%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /usr/lib/python2.7/site-packages/salt/states/
Upload File :
Create Path :
Current File : //usr/lib/python2.7/site-packages/salt/states/ldap.pyo

�
���^c@@s�dZddlmZmZmZddlZddlZddlZddlm	Z	ddl
mZddlm
Z
eje�Zed�Zd�Zd	�Zd
�ZdS(u�
Manage entries in an LDAP database
==================================

.. versionadded:: 2016.3.0

The ``states.ldap`` state module allows you to manage LDAP entries and
their attributes.
i(tabsolute_importtprint_functiontunicode_literalsN(tsix(tOrderedDict(t
OrderedSetc
@sW|dkri}ny|jd|�Wntk
r<nXtd}tj|�}||��5}t||�\}}t�}|j|�|j|�t	�}	x�|D]�}
|j
|
i��|j
|
i��xq��fD]c}t	�}x9tj|�D](\}
}t
|�s|j|
�qqWx|D]
}
||
=q6Wq�W��kr�|	j|
�q�q�Wx<|	D]4}
x$||fD]}|j|
d�q�W||
=qrWi|d6id6dd6dd6}||kr�d|d<t|d<|Std	rd
|d<|}|}|}nzt�}t�}t|d<d|d<g}t�}x|D]}
|j
|
i��|j
|
i��y�t
��r�t
��r�d}td
||
���q�d}td||
�nd}td||
���||
<�||
<t||
<WqU|jk
rT}tjd||
|�|j||
|f�qUqUXqUWt
|�r�t|d<ddjd�|D��|d<nWdQXx�|D]�}
|j
|
i��|j
|
i��i}||d|
<xn�df�dffD]T\}}t
|�sd||<q�nt��fd�tj|�D��||<q�Wq�W|S(u#Ensure the existence (or not) of LDAP entries and their attributes

    Example:

    .. code-block:: yaml

        ldapi:///:
          ldap.managed:
            - connect_spec:
                bind:
                  method: sasl

            - entries:

              # make sure the entry doesn't exist
              - cn=foo,ou=users,dc=example,dc=com:
                - delete_others: True

              # make sure the entry exists with only the specified
              # attribute values
              - cn=admin,dc=example,dc=com:
                - delete_others: True
                - replace:
                    cn:
                      - admin
                    description:
                      - LDAP administrator
                    objectClass:
                      - simpleSecurityObject
                      - organizationalRole
                    userPassword:
                      - {{pillar.ldap_admin_password}}

              # make sure the entry exists, its olcRootDN attribute
              # has only the specified value, the olcRootDN attribute
              # doesn't exist, and all other attributes are ignored
              - 'olcDatabase={1}hdb,cn=config':
                - replace:
                    olcRootDN:
                      - cn=admin,dc=example,dc=com
                    # the admin entry has its own password attribute
                    olcRootPW: []

              # note the use of 'default'.  also note how you don't
              # have to use list syntax if there is only one attribute
              # value
              - cn=foo,ou=users,dc=example,dc=com:
                - delete_others: True
                - default:
                    userPassword: changeme
                    shadowLastChange: 0
                    # keep sshPublicKey if present, but don't create
                    # the attribute if it is missing
                    sshPublicKey: []
                - replace:
                    cn: foo
                    uid: foo
                    uidNumber: 1000
                    gidNumber: 1000
                    gecos: Foo Bar
                    givenName: Foo
                    sn: Bar
                    homeDirectory: /home/foo
                    loginShell: /bin/bash
                    objectClass:
                      - inetOrgPerson
                      - posixAccount
                      - top
                      - ldapPublicKey
                      - shadowAccount

    :param name:
        The URL of the LDAP server.  This is ignored if
        ``connect_spec`` is either a connection object or a dict with
        a ``'url'`` entry.

    :param entries:
        A description of the desired state of zero or more LDAP
        entries.

        ``entries`` is an iterable of dicts.  Each of these dict's
        keys are the distinguished names (DNs) of LDAP entries to
        manage.  Each of these dicts is processed in order.  A later
        dict can reference an LDAP entry that was already mentioned in
        an earlier dict, which makes it possible for later dicts to
        enhance or alter the desired state of an LDAP entry.

        The DNs are mapped to a description of the LDAP entry's
        desired state.  These LDAP entry descriptions are themselves
        iterables of dicts.  Each dict in the iterable is processed in
        order.  They contain directives controlling the entry's state.
        The key names the directive type and the value is state
        information for the directive.  The specific structure of the
        state information depends on the directive type.

        The structure of ``entries`` looks like this::

            [{dn1: [{directive1: directive1_state,
                     directive2: directive2_state},
                    {directive3: directive3_state}],
              dn2: [{directive4: directive4_state,
                     directive5: directive5_state}]},
             {dn3: [{directive6: directive6_state}]}]

        These are the directives:

        * ``'delete_others'``
            Boolean indicating whether to delete attributes not
            mentioned in this dict or any of the other directive
            dicts for this DN.  Defaults to ``False``.

