType"] = normalise_int32(grouptype)
197
198 if description is not None:
199 ldbmessage["description"] = description
200
201 if mailaddress is not None:
202 ldbmessage["mail"] = mailaddress
203
204 if notes is not None:
205 ldbmessage["info"] = notes
206
207 if gidnumber is not None:
208 ldbmessage["gidNumber"] = normalise_int32(gidnumber)
209
210 if nisdomain is not None:
211 ldbmessage["msSFU30Name"] = groupname
212 ldbmessage["msSFU30NisDomain"] = nisdomain
213
214 if sd is not None:
215 ldbmessage["nTSecurityDescriptor"] = ndr_pack(sd)
216
217 self.add(ldbmessage)
218
219 def deletegroup(self, groupname):
220 """Deletes a group
221
222 :param groupname: Name of the target group
223 """
224
225 groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (ldb.binary_encode(groupname), "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
226 self.transaction_start()
227 try:
228 targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
229 expression=groupfilter, attrs=[])
230 if len(targetgroup) == 0:
231 raise Exception('Unable to find group "%s"' % groupname)
232 assert(len(targetgroup) == 1)
233 self.delete(targetgroup[0].dn)
234 except:
235 self.transaction_cancel()
236 raise
237 else:
238 self.transaction_commit()
239
240 def add_remove_group_members(self, groupname, members,
241 add_members_operation=True):
242 """Adds or removes group members
243
244 :param groupname: Name of the target group
245 :param members: list of group members
246 :param add_members_operation: Defines if its an add or remove
247 operation
248 """
249
250 groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (
251 ldb.binary_encode(groupname), "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
252
253 self.transaction_start()
254 try:
255 targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
256 expression=groupfilter, attrs=['member'])
257 if len(targetgroup) == 0:
258 raise Exception('Unable to find group "%s"' % groupname)
259 assert(len(targetgroup) == 1)
260
261 modified = False
262
263 addtargettogroup = """
264 dn: %s
265 changetype: modify
266 """ % (str(targetgroup[0].dn))
267
268 for member in members:
269 targetmember = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
270 expression="(|(sAMAccountName=%s)(CN=%s))" % (
271 ldb.binary_encode(member), ldb.binary_encode(member)), attrs=[])
272
273 if len(targetmember) != 1:
274 raise Exception('Unable to find "%s". Operation cancelled.' % member)
275
276 if add_members_operation is True and (targetgroup[0].get('member') is None or str(targetmember[0].dn) not in targetgroup[0]['member']):
277 modified = True
278 addtargettogroup += """add: member
279 member: %s
280 """ % (str(targetmember[0].dn))
281
282 elif add_members_operation is False and (targetgroup[0].get('member') is not None and str(targetmember[0].dn) in targetgroup[0]['member']):
283 modified = True
284 addtargettogroup += """delete: member
285 member: %s
286 """ % (str(targetmember[0].dn))
287
288 if modified is True:
289 self.modify_ldif(addtargettogroup)
290
291 except:
292 self.transaction_cancel()
293 raise
294 else:
295 self.transaction_commit()
296
297 def newuser(self, username, password,
298 force_password_change_at_next_login_req=False,
299 useusernameascn=False, userou=None, surname=None, givenname=None,
300 initials=None, profilepath=None, scriptpath=None, homedrive=None,
301 homedirectory=None, jobtitle=None, department=None, company=None,
302 description=None, mailaddress=None, internetaddress=None,
303 telephonenumber=None, physicaldeliveryoffice=None, sd=None,
304 setpassword=True, uidnumber=None, gidnumber=None, gecos=None,
305 loginshell=None, uid=None, nisdomain=None, unixhome=None):
306 """Adds a new user with additional parameters
307
308 :param username: Name of the new user
309 :param password: Password for the new user
310 :param force_password_change_at_next_login_req: Force password change
311 :param useusernameascn: Use username as cn rather that firstname +
312 initials + lastname
313 :param userou: Object container (without domainDN postfix) for new user
314 :param surname: Surname of the new user
315 :param givenname: First name of the new user
316 :param initials: Initials of the new user
317 :param profilepath: Profile path of the new user
