univention.admin.handlers.users package#
Submodules#
univention.admin.handlers.users.contact module#
UDM module for the user contact objects
- class univention.admin.handlers.users.contact.object(co: None, lo: access, position: position | None, dn: str = '', superordinate: Self | None = None, attributes: dict[str, list[bytes]] | None = None)[source]#
Bases:
simpleLdap- module = 'users/contact'#
- description() str[source]#
Return a descriptive string for the object. By default the relative distinguished name is returned.
- Returns:
A descriptive string or none as fallback.
- classmethod unmapped_lookup_filter() conjunction[source]#
Return a LDAP filter UDM filter expression.
- Returns:
A LDAP filter expression.
See
lookup_filter().
univention.admin.handlers.users.federated_account module#
UDM module for the federated account objects
univention.admin.handlers.users.ldap module#
UDM module for the simple authentication account objects
- class univention.admin.handlers.users.ldap.object(co: None, lo: access, position: position | None, dn: str = '', superordinate: Self | None = None, attributes: dict[str, list[bytes]] | None = None)[source]#
Bases:
simpleLdap,PKIIntegration,GuardianBase- module = 'users/ldap'#
- password_length = 8#
- open() None[source]#
Opens this object.
During the initialization of this object the current set LDAP attributes are mapped into
info. This method makes it possible to e.g. resolve external references to other objects which are not represented in the raw LDAP attributes of this object, for example the group memberships of a user.By default only the open hook for extended attributes is called. This method can be subclassed.
Warning
If this method changes anything in self.info it must call
save()afterwards.Warning
If your are going to do any modifications (such as creating, modifying, moving, removing this object) this method must be called directly after the constructor and before modifying any property.
- classmethod unmapped_lookup_filter() conjunction[source]#
Return a LDAP filter UDM filter expression.
- Returns:
A LDAP filter expression.
See
lookup_filter().
univention.admin.handlers.users.passwd module#
UDM module for password part of the user
univention.admin.handlers.users.self module#
UDM module for the user himself
- class univention.admin.handlers.users.self.object(co: None, lo: access, position: position | None, dn: str = '', superordinate: simpleLdap | None = None, attributes: dict[str, list[bytes]] | None = None)[source]#
Bases:
object- module = 'users/self'#
- classmethod lookup_filter(filter_s: str | None = None, lo: access | None = None) conjunction[source]#
Return a LDAP filter as a UDM filter expression.
- Parameters:
filter_s (str) – LDAP filter string.
lo (univention.admin.uldap.access) – UDM LDAP access object.
- Returns:
A LDAP filter expression.
See
lookup().
- classmethod lookup(co: None, lo: access, filter_s: str, base: str = '', superordinate: simpleLdap | None = None, scope: str = 'sub', unique: bool = False, required: bool = False, timeout: int = -1, sizelimit: int = 0, serverctrls: list | None = None, response: dict | None = None) list[simpleLdap][source]#
Perform a LDAP search and return a list of instances.
- Parameters:
co – obsolete config
lo – UDM LDAP access object.
filter_s – LDAP filter string.
base – LDAP search base distinguished name.
superordinate – Distinguished name of a superordinate object.
scope – Specify the scope of the search to be one of base, base+one, one, sub, or domain to specify a base object, base plus one-level, one-level, subtree, or children search.
unique – Raise an exception if more than one object matches.
required – Raise an exception instead of returning an empty dictionary.
timeout – wait at most timeout seconds for a search to complete. -1 for no limit.
sizelimit – retrieve at most sizelimit entries for a search. 0 for no limit.
serverctrls – a list of
ldap.controls.LDAPControlinstances sent to the server along with the LDAP request.response – An optional dictionary to receive the server controls of the result.
authz – ignore authorization checks (dangerous!)
- Returns:
A list of UDM objects.
- univention.admin.handlers.users.self.lookup(co: None, lo: access, filter_s: str, base: str = '', superordinate: simpleLdap | None = None, scope: str = 'sub', unique: bool = False, required: bool = False, timeout: int = -1, sizelimit: int = 0, serverctrls: list | None = None, response: dict | None = None) list[simpleLdap]#
Perform a LDAP search and return a list of instances.