            If you don't want to delete an attribute if present, but
            you also don't want to add it if it is missing or modify
            it if it is present, you can use either the ``'default'``
            directive or the ``'add'`` directive with an empty value
            list.

        * ``'default'``
            A dict mapping an attribute name to an iterable of default
            values for that attribute.  If the attribute already
            exists, it is left alone.  If not, it is created using the
            given list of values.

            An empty value list is useful when you don't want to
            create an attribute if it is missing but you do want to
            preserve it if the ``'delete_others'`` key is ``True``.

        * ``'add'``
            Attribute values to add to the entry.  This is a dict
            mapping an attribute name to an iterable of values to add.

            An empty value list is useful when you don't want to
            create an attribute if it is missing but you do want to
            preserve it if the ``'delete_others'`` key is ``True``.

        * ``'delete'``
            Attribute values to remove from the entry.  This is a dict
            mapping an attribute name to an iterable of values to
            delete from the attribute.  If the iterable is empty, all
            of the attribute's values are deleted.

        * ``'replace'``
            Attributes to replace.  This is a dict mapping an
            attribute name to an iterable of values.  Any existing
            values for the attribute are deleted, then the given
            values are added.  The iterable may be empty.

        In the above directives, the iterables of attribute values may
        instead be ``None``, in which case an empty list is used, or a
        scalar such as a string or number, in which case a new list
        containing the scalar is used.

        Note that if all attribute values are removed from an entry,
        the entire entry is deleted.

    :param connect_spec:
        See the description of the ``connect_spec`` parameter of the
        :py:func:`ldap3.connect <salt.modules.ldap3.connect>` function
        in the :py:mod:`ldap3 <salt.modules.ldap3>` execution module.
        If this is a dict and the ``'url'`` entry is not specified,
        the ``'url'`` entry is set to the value of the ``name``
        parameter.

    :returns:
        A dict with the following keys:

        * ``'name'``
            This is the same object passed to the ``name`` parameter.

        * ``'changes'``
            This is a dict describing the changes made (or, in test
            mode, the changes that would have been attempted).  If no
            changes were made (or no changes would have been
            attempted), then this dict is empty.  Only successful
            changes are included.

            Each key is a DN of an entry that was changed (or would
            have been changed).  Entries that were not changed (or
            would not have been changed) are not included.  The value
            is a dict with two keys:

            * ``'old'``
                The state of the entry before modification.  If the
                entry did not previously exist, this key maps to
                ``None``.  Otherwise, the value is a dict mapping each
                of the old entry's attributes to a list of its values
                before any modifications were made.  Unchanged
                attributes are excluded from this dict.

            * ``'new'``
                The state of the entry after modification.  If the
                entry was deleted, this key maps to ``None``.
                Otherwise, the value is a dict mapping each of the
                entry's attributes to a list of its values after the
                modifications were made.  Unchanged attributes are
                excluded from this dict.

            Example ``'changes'`` dict where a new entry was created
            with a single attribute containing two values::

                {'dn1': {'old': None,
                         'new': {'attr1': ['val1', 'val2']}}}

            Example ``'changes'`` dict where a new attribute was added
            to an existing entry::

                {'dn1': {'old': {},
                         'new': {'attr2': ['val3']}}}

        * ``'result'``
            One of the following values:

            * ``True`` if no changes were necessary or if all changes
              were applied successfully.
            * ``False`` if at least one change was unable to be applied.
            * ``None`` if changes would be applied but it is in test
              mode.
    uurlu
ldap3.connectunameuchangesuresultuucommentuLDAP entries already setutestuWould change LDAP entriesu!Successfully updated LDAP entriesumodifyuldap3.changeudeleteuldap3.deleteuaddu	ldap3.addufailed to %s entry %s (%s)u
failed to u, cs@s;|]1\}}}|d|dtj|�dVqdS(u entry u(u)N(Rt	text_type(t.0toptdnterr((s4/usr/lib/python2.7/site-packages/salt/states/ldap.pys	<genexpr>]sNuoldunewc3@sK|]A\}}�j|d��j|d�kr|t|�fVqdS(N(((tgettsorted(Rtattrtvals(tnto(s4/usr/lib/python2.7/site-packages/salt/states/ldap.pys	<genexpr>ls	(tNonet
setdefaulttAttributeErrort__salt__tinspectt	getmodulet_process_entriesRtupdatetsetRRt	iteritemstlentaddtpoptTruet__opts__t	LDAPErrortlogt	exceptiontappendtFalsetjointdict(tnametentriestconnect_spectconnecttldap3tltoldtnewtdn_settdn_to_deleteR	txt	to_deleteR
Rtrettchanged_oldtchanged_newtsuccess_dn_setterrsRR
tchangestxn((RRs4/usr/lib/python2.7/site-packages/salt/states/ldap.pytmanageds��	

	

	
	






			

	




%
"c@st�}t�}x`|D]X}xOtj|�D]>\}}|j|d�}|dkr�td||d�}t|�dkr�||�t�fd��D��}ni}|||<ntj	|�}	|	||<it
d6t�d6}
x|D]}t|	|
|�q�W|
dr/t�}x.|	D]&}
|
|
dkr(|j
|
�q(q(Wx|D]
}
|	|
=qYWq/q/WqW||fS(uTHelper for managed() to process entries and return before/after views

    Collect the current database state and update it according to the
    data in :py:func:`managed`'s ``entries`` parameter.  Return the
    current database state and what it will look like after
    modification.