318 :param scriptpath: Logon script path of the new user
319 :param homedrive: Home drive of the new user
320 :param homedirectory: Home directory of the new user
321 :param jobtitle: Job title of the new user
322 :param department: Department of the new user
323 :param company: Company of the new user
324 :param description: of the new user
325 :param mailaddress: Email address of the new user
326 :param internetaddress: Home page of the new user
327 :param telephonenumber: Phone number of the new user
328 :param physicaldeliveryoffice: Office location of the new user
329 :param sd: security descriptor of the object
330 :param setpassword: optionally disable password reset
331 :param uidnumber: RFC2307 Unix numeric UID of the new user
332 :param gidnumber: RFC2307 Unix primary GID of the new user
333 :param gecos: RFC2307 Unix GECOS field of the new user
334 :param loginshell: RFC2307 Unix login shell of the new user
335 :param uid: RFC2307 Unix username of the new user
336 :param nisdomain: RFC2307 Unix NIS domain of the new user
337 :param unixhome: RFC2307 Unix home directory of the new user
338 """
339
340 displayname = ""
341 if givenname is not None:
342 displayname += givenname
343
344 if initials is not None:
345 displayname += ' %s.' % initials
346
347 if surname is not None:
348 displayname += ' %s' % surname
349
350 cn = username
351 if useusernameascn is None and displayname is not "":
352 cn = displayname
353
354 user_dn = "CN=%s,%s,%s" % (cn, (userou or "CN=Users"), self.domain_dn())
355
356 dnsdomain = ldb.Dn(self, self.domain_dn()).canonical_str().replace("/", "")
357 user_principal_name = "%s@%s" % (username, dnsdomain)
358 # The new user record. Note the reliance on the SAMLDB module which
359 # fills in the default informations
360 ldbmessage = {"dn": user_dn,
361 "sAMAccountName": username,
362 "userPrincipalName": user_principal_name,
363 "objectClass": "user"}
364
365 if surname is not None:
366 ldbmessage["sn"] = surname
367
368 if givenname is not None:
369 ldbmessage["givenName"] = givenname
370
371 if displayname is not "":
372 ldbmessage["displayName"] = displayname
373 ldbmessage["name"] = displayname
374
375 if initials is not None:
376 ldbmessage["initials"] = '%s.' % initials
377
378 if profilepath is not None:
379 ldbmessage["profilePath"] = profilepath
380
381 if scriptpath is not None:
382 ldbmessage["scriptPath"] = scriptpath
383
384 if homedrive is not None:
385 ldbmessage["homeDrive"] = homedrive
386
387 if homedirectory is not None:
388 ldbmessage["homeDirectory"] = homedirectory
389
390 if jobtitle is not None:
391 ldbmessage["title"] = jobtitle
392
393 if department is not None:
394 ldbmessage["department"] = department
395
396 if company is not None:
397 ldbmessage["company"] = company
398
399 if description is not None:
400 ldbmessage["description"] = description
401
402 if mailaddress is not None:
403 ldbmessage["mail"] = mailaddress
404
405 if internetaddress is not None:
406 ldbmessage["wWWHomePage"] = internetaddress
407
408 if telephonenumber is not None:
409 ldbmessage["telephoneNumber"] = telephonenumber
410
411 if physicaldeliveryoffice is not None:
412 ldbmessage["physicalDeliveryOfficeName"] = physicaldeliveryoffice
413
414 if sd is not None:
415 ldbmessage["nTSecurityDescriptor"] = ndr_pack(sd)
416
417 ldbmessage2 = None
418 if any(map(lambda b: b is not None, (uid, uidnumber, gidnumber, gecos,
419 loginshell, nisdomain, unixhome))):
420 ldbmessage2 = ldb.Message()
421 ldbmessage2.dn = ldb.Dn(self, user_dn)
422 if uid is not None:
423 ldbmessage2["uid"] = ldb.MessageElement(str(uid), ldb.FLAG_MOD_REPLACE, 'uid')
424 if uidnumber is not None:
425 ldbmessage2["uidNumber"] = ldb.MessageElement(str(uidnumber), ldb.FLAG_MOD_REPLACE, 'uidNumber')
426 if gidnumber is not None:
427 ldbmessage2["gidNumber"] = ldb.MessageElement(str(gidnumber), ldb.FLAG_MOD_REPLACE, 'gidNumber')
428 if gecos is not None:
429 ldbmessage2["gecos"] = ldb.MessageElement(str(gecos), ldb.FLAG_MOD_REPLACE, 'gecos')
430 if loginshell is not None:
431 ldbmessage2["loginShell"] = ldb.MessageElement(str(loginshell), ldb.FLAG_MOD_REPLACE, 'loginShell')
432 if unixhome is not None:
433 ldbmessage2["unixHomeDirectory"] = ldb.MessageElement(