- Parameters:
co – obsolete config
lo – UDM LDAP access object.
filter_s – LDAP filter string.
base – LDAP search base distinguished name.
superordinate – Distinguished name of a superordinate object.
scope – Specify the scope of the search to be one of base, base+one, one, sub, or domain to specify a base object, base plus one-level, one-level, subtree, or children search.
unique – Raise an exception if more than one object matches.
required – Raise an exception instead of returning an empty dictionary.
timeout – wait at most timeout seconds for a search to complete. -1 for no limit.
sizelimit – retrieve at most sizelimit entries for a search. 0 for no limit.
serverctrls – a list of
ldap.controls.LDAPControlinstances sent to the server along with the LDAP request.response – An optional dictionary to receive the server controls of the result.
authz – ignore authorization checks (dangerous!)
- Returns:
A list of UDM objects.
- univention.admin.handlers.users.self.lookup_filter(filter_s: str | None = None, lo: access | None = None) conjunction#
Return a LDAP filter as a UDM filter expression.
- Parameters:
filter_s (str) – LDAP filter string.
lo (univention.admin.uldap.access) – UDM LDAP access object.
- Returns:
A LDAP filter expression.
See
lookup().
univention.admin.handlers.users.user module#
UDM module for the user objects
- univention.admin.handlers.users.user.check_prohibited_username(lo: access, username: str) None[source]#
check if the username is allowed
- univention.admin.handlers.users.user.case_insensitive_in_list(dn: str, list: Sequence[str]) bool[source]#
- univention.admin.handlers.users.user.sambaWorkstationsMap(workstations: Sequence[str], encoding: Sequence[str] = ()) bytes[source]#
- univention.admin.handlers.users.user.sambaWorkstationsUnmap(workstations: Sequence[bytes], encoding: Sequence[str] = ()) list[str][source]#
- univention.admin.handlers.users.user.logonHoursMap(logontimes: Sequence[int]) bytes | None[source]#
Convert list-of-bit to the respective hex string. >>> logonHoursMap([]) b’000000000000000000000000000000000000000000’ >>> logonHoursMap([0]) # Sun 00 b’010000000000000000000000000000000000000000’ >>> logonHoursMap([23]) # Sun 23 b’000080000000000000000000000000000000000000’ >>> logonHoursMap([24 * 7 - 1]) # Sat 23 b’000000000000000000000000000000000000000080’
- univention.admin.handlers.users.user.logonHoursUnmap(logontimes: list[bytes]) list[int][source]#
Convert hex-string to an array of bits set. >>> logonHoursUnmap([b”000000000000000000000000000000000000000000”]) [] >>> logonHoursUnmap([b”010000000000000000000000000000000000000000”]) [0] >>> logonHoursUnmap([b”000080000000000000000000000000000000000000”]) [23] >>> logonHoursUnmap([b”000000000000000000000000000000000000000080”]) [167]
- univention.admin.handlers.users.user.mapHomePostalAddress(old: Sequence[str], encoding: Sequence[str] = ()) list[bytes][source]#
Map address to LDAP encoding.
>>> mapHomePostalAddress([["a", "b", "c"]]) [b'a$b$c']
- univention.admin.handlers.users.user.unmapHomePostalAddress(old: Sequence[bytes], encoding: Sequence[str] = ()) list[list[str]][source]#
Expand LDAP encoded address. >>> unmapHomePostalAddress([b’foo’]) [[‘foo’, ‘ ‘, ‘ ‘]] >>> unmapHomePostalAddress([b’foo$bar$baz’]) [[‘foo’, ‘bar’, ‘baz’]]
- univention.admin.handlers.users.user.unmapUserExpiry(oldattr: dict[str, list[bytes]]) str | None[source]#
- univention.admin.handlers.users.user.unmapShadowExpireToUserexpiry(oldattr: dict[str, list[bytes]]) str | None[source]#
shadowExpire contains the absolute date to expire the account (not the password!)
- univention.admin.handlers.users.user.unmapKrb5ValidEndToUserexpiry(oldattr: dict[str, list[bytes]]) str | None[source]#
- univention.admin.handlers.users.user.unmapSambaKickoffTimeToUserexpiry(oldattr: dict[str, list[bytes]]) str | None[source]#
- univention.admin.handlers.users.user.unmapPasswordExpiry(oldattr: dict[str, list[bytes]]) str[source]#
The shadowLastChange attribute is the amount of days between 1/1/1970 up to the day that password was modified, (shadowMax + 1) is the number of days a password is valid. So the password will be expired on 1/1/1970 + shadowLastChange + shadowMax + 1. Bug 57681: * setting
shadowMaxto (pwhistoryPolicy.expiryInterval - 1) makes password expiry checking betweenpam_unixandpam_krb5consistent *pam_krb5sees the password as expired at 00:01 on the day of password expiry *pam_unix(and related code we have that checks userPassword expiry like the LDAP overlayshadowbind) sees the password as still valid on the dayshadowLastChange + shadowMax, as it calculates:expired := (now - shadowLastChange > shadowMax)* We want uniform handling for this. The password should be invalid at 00:01 at the day of password expiry.