    :param l:
        the LDAP connection object

    :param entries:
        the same object passed to the ``entries`` parameter of
        :py:func:`manage`

    :return:
        an ``(old, new)`` tuple that describes the current state of
        the entries and what they will look like after modification.
        Each item in the tuple is an OrderedDict that maps an entry DN
        to another dict that maps an attribute name to a set of its
        values (it's a set because according to the LDAP spec,
        attribute value ordering is unspecified and there can't be
        duplicates).  The structure looks like this:

            {dn1: {attr1: set([val1])},
             dn2: {attr1: set([val2]), attr2: set([val3, val4])}}

        All of an entry's attributes and values will be included, even
        if they will not be modified.  If an entry mentioned in the
        entries variable doesn't yet exist in the database, the DN in
        ``old`` will be mapped to an empty dict.  If an entry in the
        database will be deleted, the DN in ``new`` will be mapped to
        an empty dict.  All value sets are non-empty:  An attribute
        that will be added to an entry is not included in ``old``, and
        an attribute that will be deleted frm an entry is not included
        in ``new``.

        These are OrderedDicts to ensure that the user-supplied
        entries are processed in the user-specified order (in case
        there are dependencies, such as ACL rules specified in an
        early entry that make it possible to modify a later entry).
    uldap3.searchubaseic3@s5|]+}t�|�r|t�|�fVqdS(N(RR(RR
(tattrs(s4/usr/lib/python2.7/site-packages/salt/states/ldap.pys	<genexpr>�su
delete_othersumentioned_attributesN(RRRRRRRR&tcopytdeepcopyR$Rt
_update_entryR(R,R(R-R.tentries_dictR	tdirectives_seqtoldetresultstnewetentry_statust
directivesR2R
((R;s4/usr/lib/python2.7/site-packages/salt/states/ldap.pyRss8+		






	

cC@s�x�tj|�D]�\}}|dkr8||d<qnx^tj|�D]M\}}|dj|�t|�}|dkr�t|�r�||ks�t||�r�|||<q�qH|dkr�|j|j|d	��t|�r�|||<q�qH|dkrM|j|t��}t|�r�||8}t|�rJ|||<qJq�qH|dkr�|j|d�t|�r�|||<q�qHt
d|��qHWqWdS(
u�Update an entry's attributes using the provided directives

    :param entry:
        A dict mapping each attribute name to a set of its values
    :param status:
        A dict holding cross-invocation status (whether delete_others
        is True or not, and the set of mentioned attributes)
    :param directives:
        A dict mapping directive types to directive-specific state
    u
delete_othersumentioned_attributesudefaultuaddudeleteureplaceuunknown directive: N((RRRt_tosetRRRRRRt
ValueError(tentrytstatusREt	directivetstateR
Rt
existing_vals((s4/usr/lib/python2.7/site-packages/salt/states/ldap.pyR>�s2
)
cC@su|dkrt�St|tj�r2t|f�Sytd�|D��SWn$tk
rpttj|�f�SXdS(u|helper to convert various things to a set

    This enables flexibility in what users provide as the list of LDAP
    entry attribute values.  Note that the LDAP spec prohibits
    duplicate values in an attribute.

    RFC 2251 states that:
    "The order of attribute values within the vals set is undefined and
     implementation-dependent, and MUST NOT be relied upon."
    However, OpenLDAP have an X-ORDERED that is used in the config schema.
    Using sets would mean we can't pass ordered values and therefore can't
    manage parts of the OpenLDAP configuration, hence the use of OrderedSet.

    Sets are also good for automatically removing duplicates.

    None becomes an empty set.  Iterables except for strings have
    their elements added to a new set.  Non-None scalars (strings,
    numbers, non-iterable objects, etc.) are added as the only member
    of a new set.

    cs@s|]}tj|�VqdS(N(RR(RR1((s4/usr/lib/python2.7/site-packages/salt/states/ldap.pys	<genexpr>sN(RRt
isinstanceRtstring_typest	TypeErrorR(tthing((s4/usr/lib/python2.7/site-packages/salt/states/ldap.pyRF�s

(t__doc__t
__future__RRRR<Rtloggingtsalt.extRtsalt.utils.odictRtsalt.utils.osetRt	getLoggert__name__R!RR:RR>RF(((s4/usr/lib/python2.7/site-packages/salt/states/ldap.pyt<module>
s�Z	W	'

Zerion Mini Shell 1.0