434 str(unixhome), ldb.FLAG_MOD_REPLACE, 'unixHomeDirectory')
435 if nisdomain is not None:
436 ldbmessage2["msSFU30NisDomain"] = ldb.MessageElement(
437 str(nisdomain), ldb.FLAG_MOD_REPLACE, 'msSFU30NisDomain')
438 ldbmessage2["msSFU30Name"] = ldb.MessageElement(
439 str(username), ldb.FLAG_MOD_REPLACE, 'msSFU30Name')
440 ldbmessage2["unixUserPassword"] = ldb.MessageElement(
441 'ABCD!efgh12345$67890', ldb.FLAG_MOD_REPLACE,
442 'unixUserPassword')
443
444 self.transaction_start()
445 try:
446 self.add(ldbmessage)
447 if ldbmessage2:
448 self.modify(ldbmessage2)
449
450 # Sets the password for it
451 if setpassword:
452 self.setpassword("(samAccountName=%s)" % ldb.binary_encode(username), password,
453 force_password_change_at_next_login_req)
454 except:
455 self.transaction_cancel()
456 raise
457 else:
458 self.transaction_commit()
459
460
461 def deleteuser(self, username):
462 """Deletes a user
463
464 :param username: Name of the target user
465 """
466
467 filter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (ldb.binary_encode(username), "CN=Person,CN=Schema,CN=Configuration", self.domain_dn())
468 self.transaction_start()
469 try:
470 target = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
471 expression=filter, attrs=[])
472 if len(target) == 0:
473 raise Exception('Unable to find user "%s"' % username)
474 assert(len(target) == 1)
475 self.delete(target[0].dn)
476 except:
477 self.transaction_cancel()
478 raise
479 else:
480 self.transaction_commit()
481
482 def setpassword(self, search_filter, password,
483 force_change_at_next_login=False, username=None):
484 """Sets the password for a user
485
486 :param search_filter: LDAP filter to find the user (eg
487 samccountname=name)
488 :param password: Password for the user
489 :param force_change_at_next_login: Force password change
490 """
491 self.transaction_start()
492 try:
493 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
494 expression=search_filter, attrs=[])
495 if len(res) == 0:
496 raise Exception('Unable to find user "%s"' % (username or search_filter))
497 if len(res) > 1:
498 raise Exception('Matched %u multiple users with filter "%s"' % (len(res), search_filter))
499 user_dn = res[0].dn
500 pw = unicode('"' + password + '"', 'utf-8').encode('utf-16-le')
501 setpw = """
502 dn: %s
503 changetype: modify
504 replace: unicodePwd
505 unicodePwd:: %s
506 """ % (user_dn, base64.b64encode(pw))
507
508 self.modify_ldif(setpw)
509
510 if force_change_at_next_login:
511 self.force_password_change_at_next_login(
512 "(distinguishedName=" + str(user_dn) + ")")
513
514 # modify the userAccountControl to remove the disabled bit
515 self.enable_account(search_filter)
516 except:
517 self.transaction_cancel()
518 raise
519 else:
520 self.transaction_commit()
521
522 def setexpiry(self, search_filter, expiry_seconds, no_expiry_req=False):
523 """Sets the account expiry for a user
524
525 :param search_filter: LDAP filter to find the user (eg
526 samaccountname=name)
527 :param expiry_seconds: expiry time from now in seconds
528 :param no_expiry_req: if set, then don't expire password
529 """
530 self.transaction_start()
531 try:
532 res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
533 expression=search_filter,
534 attrs=["userAccountControl", "accountExpires"])
535 if len(res) == 0:
536 raise Exception('Unable to find user "%s"' % search_filter)
537 assert(len(res) == 1)
538 user_dn = res[0].dn
539
540 userAccountControl = int(res[0]["userAccountControl"][0])
541 accountExpires = int(res[0]["accountExpires"][0])
542 if no_expiry_req:
543 userAccountControl = userAccountControl | 0x10000
544 accountExpires = 0
545 else:
546 userAccountControl = userAccountControl & ~0x10000
547 accountExpires = samba.unix2nttime(expiry_seconds + int(time.time()))
548
549 setexp = """
550 dn: %s
551 changetype: modify
552 replace: userAccountControl
553 userAccountControl: %u
554 replace: accountExpires
555 accountExpires: %u
556 """ % (user_dn, userAccountControl, accountExpires)
557
558 self.modify_ldif(setexp)
559 except:
560 self.transaction_cancel()
561 raise
562 else:
563 self.transaction_commit()
564
565 def set_domain_sid(self, sid):
566 """Change the domain SID used by this LDB.