- univention.admin.handlers.users.user.inconsistentDisabledState(oldattr: dict[str, list[bytes]]) bool[source]#
- univention.admin.handlers.users.user.unmapSambaDisabled(oldattr: dict[str, list[bytes]]) bool[source]#
- univention.admin.handlers.users.user.unmapKerberosDisabled(oldattr: dict[str, list[bytes]]) bool[source]#
- univention.admin.handlers.users.user.unmapPosixDisabled(oldattr: dict[str, list[bytes]]) bool[source]#
- univention.admin.handlers.users.user.inconsistentLockedState(oldattr: dict[str, list[bytes]]) int[source]#
- univention.admin.handlers.users.user.isKerberosLocked(oldattr: dict[str, list[bytes]]) bool[source]#
- univention.admin.handlers.users.user.mapKeyAndValue(old: Sequence[str], encoding: Sequence[str] = ()) list[bytes][source]#
Map (key, value) list to key=value list.
>>> mapKeyAndValue([("a", "b")]) [b'a=b']
- univention.admin.handlers.users.user.unmapKeyAndValue(old: Sequence[bytes], encoding: Sequence[str] = ()) list[list[str]][source]#
Map (key=value) list to (key, value) list.
>>> unmapKeyAndValue([b"a=b"]) [['a', 'b']]
- univention.admin.handlers.users.user.mapWindowsFiletime(old: str, encoding: Sequence[str] = ()) list[bytes][source]#
- univention.admin.handlers.users.user.unmapWindowsFiletime(old: Sequence[bytes], encoding: Sequence[str] = ()) str[source]#
- univention.admin.handlers.users.user.datetime_from_local_datetimetimezone_tuple(local_datetimetimezone_tuple: Sequence[str]) datetime[source]#
- univention.admin.handlers.users.user.mapDateTimeTimezoneTupleToUTCDateTimeString(local_datetimetimezone_tuple: Sequence[str], encoding: Sequence[str] = ()) list[bytes][source]#
- univention.admin.handlers.users.user.unmapUTCDateTimeToLocaltime(attribute_value: Sequence[bytes], encoding: Sequence[str] = ()) list[str][source]#
- class univention.admin.handlers.users.user.object(co: None, lo: access, position: position, dn: str = '', superordinate: simpleLdap | None = None, attributes: dict[str, bytes | list[bytes]] | None = None)[source]#
Bases:
simpleLdap,PKIIntegration,GuardianBase- module = 'users/user'#
- use_performant_ldap_search_filter = True#
- open(loadGroups: object = <object object>) None[source]#
Opens this object.
During the initialization of this object the current set LDAP attributes are mapped into
info. This method makes it possible to e.g. resolve external references to other objects which are not represented in the raw LDAP attributes of this object, for example the group memberships of a user.By default only the open hook for extended attributes is called. This method can be subclassed.
Warning
If this method changes anything in self.info it must call
save()afterwards.Warning
If your are going to do any modifications (such as creating, modifying, moving, removing this object) this method must be called directly after the constructor and before modifying any property.
- modify(*args, **kwargs)[source]#
Modifies the LDAP object by building the difference between the current state and the old state of this object and write this modlist to LDAP.
- Parameters:
modify_childs – Specifies if child objects should be modified as well.
ignore_license – If the license is exceeded the modification may fail. Setting this to True causes license checks to be disabled
- Raises:
univention.admin.uexceptions.invalidOperationif objects of this type do not support to be modified.- Raises:
univention.admin.uexceptions.noObjectif the object does not exists.- Raises:
univention.admin.uexceptions.permissionDeniedif no permissions for modification exists- Raises:
- Returns:
The DN of the modified object.
- hasChanged(key: str | Iterable[str]) bool[source]#
Checks if the given attribute(s) was (were) changed.
- Parameters:
key – The name of a property.
- Returns:
True if the property changed, False otherwise.
- classmethod unmapped_lookup_filter() conjunction[source]#
Return a LDAP filter UDM filter expression.
- Returns:
A LDAP filter expression.
See
lookup_filter().
- classmethod rewrite_filter(filter: expression, mapping: mapping) None[source]#