UMC server#

Server core#

class univention.management.console.server.Application(**settings)[source]

Bases: Application

The tornado application with all UMC resources

univention.management.console.server.tornado_log_reopen()[source]
class univention.management.console.server.Server[source]

Bases: object

univention-management-console-server

signal_handler_hup(signo, frame)[source]

Handler for the postrotate action

signal_handler_sigusr2(signo, frame)[source]

Handler for SIGUSR2 for debugging e.g. memory analysis

signal_handler_reload(signo, frame)[source]

Handler for the reload action

signal_handler_stop(signo, frame)[source]
classmethod reload()[source]
run()[source]
static analyse_memory() -> None[source]

Print the number of living UMC objects. Helpful when analysing memory leaks.

univention.management.console.server.main()[source]
class univention.management.console.resource.Resource(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: RequestHandler

Base class for every UMC resource

requires_authentication = True
ignore_session_timeout_reset = False
set_default_headers()[source]

Override this to set HTTP headers at the beginning of the request.

For example, this is the place to set a custom Server header. Note that setting such headers in the normal flow of request processing may not do what you want, since headers may be reset during error handling.

async prepare()[source]

Called at the beginning of a request before get/post/etc.

Override this method to perform common initialization regardless of the request method.

Asynchronous support: Use async def or decorate this method with .gen.coroutine to make it asynchronous. If this method returns an Awaitable execution will not proceed until the Awaitable is done.

Added in version 3.1: Asynchronous support.

check_session_validity()[source]
get_current_user()[source]

Override to determine the current user from, e.g., a cookie.

This method may not be a coroutine.

get_user_locale()[source]

Override to determine the locale from the authenticated user.

If None is returned, we fall back to get_browser_locale().

This method should return a tornado.locale.Locale object, most likely obtained via a call like tornado.locale.get("en")

get_session_id()[source]

get the current session ID from cookie (or basic auth hash).

create_sessionid(random=True)[source]
sessionidhash()[source]
set_session(sessionid)[source]
expire_session()[source]
set_cookies(*cookies, **kwargs)[source]
get_cookie(name, default=None)[source]

Returns the value of the request cookie with the given name.

If the named cookie is not present, returns default.

This method only returns cookies that were present in the request. It does not see the outgoing cookies set by set_cookie in this handler.

suffixed_cookie_name(name)[source]
bind_session_to_ip()[source]
get_ip_address()[source]

Get the IP address of the client from the last entry of the X-Forwarded-For header, i.e. the entry appended by the Apache reverse proxy in front of the UMC server.
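The distinction the docstring makes matters: every proxy on the path appends the address it saw, so the last X-Forwarded-For entry is the one written by the trusted Apache hop, while the first entry is whatever the client chose to send. The following is an added example, not code from the UMC project, that derives the client address that way and contrasts it with the common first-entry mistake. The header values and addresses are constructed, and the `trusted_proxies` check (ignore the header entirely unless the TCP peer is a known proxy) is this example's own hardening for the case where the gateway is bypassed; the page does not document such a check.

```python
import ipaddress

# Constructed request headers; addresses come from the documentation ranges.
HEADERS_PROXIED = {"X-Forwarded-For": "203.0.113.9, 198.51.100.7"}  # Apache appended 198.51.100.7
HEADERS_SPOOFED = {"X-Forwarded-For": "10.0.0.1"}                    # sent directly, no proxy hop


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def client_ip(headers, remote_addr, trusted_proxies=("127.0.0.1", "::1")):
    """Return the client address the way get_ip_address() is documented to:
    the LAST X-Forwarded-For entry, i.e. the one appended by the trusted proxy.

    Assumption (not from the page): the proxy runs on the same host, so only
    requests arriving from loopback carry a header we may believe. Falls back
    to the TCP peer address when the header is absent or the last entry is not
    a valid IP, so attacker-chosen text never becomes the session's IP.
    """
    if remote_addr not in trusted_proxies:
        # Gateway bypassed: the whole header is client-supplied, ignore it.
        return remote_addr
    xff = _header(headers, "X-Forwarded-For")
    if not xff:
        return remote_addr
    candidate = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr


def naive_client_ip(headers, remote_addr):
    """The common mistake: trust the FIRST entry, which any client can set."""
    xff = _header(headers, "X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr
```

A session bound to an IP address (see bind_session_to_ip below) is only as strong as this value: with the naive variant an attacker who obtains a session cookie simply sends the victim's address in the header, whereas with the last-entry rule the address is the one Apache observed on the TCP connection.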

async parse_authorization()[source]
async basic_authorization(credentials)[source]
async bearer_authorization(bearer_token)[source]
async refresh_oidc_session()[source]
property lo
load_json(body)[source]
decode_request_arguments()[source]
content_negotiation(response, wrap=True)[source]
get_json(result, wrap=True)[source]
content_negotiation_json(response)[source]
write_error(status_code, **kwargs)[source]

Override to implement custom error pages.

write_error may call write, render, set_header, etc to produce output as usual.

If this error was caused by an uncaught exception (including HTTPError), an exc_info triple will be available as kwargs["exc_info"]. Note that this exception may not be the “current” exception for purposes of methods like sys.exc_info() or traceback.format_exc.

default_error_page(status, message, stacktrace, result=None)[source]
default_error_page_html(status, message, stacktrace, result=None)[source]
default_error_page_json(status, message, stacktrace, result=None)[source]

The default error page for responses

check_acceptable(header, default='')[source]
reverse_abs_url(name, path=None)[source]

Implements several helper classes to handle the state of a session and the communication with the module processes

univention.management.console.resources.sanitize(*sargs, **skwargs)[source]
exception univention.management.console.resources.CouldNotConnect[source]

Bases: Exception

class univention.management.console.resources.ModuleProcess(module, debug='0', locale=None, no_daemonize_module_processes=False)[source]

Bases: _ModuleConnection

handles the communication with a UMC module process

Parameters:
  • module (str) – name of the module to start

  • debug (str) – debug level as a string

  • locale (str) – locale to use for the module process

set_exit_callback(callback)[source]
async connect(connect_retries=0)[source]
request(method, uri, headers=None, body=None)[source]
get_uri(uri)[source]
stop() -> None[source]
async stop_process()[source]
str_returncode(returncode)[source]
pid() -> int[source]

Returns process ID of module process

disconnect_inactivity_timer()[source]
reset_inactivity_timer()[source]

Resets the inactivity timer. This timer watches the inactivity of the module process. If the module did not receive a request for MODULE_INACTIVITY_TIMER seconds the module process is shut down to save resources.

class univention.management.console.resources.ModuleProxy(proxy_address, unix_socket=None)[source]

Bases: _ModuleConnection

async connect(connect_retries=0)[source]
request(method, uri, headers=None, body=None)[source]
get_uri(uri)[source]
class univention.management.console.resources.Index(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Redirect to correct path when bypassing gateway

get()[source]
post()
class univention.management.console.resources.Logout(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Logout a user

requires_authentication = False
ignore_session_timeout_reset = True
get(**kwargs)[source]
post(**kwargs)
class univention.management.console.resources.Nothing(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

requires_authentication = False
async prepare(*args, **kwargs)[source]

Called at the beginning of a request before get/post/etc.

Override this method to perform common initialization regardless of the request method.

Asynchronous support: Use async def or decorate this method with .gen.coroutine to make it asynchronous. If this method returns an Awaitable execution will not proceed until the Awaitable is done.

Added in version 3.1: Asynchronous support.

class univention.management.console.resources.SessionInfo(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Get information about the current session

requires_authentication = False
ignore_session_timeout_reset = True
get()[source]
post()
class univention.management.console.resources.GetIPAddress(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Get the most likely IP address of the client

requires_authentication = False
get()[source]
property addresses
post()
class univention.management.console.resources.NewSession(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Drop all information from the current session - like a relogin

get()[source]
post()
class univention.management.console.resources.Auth(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Authenticate the user via PAM - either via plain password or via SAML message

requires_authentication = False
async parse_authorization()[source]
post(*args, **kwargs)[source]
get(*args, **kwargs)
class univention.management.console.resources.Modules(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Get a list of available modules

requires_authentication = False
async prepare()[source]

Called at the beginning of a request before get/post/etc.

Override this method to perform common initialization regardless of the request method.

Asynchronous support: Use async def or decorate this method with .gen.coroutine to make it asynchronous. If this method returns an Awaitable execution will not proceed until the Awaitable is done.

Added in version 3.1: Asynchronous support.

get()[source]
post()
class univention.management.console.resources.Categories(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Get a list of available categories

requires_authentication = False
async prepare()[source]

Called at the beginning of a request before get/post/etc.

Override this method to perform common initialization regardless of the request method.

Asynchronous support: Use async def or decorate this method with .gen.coroutine to make it asynchronous. If this method returns an Awaitable execution will not proceed until the Awaitable is done.

Added in version 3.1: Asynchronous support.

get()[source]
post()
class univention.management.console.resources.Upload(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Handle generic file upload which is not targeted for any module

post()[source]

Handles a file UPLOAD request, respond with a base64 representation of the content.

class univention.management.console.resources.Command(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Gateway for command/upload requests to UMC module processes

requires_authentication = False
async prepare(*args, **kwargs)[source]

Called at the beginning of a request before get/post/etc.

Override this method to perform common initialization regardless of the request method.

Asynchronous support: Use async def or decorate this method with .gen.coroutine to make it asynchronous. If this method returns an Awaitable execution will not proceed until the Awaitable is done.

Added in version 3.1: Asynchronous support.

forbidden_or_unauthenticated(message)[source]
on_connection_close()[source]

Called in async handlers if the client closed the connection.

Override this to clean up resources associated with long-lived connections. Note that this method is called only if the connection was closed during asynchronous processing; if you need to do cleanup after every request override on_finish instead.

Proxies may keep a connection open for a time (perhaps indefinitely) after the client has gone away, so this method may not be called promptly after the end user closes their connection.

cancel_request()[source]
on_finish()[source]

Called after the end of a request.

Override this method to perform cleanup, logging, etc. This method is a counterpart to prepare. on_finish may not produce any output, as it is called after the response has been sent to the client.

async get(umcp_command, command)[source]

Handles a COMMAND request. The request must contain a valid and known command that can be accessed by the current user. If access to the command is prohibited the request is answered as a forbidden command.

If there is no running module process for the given command a new one is started and the request is added to a queue of requests that will be passed on when the process is ready.

If a module process is already running the request is passed on and the inactivity timer is reset.

get_request_header(session, methodname, umcp_command)[source]
async post(umcp_command, command)

Handles a COMMAND request. The request must contain a valid and known command that can be accessed by the current user. If access to the command is prohibited the request is answered as a forbidden command.

If there is no running module process for the given command a new one is started and the request is added to a queue of requests that will be passed on when the process is ready.

If a module process is already running the request is passed on and the inactivity timer is reset.

async put(umcp_command, command)

Handles a COMMAND request. The request must contain a valid and known command that can be accessed by the current user. If access to the command is prohibited the request is answered as a forbidden command.

If there is no running module process for the given command a new one is started and the request is added to a queue of requests that will be passed on when the process is ready.

If a module process is already running the request is passed on and the inactivity timer is reset.

async delete(umcp_command, command)

Handles a COMMAND request. The request must contain a valid and known command that can be accessed by the current user. If access to the command is prohibited the request is answered as a forbidden command.

If there is no running module process for the given command a new one is started and the request is added to a queue of requests that will be passed on when the process is ready.

If a module process is already running the request is passed on and the inactivity timer is reset.

async patch(umcp_command, command)

Handles a COMMAND request. The request must contain a valid and known command that can be accessed by the current user. If access to the command is prohibited the request is answered as a forbidden command.

If there is no running module process for the given command a new one is started and the request is added to a queue of requests that will be passed on when the process is ready.

If a module process is already running the request is passed on and the inactivity timer is reset.

async options(umcp_command, command)

Handles a COMMAND request. The request must contain a valid and known command that can be accessed by the current user. If access to the command is prohibited the request is answered as a forbidden command.

If there is no running module process for the given command a new one is started and the request is added to a queue of requests that will be passed on when the process is ready.

If a module process is already running the request is passed on and the inactivity timer is reset.

class univention.management.console.resources.UCR(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Get UCR Variables matching a pattern

get(*args, **kwargs)[source]
post(*args, **kwargs)
class univention.management.console.resources.Meta(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Get Metainformation about the environment

requires_authentication = False
META_JSON_PATH = '/var/www/univention/meta.json'
META_UCR_VARS = ['domainname', 'hostname', 'ldap/master', 'license/base', 'server/role', 'ssl/validity/host', 'ssl/validity/root', 'ssl/validity/warning', 'umc/web/favorites/default', 'umc/web/piwik', 'update/available', 'update/reboot/required', 'uuid/license', 'uuid/system', 'version/erratalevel', 'version/patchlevel', 'version/releasename', 'version/version']
get()[source]
post()
class univention.management.console.resources.Info(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Get UCS and UMC version number and SSL validity

CHANGELOG_VERSION = re.compile('^[^(]*\\(([^)]*)\\).*')
get_umc_version()[source]
get_ucs_version()[source]
get()[source]
post()
class univention.management.console.resources.Hosts(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

List all directory nodes in the domain

get()[source]
post()
get_hosts()[source]
class univention.management.console.resources.Set(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Generic set of locale, user preferences (favorites) or password

Deprecated since version 5.0: use the specific paths (set/{password,locale,user/preferences}) instead

async post()[source]
class univention.management.console.resources.SetLocale(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Set the locale for the session.

Deprecated since version 5.0: set language via Accept-Language HTTP header

requires_authentication = False
post(*args, **kwargs)[source]
class univention.management.console.resources.SetPassword(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Change the password of the currently authenticated user

post(*args, **kwargs)[source]
class univention.management.console.resources.UserPreferences(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

get user specific preferences like favorites

get()[source]
post()[source]
class univention.management.console.resources.SetUserPreferences(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: UserPreferences

set user specific preferences like favorites

get()[source]
post(*args, **kwargs)[source]
async univention.management.console.resources.wait_task(event)[source]
class univention.management.console.resources.SSELogoutNotifer(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

requires_authentication = True
wait_task = None
cancelled = True
async wait(event: Event)[source]
async get()[source]
on_connection_close()[source]

Called in async handlers if the client closed the connection.

Override this to clean up resources associated with long-lived connections. Note that this method is called only if the connection was closed during asynchronous processing; if you need to do cleanup after every request override on_finish instead.

Proxies may keep a connection open for a time (perhaps indefinitely) after the client has gone away, so this method may not be called promptly after the end user closes their connection.

on_finish()[source]

Called after the end of a request.

Override this method to perform cleanup, logging, etc. This method is a counterpart to prepare. on_finish may not produce any output, as it is called after the response has been sent to the client.

class univention.management.console.session.User[source]

Bases: object

Information about the authenticated user

ip
authenticated
username
password
auth_type
user_dn
object_id
session_end_time
roles
federated_account
class univention.management.console.session.Session(session_id)[source]

Bases: object

An interface to session data

sessions = <univention.management.console.session_dict.SessionDict object>
classmethod get_or_create(session_id)[source]
classmethod put(session_id, session)[source]
classmethod expire(session_id, reload=True)[source]

Removes a session when the connection to the UMC server has died or the session is expired

session_id
user
saml
oidc
acls
processes
renew()[source]
async authenticate(args)[source]
async change_password(args)[source]
set_credentials(username, password, auth_type, object_id=None, roles=None, federated_account=False)[source]
get_user_ldap_connection(**kwargs)[source]
is_saml_user()[source]
is_oidc_user()[source]
get_umc_password()[source]
get_umc_auth_type()[source]
logout(reload=True)[source]
reset_timeout()[source]
disconnect_timer()[source]
timed_out(now=None, session_end_time=None)[source]
property session_end_time
on_logout()[source]
class univention.management.console.session.IACLs(session)[source]

Bases: object

Interface for UMC-ACL information

property acls
is_command_allowed(command, options, flavor)[source]
get_permitted_commands(moduleManager)[source]
is_module_singleton(module_name)[source]
get_module_proxy_address(module_name)[source]
get_module_providing(moduleManager, command)[source]
get_method_name(moduleManager, module_name, command)[source]
class univention.management.console.session.Processes(session)[source]

Bases: object

Interface for module processes

singletons = {}
property acls
processes(module_name)[source]
get_process(module_name, accepted_language, no_daemonize_module_processes=False)[source]
stop_process(module_name)[source]
process_exited(module_name, exit_code)[source]
has_active_module_processes()[source]

Resources#

Module definitions#

The UMC server does not load the Python modules to get the details about a module's name, description and functionality. Therefore each UMC module must provide an XML file containing this information.

The following example defines a module with the id udm:

<?xml version="1.0" encoding="UTF-8"?>
<umc version="2.0">
    <module id="udm" icon="udm-module" version="1.0">
        <name>Univention Directory Manager</name>
        <description>Manages all UDM modules</description>
        <flavor icon="udm-users" id="users/user">
            <name>Users</name>
            <description>Managing users</description>
        </flavor>
        <categories>
            <category name="domain" />
        </categories>
        <requiredCommands>
            <requiredCommand name="udm/query" />
        </requiredCommands>
        <command name="udm/query" function="query" />
        <command name="udm/containers" function="containers" />
    </module>
</umc>

The module tag defines the basic details of a UMC module

id

This identifier must be unique among the modules of an UMC server. Other files may extend the definition of a module by adding more flavors or categories.

icon

The value of this attribute defines an identifier for the icon that should be used for the module. Details for installing icons can be found in the section Packaging

The child elements name and description define the English human readable name and description of the module. For other translations the build tools will create translation files. Details can be found in the section Packaging.

This example defines a so called flavor. A flavor defines a new name, description and icon for the same UMC module. This can be used to show several "virtual" modules in the overview of the web frontend. Additionally the flavor is passed to the UMC server with each request, i.e. the UMC module has the possibility to act differently for a specific flavor.

As the next element, categories is defined in the example. The child elements category set the categories within the overview where the module should be shown. Each module can be in more than one category. The attribute name identifies the category internally. The UMC server brings a set of pre-defined categories:

favorites

This category is intended to be filled by the user herself.

system

Tools manipulating the system itself (e.g. software installation) should go in here.

At the end of the definition file a list of commands is specified. The UMC server only passes commands to a UMC module that are defined. A command definition has two attributes:

name

is the name of the command that is passed to the UMC module. Within the request this is the path segment of the URL after /univention/command/.

function

defines the method to be invoked within the Python module when the command is called.

keywords

defined keywords for the module to ensure searchability

The translations are stored in extra po files that are generated by the UMC build tools.
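The rule that matters for security in this section is that the server forwards only commands that appear in a module's definition file, and that the command name is exactly the path after /univention/command/. As an added example (not the UMC project's own XML_Definition or Manager code), the following parses the udm definition shown above and resolves request paths to the Python function that would handle them. The `permitted` set stands in for the ACL check the real server performs (IACLs.is_command_allowed); rejecting a flavor that the definition does not declare is this example's choice and is not documented behaviour on this page.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple

# The module definition from the text above (udm module).
MODULE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<umc version="2.0">
    <module id="udm" icon="udm-module" version="1.0">
        <name>Univention Directory Manager</name>
        <description>Manages all UDM modules</description>
        <flavor icon="udm-users" id="users/user">
            <name>Users</name>
            <description>Managing users</description>
        </flavor>
        <categories>
            <category name="domain" />
        </categories>
        <requiredCommands>
            <requiredCommand name="udm/query" />
        </requiredCommands>
        <command name="udm/query" function="query" />
        <command name="udm/containers" function="containers" />
    </module>
</umc>
"""

COMMAND_PREFIX = "/univention/command/"


class ModuleDefinition(NamedTuple):
    id: str
    name: str
    flavors: dict            # flavor id -> human readable name
    categories: list         # category names the module is shown in
    required_commands: list  # commands the module needs to be usable at all
    commands: dict           # command name -> Python function name


def parse_module_definition(xml_text):
    """Build a ModuleDefinition from a UMC module XML file.

    Definition files are installed from packages, so the stdlib parser is
    acceptable here; use defusedxml for XML that comes from untrusted sources.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "umc":
        raise ValueError("not a UMC definition file")
    module = root.find("module")
    if module is None or not module.get("id"):
        raise ValueError("<module> with an id attribute is required")
    return ModuleDefinition(
        id=module.get("id"),
        name=module.findtext("name", default=""),
        flavors={f.get("id"): f.findtext("name", default="") for f in module.findall("flavor")},
        categories=[c.get("name") for c in module.findall("categories/category")],
        required_commands=[r.get("name") for r in module.findall("requiredCommands/requiredCommand")],
        commands={c.get("name"): c.get("function") for c in module.findall("command")},
    )


def resolve_command(definition, path, permitted, flavor=None):
    """Map a request path to (module id, function name), or None if forbidden.

    Forwarding requires all of: the path is under the command prefix, the
    command is defined in the XML, and the caller's ACLs permit it
    (`permitted` is a constructed set standing in for the server's ACL check).
    """
    if not path.startswith(COMMAND_PREFIX):
        return None
    command = path[len(COMMAND_PREFIX):]
    function = definition.commands.get(command)
    if function is None or command not in permitted:
        return None
    if flavor is not None and flavor not in definition.flavors:
        return None
    return definition.id, function
```

Note the two independent gates: a command that is permitted by ACL but missing from the XML is still not forwarded, and a defined command the caller's ACLs do not cover is answered as forbidden, matching the description of the Command resource below.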

class univention.management.console.module.Command(name='', method=None, allow_anonymous=False)[source]

Bases: JSON_Object

Represents a request URL path handled by a module

SEPARATOR = '/'
fromJSON(json)[source]
class univention.management.console.module.Flavor(id='', icon='', name='', description='', overwrites=None, deactivated=False, priority=-1, translationId=None, keywords=None, categories=None, required_commands=None, version=None, hidden=False)[source]

Bases: JSON_Object

Defines a flavor of a module. This provides another name and icon in the overview and may influence the behavior of the module.

merge(other)[source]
class univention.management.console.module.Module(id='', name='', url='', description='', icon='', categories=None, flavors=None, commands=None, priority=-1, keywords=None, translationId=None, required_commands=None, version=None, singleton=False, proxy=None)[source]

Bases: JSON_Object

Represents a command attribute

fromJSON(json)[source]
append_flavors(flavors)[source]
merge_flavors(other_flavors)[source]
merge(other)[source]

merge another Module object into current one

class univention.management.console.module.Link(id='', name='', url='', description='', icon='', categories=None, flavors=None, commands=None, priority=-1, keywords=None, translationId=None, required_commands=None, version=None, singleton=False, proxy=None)[source]

Bases: Module

class univention.management.console.module.XML_Definition(root=None, filename=None)[source]

Bases: ElementTree

container for the interface description of a module

property name
property version
property url
property description
property keywords
property id
property priority
property translationId
property singleton
property icon
property deactivated
property flavors

Retrieve list of flavor objects

property categories
commands()[source]

Generator to iterate over the commands

get_module()[source]
get_flavor(name)[source]

Retrieves details of a flavor

get_command(name)[source]

Retrieves details of a command

class univention.management.console.module.Manager[source]

Bases: dict

Manager of all available modules

DIRECTORY = '/usr/share/univention-management-console/modules'
modules()[source]

Returns list of module names

load()[source]

Loads the list of available modules. As the list is cleared before, the method can also be used for reloading

is_command_allowed(acls, command, hostname=None, options={}, flavor=None)[source]
get_module(module_id)[source]
permitted_commands(hostname, acls)[source]

Retrieves a list of all modules and commands available according to the ACLs (instance of LDAP_ACLs)

{ id : Module, … }

is_singleton(module_name)[source]
proxy_address(module_name)[source]
module_providing(modules, command)[source]

Searches a dictionary of modules (as returned by permitted_commands) for the given command. If found, the id of the module is returned, otherwise None

Category definitions#

The UMC server provides the possibility to define categories used to sort the available UMC modules into groups. Each module can be in as many groups as desired.

The category definitions are stored in XML files that are structured as in the following example:

<?xml version="1.0" encoding="UTF-8"?>
<umc version="2.0">
    <categories>
        <category id="id1">
            <name>Category 1</name>
        </category>
        <category id="id2">
            <name>Category 2 on {hostname}.{domainname}</name>
        </category>
    </categories>
</umc>

Each file can define several categories. For each of these categories a unique identifier and the English description must be specified. The translations are stored in extra po files that are generated by the UMC build tools.

Within the description of a category UCR variable names can be used that will be substituted by the value. Therefore the name of the variables must be given in curly braces {VARIABLE}.
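As an added example (not the UMC project's own category.XML_Definition), the following parses the category file shown above, substitutes UCR variables in the names, and applies the priority rule documented for category.XML_Definition.priority below (-1 when absent, None when present but not a valid float). The UCR values are constructed; the placement of the priority as an attribute of `<category>` is an assumption, since the page documents the parsing rule but not where the value lives; and leaving an unset variable as written is this example's choice, as the page does not say what the server does in that case.

```python
import re
import xml.etree.ElementTree as ET

# The page's example, plus one constructed category (id3) that exercises the
# error paths: an unparsable priority and a UCR variable that is not set.
CATEGORY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<umc version="2.0">
    <categories>
        <category id="id1">
            <name>Category 1</name>
        </category>
        <category id="id2">
            <name>Category 2 on {hostname}.{domainname}</name>
        </category>
        <category id="id3" priority="high">
            <name>Category for {ldap/master}</name>
        </category>
    </categories>
</umc>
"""

# Constructed UCR values; a real server reads them from the UCR database.
UCR_SAMPLE = {"hostname": "dc0", "domainname": "example.test"}

_UCR_VAR = re.compile(r"\{([^{}]+)\}")


def expand_ucr(text, ucr):
    """Replace every {VARIABLE} in text with its UCR value.

    Unknown variables are left as written (this example's choice), so a typo
    in a definition file stays visible instead of silently becoming empty.
    """
    return _UCR_VAR.sub(lambda m: ucr.get(m.group(1), m.group(0)), text)


def parse_priority(value):
    """Priority rule documented for category.XML_Definition.priority:
    -1 when not defined, None when defined but not a valid float."""
    if value is None:
        return -1.0
    try:
        return float(value)
    except ValueError:
        return None


def parse_categories(xml_text, ucr):
    """Return one dict per <category> with its UCR variables expanded."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "umc":
        raise ValueError("not a UMC definition file")
    categories = []
    for cat in root.findall("categories/category"):
        cat_id = cat.get("id")
        if not cat_id:
            raise ValueError("<category> without id attribute")
        categories.append({
            "id": cat_id,
            "name": expand_ucr(cat.findtext("name", default=""), ucr),
            "priority": parse_priority(cat.get("priority")),
        })
    return categories
```

Substitution is done with a regular expression rather than str.format so that a stray brace in a name cannot raise and abort loading of the whole file.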

class univention.management.console.category.XML_Definition(root=None, filename=None, domain=None)[source]

Bases: ElementTree

Represents a category definition.

property name

Returns the descriptive name of the category

property id

Returns the unique identifier of the category

property icon
property color
property priority

Returns the priority of the category. If no priority is defined the default priority of -1 is returned. None is returned if the specified priority is not a valid float

Return type:

float or None

json()[source]

Returns a JSON compatible representation of the category

Return type:

dict

class univention.management.console.category.Manager[source]

Bases: dict

This class manages all available categories.

DIRECTORY = '/usr/share/univention-management-console/categories'
all()[source]
load()[source]

Locales#

The translations provided by the UMC server are technically based on the gettext library. As the server needs to provide translations for several different components that deliver their own translation files, this module provides a simple way for the UMC server to get the required translations. Components that provide their own translation files:

  • the UMC core — Python code directly imported by the UMC server

  • categories

  • module definitions

class univention.management.console.locales.I18N(locale=None, domain=None)[source]

Bases: object

Provides a translation function for a given language and translation domain.

Parameters:
  • locale (str) – the locale to provide

  • domain (str) – the translation domain to use

LOCALE_DIR = '/usr/share/univention-management-console/i18n/'
load(locale=None, domain=None)[source]

Tries to load the translation file specified by the given locale and domain. If the given locale could not be found the method tries to find the translation domain for the systems default locale. No translation is provided when this fails too.

Parameters:
  • locale (str) – the locale to provide

  • domain (str) – the translation domain to use

exists(message)[source]

Verifies if the translation file contains a translation for the given text.

Parameters:

message (str) – the text to search for

Return type:

bool

class univention.management.console.locales.I18N_Manager[source]

Bases: dict

This class handles the I18N instances within an UMC session.

As the UMC server handles all sessions opened on a system that may all use a different language it uses one I18N_Manager per session.

set_locale(locale)[source]

Sets the locale to use within the I18N_Manager.

Parameters:

locale (str) – locale to use

Security#

class univention.management.console.auth.AuthenticationResult(result: BaseException | dict[str, str], locale: str | None)[source]

Bases: object

class univention.management.console.auth.AuthHandler[source]

Bases: object

get_handler(locale)[source]
authenticate(pam, args)[source]
class univention.management.console.saml.SAMLUser(response, message)[source]

Bases: object

SAML specific user information

name_id
message
username
session_end_time
on_logout()[source]
exception univention.management.console.saml.SamlError(_=<bound method NullTranslation.translate of <univention.lib.i18n.NullTranslation object>>)[source]

Bases: HTTPError

Errors caused during SAML authentication

error(status=400)[source]
from_exception(etype, exc, etraceback)[source]
unknown_principal(*args, **kwargs)[source]
unsupported_binding(*args, **kwargs)[source]
unknown_logout_binding(*args, **kwargs)[source]
verification_error(*args, **kwargs)[source]
unsolicited_response(*args, **kwargs)[source]
status_error(*args, **kwargs)[source]
missing_key(*args, **kwargs)[source]
signature_error(*args, **kwargs)[source]
unparsed_saml_response(*args, **kwargs)[source]
no_identity_provider(*args, **kwargs)[source]
multiple_identity_provider(*args, **kwargs)[source]
class univention.management.console.saml.SAMLResource(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: Resource

Base class for all SAML resources

requires_authentication = False
SP = None
configfile = '/usr/share/univention-management-console/saml/sp.py'
idp_query_param = 'IdpQuery'
bindings = ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
outstanding_queries = {}
classmethod on_logout(name_id)[source]
class univention.management.console.saml.SamlMetadata(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: SAMLResource

Get the SAML XML Metadata

get()[source]
class univention.management.console.saml.SamlACS(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: SAMLResource

SAML attribute consuming service (or Single Sign On redirection)

property sp
classmethod reload()[source]
async get()[source]
async post()
async attribute_consuming_service(binding, message, relay_state)[source]
async attribute_consuming_service_iframe(binding, message, relay_state)[source]
async pam_saml_authentication(saml)[source]
parse_authn_response(message, binding)[source]
do_single_sign_on(**kwargs)[source]
create_authn_request(**kwargs)[source]

Creates the SAML <AuthnRequest> request and returns the SAML binding and HTTP response.

Returns (binding, http-arguments)

select_identity_provider()[source]

Select an identity provider based on the available identity providers. If multiple IDP’s are set up the client might have specified one in the query string. Otherwise an error is raised where the user can choose one.

Returns the EntityID of the IDP.

get_identity_provider_destination(entity_id)[source]

Get the destination (with SAML binding) of the specified entity_id.

Returns (binding, destination-URI)

select_service_provider()[source]

Select the ACS-URI and binding of this service provider based on the request uri. Tries to preserve the current scheme (HTTP/HTTPS) and netloc (host/IP) but falls back to FQDN if it is not set up.

Returns (binding, service-provider-URI)

http_response(binding, http_args)[source]

Converts the HTTP arguments from pysaml2 into the tornado response.

class univention.management.console.saml.SamlIframeACS(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: SamlACS

Passive SAML authentication via hidden iframe

get()[source]
post()
class univention.management.console.saml.SamlSingleLogout(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: SamlACS

SAML Single Logout by IDP

get(*args, **kwargs)[source]
post(*args, **kwargs)
class univention.management.console.saml.SamlLogout(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: SamlACS

Initiate SAML Logout at the IDP

get()[source]
post()
univention.management.console.oidc.create_federated_account(uuid)[source]
class univention.management.console.oidc.OIDCUser(id_token, access_token, refresh_token, claims)[source]

Bases: object

OIDC tokens of the authenticated user.

id_token
access_token
refresh_token
claims
roles
uuid
username
session_refresh_future
federated_account
property session_end_time
property token_end_time
class univention.management.console.oidc.OIDCResource(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: OAuth2Mixin, Resource

Base class for all OIDC resources.

requires_authentication = False
async prepare()[source]

Called at the beginning of a request before get/post/etc.

Override this method to perform common initialization regardless of the request method.

Asynchronous support: Use async def or decorate this method with .gen.coroutine to make it asynchronous. If this method returns an Awaitable execution will not proceed until the Awaitable is done.

Added in version 3.1: Asynchronous support.

get_openid_provider(issuer)[source]
set_settings(issuer)[source]
async bearer_authorization(bearer_token)[source]
async authenticate(code, code_verifier, nonce)[source]
async handle_federated_account(oidc)[source]
async pam_oidc_authentication(oidc)[source]
verify_id_token(token, nonce)[source]
verify_access_token(token)[source]
verify_logout_token(token)[source]
async get_user_information(bearer_token)[source]
async download_jwks()[source]
async get_access_token(redirect_uri, code, code_verifier)[source]
async get_new_access_token(redirect_uri, refresh_token)[source]
async refresh_session_tokens(user)[source]

Refresh the tokens using the refresh token.

class univention.management.console.oidc.OIDCLogin(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: OIDCResource

User-initiated login at the OP using the Authorization Code Flow.

async get()[source]
async post()[source]
async do_single_sign_on(location, login_hint)[source]
class univention.management.console.oidc.OIDCLogout(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: _OIDCLogoutBase

User initiated logout at the OP

get()[source]

User initiated front channel logout at OP.

async post()[source]

User initiated back channel logout at OP.

class univention.management.console.oidc.OIDCLogoutFinished(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: _OIDCLogoutBase

get()[source]
class univention.management.console.oidc.OIDCFrontchannelLogout(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: _OIDCLogoutBase

OP initiated frontchannel logout at this RP.

get()[source]
class univention.management.console.oidc.OIDCBackchannelLogout(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: OIDCResource

OP initiated backchannel logout at this RP.

post()[source]
class univention.management.console.oidc.OIDCMetadata(application: Application, request: HTTPServerRequest, **kwargs: Any)[source]

Bases: OIDCResource

A client metadata document suitable for dynamic client registration.

get()[source]

UMC ACL implementation#

This module implements the UMC ACLs used to define the access rights for users and groups to the UMC service.

UMC ACLs are defined by creating UMC operation set objects that are added to UMC policies. These policies can be connected with users or groups.

A UMC operation set consists of a list of UMC command patterns like

udm/* objectType=nagios/*

This specifies that all commands that match the pattern udm/* can be called if the option objectType is given and its value matches the pattern nagios/*.

Patterns for commands and options may only use the asterisk; no other wildcards are supported. For options there is one additional format, which specifies that the option must not be present. For this the following format is used

udm/* !objectType
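
The following is an added, illustrative re-implementation of the matching semantics described above (asterisk-only wildcards, required option values, and the `!option` "must be absent" form). It is not the code of univention.management.console.acl.ACLs; the function names and the rule strings in EXAMPLE_RULES are constructed for this example.

```python
import re

# Added illustrative re-implementation of the operation-set pattern semantics;
# NOT univention.management.console.acl.ACLs. Rule strings are constructed.


def _compile_pattern(pattern):
    """Turn a UMC pattern into a regex in which only '*' is a wildcard.

    Everything else ('/', '.', '?', ...) is matched literally, and the
    caller uses fullmatch() so a pattern never matches a mere prefix."""
    return re.compile('.*'.join(re.escape(part) for part in pattern.split('*')), re.DOTALL)


def parse_rule(rule):
    """Split 'udm/* objectType=nagios/* !flavor' into the command pattern and
    a list of (option name, value pattern) pairs.

    A value pattern of None encodes the '!name' form: the option must be absent."""
    command, *option_specs = rule.split()
    options = []
    for spec in option_specs:
        if spec.startswith('!'):
            options.append((spec[1:], None))
        else:
            name, sep, value = spec.partition('=')
            if not sep:
                raise ValueError('option pattern must be name=value or !name: %r' % spec)
            options.append((name, value))
    return command, options


def rule_allows(rule, command, options):
    """True if the command pattern matches and every option constraint holds."""
    command_pattern, option_patterns = parse_rule(rule)
    if not _compile_pattern(command_pattern).fullmatch(command):
        return False
    for name, value_pattern in option_patterns:
        if value_pattern is None:
            if name in options:          # '!name': the option must not be given
                return False
        elif name not in options:        # required option is missing
            return False
        elif not _compile_pattern(value_pattern).fullmatch(str(options[name])):
            return False
    return True


def is_command_allowed(rules, command, options=None):
    """Deny by default: allowed only if at least one rule of the set allows it."""
    options = options or {}
    return any(rule_allows(rule, command, options) for rule in rules)


# Constructed operation set: udm/* only for nagios objects, and udm/query
# additionally when no objectType option is given at all.
EXAMPLE_RULES = ['udm/* objectType=nagios/*', 'udm/query !objectType']

if __name__ == '__main__':
    for cmd, opts in [('udm/get', {'objectType': 'nagios/service'}),
                      ('udm/get', {'objectType': 'users/user'}),
                      ('udm/get', {}),
                      ('udm/query', {}),
                      ('ucr/get', {})]:
        print(cmd, opts, '->', is_command_allowed(EXAMPLE_RULES, cmd, opts))
```

Two details matter for an access-control matcher: the regex is built with re.escape so that characters other than the asterisk are never interpreted, and fullmatch is used so that udm/* cannot be satisfied by a command that merely starts with the pattern followed by a newline or other trailing data.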
class univention.management.console.acl.Rule[source]

Bases: dict

A simple class representing one ACL rule in a form that can be serialized easily.

property fromUser

Returns True if the rule was connected with a user, otherwise False

property host

Returns a hostname pattern. If the pattern matches the hostname, the command is allowed on that host.

property command

Returns the command pattern this rule describes

property options

Returns the option pattern for the rule

property flavor

Returns the flavor if given, otherwise None.

class univention.management.console.acl.ACLs(ldap_base=None, acls=None)[source]

Bases: object

Provides methods to determine the access rights of users to specific UMC commands. It defines a cache for ACLs, a parser for command definitions of ACLs and functions for comparison.

MATCH_NONE = 0
MATCH_PART = 1
MATCH_FULL = 2
CACHE_DIR = '/var/cache/univention-management-console/acls'

defines the directory for the cache files

reload()[source]
is_command_allowed(command, hostname=None, options={}, flavor=None)[source]

This method verifies whether the given command (with options and flavor) is allowed on the named host.

Parameters:
  • command (str) – the command to check access for

  • hostname (str) – FQDN of the host

  • options (dict) – the command options given in the HTTP request

  • flavor (str) – the flavor given in the HTTP request

Return type:

bool

json()[source]

Returns the ACL definitions in a JSON compatible form.

class univention.management.console.acl.LDAP_ACLs(username, userdn, ldap_base)[source]

Bases: ACLs

Reads ACLs from the LDAP directory for the given username. By inheriting from the class ACLs, the ACL definitions can be cached on the local system. If the LDAP server cannot be reached, the cache is used if available.

FROM_USER = True
FROM_GROUP = False
reload(lo=None)[source]
exception univention.management.console.pam.AuthenticationError[source]

Bases: Exception

exception univention.management.console.pam.AuthenticationFailed[source]

Bases: AuthenticationError

exception univention.management.console.pam.AuthenticationInformationMissing(message: str, missing_prompts: Any)[source]

Bases: AuthenticationError

exception univention.management.console.pam.AccountExpired[source]

Bases: AuthenticationError

exception univention.management.console.pam.PasswordExpired[source]

Bases: AuthenticationError

exception univention.management.console.pam.PasswordChangeFailed[source]

Bases: AuthenticationError

class univention.management.console.pam.PamAuth(locale: str | None = None)[source]

Bases: object

known_errors: dict[str | Pattern[str], str] = {"Password doesn't meet complexity requirement.": 'The password is too simple.', "The passwort didn't pass quality check": 'The password is too simple.', ': Es basiert auf einem Wörterbucheintrag': 'The password is based on a dictionary word.', ': Es enthält nicht genug unterschiedliche Zeichen': 'The password does not contain enough different characters.', ': Es ist VIEL zu kurz': 'The password is too short.', ': Es ist zu einfach/systematisch': 'The password is too simple.', ': Es ist zu kurz': 'The password is too short.', ': Password already used': 'The password was already used.', ': Password does not meet complexity requirements': 'The password is too simple.', ': Password is too short': 'The password is too short.', ': is a palindrome': 'The password is a palindrome.', ': it does not contain enough DIFFERENT characters': 'The password does not contain enough different characters.', ': it is WAY too short': 'The password is too short.', ': it is based on a dictionary word': 'The password is based on a dictionary word.', ': it is too simplistic/systematic': 'The password is too simple.', 'BAD PASSWORD: is too simple': 'The password is too simple.', 'BAD PASSWORD: it is WAY too short': 'The password is too short.', 'Bad: new and old password are too similar': 'The password is too similar to the old one.', 'Bad: new and old password must differ by more than just case': 'The password is too similar to the old one.', 'Bad: new password cannot be a palindrome': 'The password is a palindrome.', 'Bad: new password is just a wrapped version of the old one': 'The password is too similar to the old one.', 'Bad: new password is too simple': 'The password is too simple.', 'Bad: new password must be different than the old one': 'The password was already used.', 'Error: Password does not meet complexity requirements': 'The password is too simple.', 'Insufficient Password Quality': 'The password is too simple.', 'Password Insufficient': 'The password is too simple.', 'Password Too Young': 'The minimum password age is not reached yet.', 'Password already used': 'The password was already used.', 'Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.': 'The minimum password age is not reached yet.', 'Password contains parts of the full user name.': 'The password contains parts of the full user name.', 'Password contains user account name.': 'The password contains user account name.', 'Password does not meet complexity requirements': 'The password is too simple.', 'Password does not meet the password complexity requirements.': 'The password does not meet the password complexity requirements.', 'Password has been already used. Choose another.': 'The password was already used.', 'Password has been already used.': 'The password was already used.', 'Password is too short': 'The password is too short.', 'Passwort nicht geändert': 'The password was already used.', 'Schlechtes Passwort: Es basiert auf einem (umgekehrten) W?rterbucheintrag': 'The password is based on a dictionary word.', 'Schlechtes Passwort: Es basiert auf einem (umgekehrten) Wörterbucheintrag': 'The password is based on a dictionary word.', 'Schlechtes Passwort: Es basiert auf einem W?rterbucheintrag': 'The password is based on a dictionary word.', 'Schlechtes Passwort: Es basiert auf einem Wörterbucheintrag': 'The password is based on a dictionary word.', 'Schlechtes Passwort: Es ist VIEL zu kurz': 'The password is too short.', 'Schlechtes Passwort: Es ist zu kurz': 'The password is too short.', 'Schlechtes Passwort: ist dem alten zu ?hnlich': 'The password is too similar to the old one.', 'Schlechtes Passwort: ist dem alten zu ähnlich': 'The password is too similar to the old one.', 'Schlechtes Passwort: ist ein Palindrome': 'The password is a palindrome.', 'Schlechtes Passwort: ist zu einfach': 'The password is too simple.', 'Schlechtes Passwort: wurde gedreht': 'The password is a palindrome.', 'Sie müssen ein kürzeres Passwort wählen.': 'The password is too long.', 'Unable to reach any changepw server  in realm %s': 'Make sure the kerberos service is functioning or inform an Administrator.', 'You must choose a longer passwordPassword Too Short': 'The password is too short.', 'You must choose a shorter password.': 'The password is too long.', 'You must wait longer to change your password': 'The minimum password age is not reached yet.', 'case changes only': 'The password is too similar to the old one.', 'contains too long of a monotonic character sequence': 'The password does not contain enough different characters.', 'contains too many same characters consecutively': 'The password does not contain enough different characters.', 'is a palindrome': 'The password is a palindrome.', 'is rotated': 'The password was already used.', 'is the same as the old one': 'The password was already used.', 'is too similar to the old one': 'The password is too similar to the old one.', 'is too simple': 'The password is too simple.', 'not enough character classes': 'The password does not contain enough different characters.', 'password unchanged': 'The password was already used.', re.compile('Password is already in password history. New password must not match any of your (?P<history>\\d+) previous passwords.', re.IGNORECASE): 'The password was already used.', re.compile('Password too short, password must be at least (?P<minlen>\\d+) characters long.', re.IGNORECASE): 'The password is too short.', re.compile('^Password is already in password history$'): 'The password was already used.', re.compile('^Password too short$'): 'The password is too short.'}
custom_prompts: tuple[str, ...] = ('OTP',)
authenticate(username: str, password: str, **answers: Any) None[source]
change_password(username: str, old_password: str, new_password: str) None[source]
init() PAM.pam[source]
start(username: str, data: Any) None[source]
end() None[source]
conversation(auth: Any, query_list: Any, data: Any) list[source]
error_message(pam_err: tuple[Any, int]) str[source]

Helper functions#

Configuration#

Global configuration variables and objects for the UMC server.

This module provides a global ConfigRegistry instance ucr and some constants that are used internally.

univention.management.console.config.get_int(variable, default)[source]

Logging#

This module provides a wrapper for univention.debug

class univention.management.console.log.RequestFilter(umcmodule)[source]

Bases: Filter

Initialize a filter.

Initialize with the name of the logger which, together with its children, will have its events allowed through the filter. If no name is specified, allow every event.

request_context = <ContextVar name='request'>
filter(record)[source]

Determine if the specified record is to be logged.

Returns True if the record should be logged, or False otherwise. If deemed appropriate, the record may be modified in-place.
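
To show what a request-scoped logging filter built on a ContextVar buys in an asynchronous server, here is an added example in the spirit of RequestFilter and request_context above. It is not UMC's implementation: the context payload (a dict with 'id' and 'username'), the in-memory ListHandler and the helper names are this example's own assumptions, and the logged lines are constructed.

```python
import logging
from contextvars import ContextVar

# Added illustrative example; NOT the UMC RequestFilter. The context payload
# and helper names below are assumptions made for this example.

request_context: ContextVar = ContextVar('request', default=None)


class RequestFilter(logging.Filter):
    """Annotate every record with the id and user of the request being handled.

    The filter never drops records; it only adds fields, so lines logged
    outside any request still format (they get 'req=- user=-')."""

    def filter(self, record):
        ctx = request_context.get()
        record.request_id = ctx['id'] if ctx else '-'
        record.username = ctx['username'] if ctx else '-'
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the example can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_logger(name):
    """Logger whose handler runs the filter before formatting each record."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter(
        '%(levelname)s req=%(request_id)s user=%(username)s %(message)s'))
    handler.addFilter(RequestFilter())
    logger.addHandler(handler)
    return logger, handler


def handle_request(logger, request_id, username, body):
    """Run body() with the request context set and reset it afterwards, so a
    request id never leaks into log lines written after the request ended."""
    token = request_context.set({'id': request_id, 'username': username})
    try:
        logger.info('request started')
        return body()
    finally:
        logger.info('request finished')
        request_context.reset(token)


def demo():
    """Constructed sequence: one line before, three during and one after a request."""
    logger, handler = make_logger('umc-example')
    logger.info('server starting')
    handle_request(logger, 'req-0001', 'alice',
                   lambda: logger.warning('command udm/get denied by ACL'))
    logger.info('idle')
    return handler.lines


if __name__ == '__main__':
    for line in demo():
        print(line)
```

A ContextVar rather than a thread-local is the right carrier here: in a coroutine-based server many requests share one thread, and each task sees its own copy of the context, so the denial line logged while handling req-0001 is attributed to alice even if other requests are interleaved on the same thread. The reset in the finally block is what keeps the attribution honest after the request completes.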

univention.management.console.log.log_init(filename, log_level=2, log_pid=None, **kwargs)[source]

Initializes Univention debug.

Parameters:
  • filename (str) – The filename just needs to be a relative name. The directory /var/log/univention/ is prepended and the suffix ‘.log’ is appended.

  • log_level (int) – log level to use (1-4)

  • log_pid (bool) – Prefix log message with process ID

univention.management.console.log.log_set_level(level=0)[source]

Sets the log level for all components.

Parameters:

level (int) – log level to set

univention.management.console.log.log_reopen()[source]

Reopens the log file and resets the current log level.

univention.management.console.log.init_request_context_logging(umc_module)[source]
univention.management.console.log.add_filter(filter_, logger_names=('MAIN', 'NETWORK', 'SSL', 'ADMIN', 'LDAP', 'MODULE', 'AUTH', 'PARSER', 'LOCALE', 'ACL', 'RESOURCES', 'PROTOCOL', 'tornado'))[source]

Decorators for common ldap functionality. Example usage:

from univention.management.console.ldap import get_user_connection, machine_connection

@machine_connection(write=True)
def foobar(self, ldap_connection=None, ldap_position=None):
    # the decorator injects the machine account's LDAP connection and position
    return ldap_connection.search('uid=Administrator')

def foobar_manual():
    # the same search without the decorator: bind explicitly as a user
    def bind(lo):
        lo.bind('Administrator', 'univention')
    lo, po = get_user_connection(bind=bind, write=True)
    return lo.search('uid=Administrator')
univention.management.console.ldap.admin_connection(func=None, loarg='ldap_connection', poarg='ldap_position', no_cache=False, **kwargs)
univention.management.console.ldap.connection(func=None, bind=None, host=None, port=None, base=None, loarg='ldap_connection', poarg='ldap_position', no_cache=False, **kwargs)
univention.management.console.ldap.get_admin_connection(*args, **kwargs)
univention.management.console.ldap.get_connection(*args, **kwargs)
univention.management.console.ldap.get_machine_connection(*args, **kwargs)
univention.management.console.ldap.get_user_connection(*args, **kwargs)
univention.management.console.ldap.machine_connection(func=None, write=True, loarg='ldap_connection', poarg='ldap_position', no_cache=False, **kwargs)
univention.management.console.ldap.user_connection(func=None, bind=None, write=True, loarg='ldap_connection', poarg='ldap_position', no_cache=False, **kwargs)