567
568 :param sid: The new domain sid to use.
569 """
570 dsdb._samdb_set_domain_sid(self, sid)
571
572 def get_domain_sid(self):
573 """Read the domain SID used by this LDB. """
574 return dsdb._samdb_get_domain_sid(self)
575
576 domain_sid = property(get_domain_sid, set_domain_sid,
577 "SID for the domain")
578
579 def set_invocation_id(self, invocation_id):
580 """Set the invocation id for this SamDB handle.
581
582 :param invocation_id: GUID of the invocation id.
583 """
584 dsdb._dsdb_set_ntds_invocation_id(self, invocation_id)
585
586 def get_invocation_id(self):
587 """Get the invocation_id id"""
588 return dsdb._samdb_ntds_invocation_id(self)
589
590 invocation_id = property(get_invocation_id, set_invocation_id,
591 "Invocation ID GUID")
592
593 def get_oid_from_attid(self, attid):
594 return dsdb._dsdb_get_oid_from_attid(self, attid)
595
596 def get_attid_from_lDAPDisplayName(self, ldap_display_name,
597 is_schema_nc=False):
598 '''return the attribute ID for a LDAP attribute as an integer as found in DRSUAPI'''
599 return dsdb._dsdb_get_attid_from_lDAPDisplayName(self,
600 ldap_display_name, is_schema_nc)
601
602 def get_syntax_oid_from_lDAPDisplayName(self, ldap_display_name):
603 '''return the syntax OID for a LDAP attribute as a string'''
604 return dsdb._dsdb_get_syntax_oid_from_lDAPDisplayName(self, ldap_display_name)
605
606 def get_systemFlags_from_lDAPDisplayName(self, ldap_display_name):
607 '''return the systemFlags for a LDAP attribute as a integer'''
608 return dsdb._dsdb_get_systemFlags_from_lDAPDisplayName(self, ldap_display_name)
609
610 def get_linkId_from_lDAPDisplayName(self, ldap_display_name):
611 '''return the linkID for a LDAP attribute as a integer'''
612 return dsdb._dsdb_get_linkId_from_lDAPDisplayName(self, ldap_display_name)
613
614 def get_lDAPDisplayName_by_attid(self, attid):
615 '''return the lDAPDisplayName from an integer DRS attribute ID'''
616 return dsdb._dsdb_get_lDAPDisplayName_by_attid(self, attid)
617
618 def get_backlink_from_lDAPDisplayName(self, ldap_display_name):
619 '''return the attribute name of the corresponding backlink from the name
620 of a forward link attribute. If there is no backlink return None'''
621 return dsdb._dsdb_get_backlink_from_lDAPDisplayName(self, ldap_display_name)
622
623 def set_ntds_settings_dn(self, ntds_settings_dn):
624 """Set the NTDS Settings DN, as would be returned on the dsServiceName
625 rootDSE attribute.
626
627 This allows the DN to be set before the database fully exists
628
629 :param ntds_settings_dn: The new DN to use
630 """
631 dsdb._samdb_set_ntds_settings_dn(self, ntds_settings_dn)
632
633 def get_ntds_GUID(self):
634 """Get the NTDS objectGUID"""
635 return dsdb._samdb_ntds_objectGUID(self)
636
637 def server_site_name(self):
638 """Get the server site name"""
639 return dsdb._samdb_server_site_name(self)
640
641 def host_dns_name(self):
642 """return the DNS name of this host"""
643 res = self.search(base='', scope=ldb.SCOPE_BASE, attrs=['dNSHostName'])
644 return res[0]['dNSHostName'][0]
645
646 def domain_dns_name(self):
647 """return the DNS name of the domain root"""
648 domain_dn = self.get_default_basedn()
649 return domain_dn.canonical_str().split('/')[0]
650
651 def forest_dns_name(self):
652 """return the DNS name of the forest root"""
653 forest_dn = self.get_root_basedn()
654 return forest_dn.canonical_str().split('/')[0]
655
656 def load_partition_usn(self, base_dn):
657 return dsdb._dsdb_load_partition_usn(self, base_dn)
658
659 def set_schema(self, schema, write_indices_and_attributes=True):
660 self.set_schema_from_ldb(schema.ldb, write_indices_and_attributes=write_indices_and_attributes)
661
662 def set_schema_from_ldb(self, ldb_conn, write_indices_and_attributes=True):
663 dsdb._dsdb_set_schema_from_ldb(self, ldb_conn, write_indices_and_attributes)
664
665 def dsdb_DsReplicaAttribute(self, ldb, ldap_display_name, ldif_elements):
666 '''convert a list of attribute values to a DRSUAPI DsReplicaAttribute'''
667 return dsdb._dsdb_DsReplicaAttribute(ldb, ldap_display_name, ldif_elements)
668
669 def dsdb_normalise_attributes(self, ldb, ldap_display_name, ldif_elements):
670 '''normalise a list of attribute values'''
671 return dsdb._dsdb_normalise_attributes(ldb, ldap_display_name, ldif_elements)
672
673 def get_attribute_from_attid(self, attid):
674 """ Get from an attid the associated attribute
675
676 :param attid: The attribute id for searched attribute
677 :return: The name of the attribute associated with this id
678 """
679 if len(self.hash_oid_name.keys()) == 0:
680 self._populate_oid_attid()
681 if self.hash_oid_name.has_key(self.get_oid_from_attid(attid)):
682 return self.hash_oid_name[self.get_oid_from_attid(attid)]
683 else:
684 return None
685
686 def _populate_oid_attid(self):
687 """Populate the hash hash_oid_name.
688
689 This hash contains the oid of the attribute as a key and
690 its display name as a value
691 """
692 self.hash_oid_name = {}
693 res = self.search(expression="objectClass=attributeSchema",
694 controls=["search_options:1:2"],
695 attrs=["attributeID",
696 "lDAPDisplayName"])
697 if len(res) > 0:
698 for e in res:
699 strDisplay = str(e.get("lDAPDisplayName"))
700 self.hash_oid_name[str(e.get("attributeID"))] = strDisplay
701
702 def get_attribute_replmetadata_version(self, dn, att):
703 """Get the version field trom the replPropertyMetaData for
704 the given field
705
706 :param dn: The on which we want to get the version
707 :param att: The name of the attribute
708 :return: The value of the version field in the replPropertyMetaData
709 for the given attribute. None if the attribute is not replicated
710 """
711
712 res = self.search(expression="distinguishedName=%s" % dn,
713 scope=ldb.SCOPE_SUBTREE,
714 controls=["search_options:1:2"],
715 attrs=["replPropertyMetaData"])
716 if len(res) == 0:
717 return None
718
719 repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
720 str(res[0]["replPropertyMetaData"]))
721 ctr = repl.ctr
722 if len(self.hash_oid_name.keys()) == 0:
723 self._populate_oid_attid()
724 for o in ctr.array:
725 # Search for Description
726 att_oid = self.get_oid_from_attid(o.attid)
727 if self.hash_oid_name.has_key(att_oid) and\
728 att.lower() == self.hash_oid_name[att_oid].lower():
729 return o.version
730 return None
731
732 def set_attribute_replmetadata_version(self, dn, att, value,
733 addifnotexist=False):
734 res = self.search(expression="distinguishedName=%s" % dn,
735 scope=ldb.SCOPE_SUBTREE,
736 controls=["search_options:1:2"],
737 attrs=["replPropertyMetaData"])
738 if len(res) == 0:
739 return None
740
741 repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob,
742 str(res[0]["replPropertyMetaData"]))
743 ctr = repl.ctr
744 now = samba.unix2nttime(int(time.time()))
745 found = False
746 if len(self.hash_oid_name.keys()) == 0:
747 self._populate_oid_attid()
748 for o in ctr.array:
749 # Search for Description
750 att_oid = self.get_oid_from_attid(o.attid)
751 if self.hash_oid_name.has_key(att_oid) and\
752 att.lower() == self.hash_oid_name[att_oid].lower():
753 found = True
754 seq = self.sequence_number(ldb.SEQ_NEXT)
755 o.version = value
756 o.originating_change_time = now
757 o.originating_invocation_id = misc.GUID(self.get_invocation_id())
758 o.originating_usn = seq
759 o.local_usn = seq
760
761 if not found and addifnotexist and len(ctr.array) >0:
762 o2 = drsblobs.replPropertyMetaData1()
763 o2.attid = 589914
764 att_oid = self.get_oid_from_attid(o2.attid)
765 seq = self.sequence_number(ldb.SEQ_NEXT)
766 o2.version = value
767 o2.originating_change_time = now
768 o2.originating_invocation_id = misc.GUID(self.get_invocation_id())
769 o2.originating_usn = seq
770 o2.local_usn = seq
771 found = True
772 tab = ctr.array
773 tab.append(o2)
774 ctr.count = ctr.count + 1
775 ctr.array = tab
776
777 if found :
778 replBlob = ndr_pack(repl)
779 msg = ldb.Message()
780 msg.dn = res[0].dn
781 msg["replPropertyMetaData"] = ldb.MessageElement(replBlob,
782 ldb.FLAG_MOD_REPLACE,
783 "replPropertyMetaData")
784 self.modify(msg, ["local_oid:1.3.6.1.4.1.7165.4.3.14:0"])
785
786 def write_prefixes_from_schema(self):
787 dsdb._dsdb_write_prefixes_from_schema_to_ldb(self)
788
789 def get_partitions_dn(self):
790 return dsdb._dsdb_get_partitions_dn(self)
791
792 def get_nc_root(self, dn):
793 return dsdb._dsdb_get_nc_root(self, dn)
794
795 def get_wellknown_dn(self, nc_root, wkguid):
796 h_nc = self.hash_well_known.get(str(nc_root))
797 dn = None
798 if h_nc is not None:
799 dn = h_nc.get(wkguid)
800 if dn is None:
801 dn = dsdb._dsdb_get_wellknown_dn(self, nc_root, wkguid)
802 if dn is None:
803 return dn
804 if h_nc is None:
805 self.hash_well_known[str(nc_root)] = {}
806 h_nc = self.hash_well_known[str(nc_root)]
807 h_nc[wkguid] = dn
808 return dn
809
810 def set_minPwdAge(self, value):
811 m = ldb.Message()
812 m.dn = ldb.Dn(self, self.domain_dn())
813 m["minPwdAge"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "minPwdAge")
814 self.modify(m)
815
816 def get_minPwdAge(self):
817 res = self.search(self.domain_dn(), scope=ldb.SCOPE_BASE, attrs=["minPwdAge"])
818 if len(res) == 0:
819 return None
820 elif not "minPwdAge" in res[0]:
821 return None
822 else:
823 return res[0]["minPwdAge"][0]
824
825 def set_minPwdLength(self, value):
826 m = ldb.Message()
827 m.dn = ldb.Dn(self, self.domain_dn())
828 m["minPwdLength"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "minPwdLength")
829 self.modify(m)
830
831 def get_minPwdLength(self):
832 res = self.search(self.domain_dn(), scope=ldb.SCOPE_BASE, attrs=["minPwdLength"])
833 if len(res) == 0:
834 return None
835 elif not "minPwdLength" in res[0]:
836 return None
837 else:
838 return res[0]["minPwdLength"][0]
839
840 def set_pwdProperties(self, value):
841 m = ldb.Message()
842 m.dn = ldb.Dn(self, self.domain_dn())
843 m["pwdProperties"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "pwdProperties")
844 self.modify(m)
845
846 def get_pwdProperties(self):
847 res = self.search(self.domain_dn(), scope=ldb.SCOPE_BASE, attrs=["pwdProperties"])
848 if len(res) == 0:
849 return None
850 elif not "pwdProperties" in res[0]:
851 return None
852 else:
853 return res[0]["pwdProperties"][0]
854
855 def set_dsheuristics(self, dsheuristics):
856 m = ldb.Message()
857 m.dn = ldb.Dn(self, "CN=Directory Service,CN=Windows NT,CN=Services,%s"
858 % self.get_config_basedn().get_linearized())
859 if dsheuristics is not None:
860 m["dSHeuristics"] = ldb.MessageElement(dsheuristics,
861 ldb.FLAG_MOD_REPLACE, "dSHeuristics")
862 else:
863 m["dSHeuristics"] = ldb.MessageElement([], ldb.FLAG_MOD_DELETE,
864 "dSHeuristics")
865 self.modify(m)
866
867 def get_dsheuristics(self):
868 res = self.search("CN=Directory Service,CN=Windows NT,CN=Services,%s"
869 % self.get_config_basedn().get_linearized(),
870 scope=ldb.SCOPE_BASE, attrs=["dSHeuristics"])
871 if len(res) == 0:
872 dsheuristics = None
873 elif "dSHeuristics" in res[0]:
874 dsheuristics = res[0]["dSHeuristics"][0]
875 else:
876 dsheuristics = None
877
878 return dsheuristics
879
880 def create_ou(self, ou_dn, description=None, name=None, sd=None):
881 """Creates an organizationalUnit object
882 :param ou_dn: dn of the new object
883 :param description: description attribute
884 :param name: name atttribute
885 :param sd: security descriptor of the object, can be
886 an SDDL string or security.descriptor type
887 """
888 m = {"dn": ou_dn,
889 "objectClass": "organizationalUnit"}
890
891 if description:
892 m["description"] = description
893 if name:
894 m["name"] = name
895
896 if sd:
897 m["nTSecurityDescriptor"] = ndr_pack(sd)
898 self.add(m)
899
900 def sequence_number(self, seq_type):
901 """Returns the value of the sequence number according to the requested type
902 :param seq_type: type of sequence number
903 """
904 self.transaction_start()
905 try:
906 seq = super(SamDB, self).sequence_number(seq_type)
907 except:
908 self.transaction_cancel()
909 raise
910 else:
911 self.transaction_commit()
912 return seq
913
914 def get_dsServiceName(self):
915 '''get the NTDS DN from the rootDSE'''
916 res = self.search(base="", scope=ldb.SCOPE_BASE, attrs=["dsServiceName"])
917 return res[0]["dsServiceName"][0]
918
919 def get_serverName(self):
920 '''get the server DN from the rootDSE'''
921 res = self.search(base="", scope=ldb.SCOPE_BASE, attrs=["serverName"])
922 return res[0]["serverName"][0]
923
924 def dns_lookup(self, dns_name):
925 '''Do a DNS lookup in the database, returns the NDR database structures'''
926 return dsdb_dns.lookup(self, dns_name)
927
928 def dns_extract(self, el):
929 '''Return the NDR database structures from a dnsRecord element'''
930 return dsdb_dns.extract(el)
931
932 def dns_replace(self, dns_name, new_records):
933 '''Do a DNS modification on the database, sets the NDR database
934 structures on a DNS name
935 '''
936 return dsdb_dns.replace(self, dns_name, new_records)
937
938 def dns_replace_by_dn(self, dn, new_records):
939 '''Do a DNS modification on the database, sets the NDR database
940 structures on a LDB DN
941
942 This routine is important because if the last record on the DN
943 is removed, this routine will put a tombstone in the record.
944 '''
945 return dsdb_dns.replace_by_dn(self, dn, new_records)
Samba GIT mirror