univention.management.console package

class univention.management.console.Translation(namespace, locale_spec=None, localedir=None)[source]

Bases: univention.lib.i18n.NullTranslation

Translation.

locale = <univention.lib.i18n.Locale object>
set_language(language='')[source]

Select language.

Parameters

language (str) – The language code.

Raises

I18N_Error – if the given locale is not valid.

Submodules

univention.management.console.acl module

UMC ACL implementation

This module implements the UMC ACLs used to define the access rights for users and groups to the UMC service.

UMC ACLs are defined by creating UMC operation set objects that are added to UMC policies. These policies can be connected with users or groups.

An UMC operation set consists of a list of UMC command patterns like

udm/* objectType=nagios/*

This specifies that all commands hat match the pattern udm/* can be called if the option objectType is given and the value matches the pattern nagios/*.

Patterns for commands and options may just use the asterik and know no other wildcards. For options there is one additional format allowed to specify that the option may not exist. Therefore the following format is used

udm/* !objectType
class univention.management.console.acl.Rule[source]

Bases: dict

A simple class representing one ACL rule in a form that can be simply serialized.

property fromUser

Returns True if the rule was connected with a user, otherwise False

property host

Returns a hostname pattern. If the pattern matches the hostname the command is allowed on the host

property command

Returns the command pattern this rule describes

property options

Returns the option pattern for the rule

property flavor

Returns the flavor if given otherwise None

class univention.management.console.acl.ACLs(ldap_base=None, acls=None)[source]

Bases: object

Provides methods to determine the access rights of users to specific UMC commands. It defines a cache for ACLs, a parser for command definitions of ACLs and functions for comparison.

MATCH_NONE = 0
MATCH_PART = 1
MATCH_FULL = 2
CACHE_DIR = '/var/cache/univention-management-console/acls'

defines the directory for the cache files

is_command_allowed(command, hostname=None, options={}, flavor=None)[source]

This method verifies if the given command (with options and flavor) is on the named host allowed.

Parameters
  • command (str) – the command to check access for

  • hostname (str) – FQDN of the host

  • options (dict) – the command options given in the UMCP request

  • flavor (str) – the flavor given in the UMCP request

Return type

bool

json()[source]

Returns the ACL definitions in a JSON compatible form.

class univention.management.console.acl.LDAP_ACLs(lo, username, ldap_base)[source]

Bases: univention.management.console.acl.ACLs

Reads ACLs from LDAP directory for the given username. By inheriting the class ACLs the ACL definitions can be cached on the local system. If the LDAP server can not be reached the cache is used if available.

FROM_USER = True
FROM_GROUP = False

univention.management.console.auth module

class univention.management.console.auth.AuthenticationResult(result, locale)[source]

Bases: object

class univention.management.console.auth.AuthHandler[source]

Bases: notifier.signals.Provider

authenticate(msg)[source]

univention.management.console.base module

Python API for UMC modules

The python API for UMC modules primary consists of one base class that must be implemented. As an addition the python API provides some helper functions and classes:

  • exception classes

  • translation support

  • logging functions

  • UCR access

The XML file defining the UMC module specifies functions for the commands provided by the module. These functions must be implemented as methods of a class named Instance that inherits Base.

The following python code example matches the definition in the previous section:

from univention.management.console import Translation
from univention.management.console.config import ucr
from univention.management.console.modules import Base
from univention.management.console.modules.decorators import sanitize
from univention.management.console.modules.sanitizers import IntegerSanitizer
from univention.management.console.log import MODULE

_ = Translation('univention-management-console-modules-udm').translate

class Instance(Base):

        @sanitize(end=IntegerSanitizer(minimum=0),)
        def query(self, request):
                end = request.options['end']
                result = list(range(end))
                self.finished(request.id, result)

Each command methods has one parameter that contains the UMCP request of type Request. Such an object has the following properties:

id

is the unique identifier of the request

options

contains the arguments for the command. For most commands it is a dictionary.

flavor

is the name of the flavor that was used to invoke the command. This might be None

The query method in the example above shows how to retrieve the command parameters and what to do to send the result back to the client. Important is that returning a value in a command function does not send anything back to the client. Therefore the function finished must be invoked. The first parameter is the identifier of the request that will be answered and the second parameter the data structure containing the result. As the result is converted to JSON it must just contain data types that can be converted.

The base class for modules provides some properties and methods that could be useful when writing UMC modules:

Properties * username: The username of the owner of this session * password: The password of the user * auth_type: The authentication method which was used to authenticate this user

Methods * init: Is invoked after the module process has been initialised. At that moment, the settings, like locale and username and password are available. * permitted: Can be used to determine if a specific UMCP command can be invoked by the current user. This method has two parameters: The ‘’command’’ name and the ‘’options’’.

class univention.management.console.base.Base(domain='univention-management-console')[source]

Bases: notifier.signals.Provider, univention.lib.i18n.Translation

The base class for UMC modules of version 2 or higher

update_language(locales)[source]
set_locale(_locale)[source]
property username
property user_dn
property password
property acls
property auth_type
init()[source]

this function is invoked after the initial UMCP SET command that passes the base configuration to the module process

destroy()[source]

this function is invoked before the module process is exiting.

execute(method, request, *args, **kwargs)[source]
security_checks(request, function)[source]
thread_finished_callback(thread, result, request)[source]
error_handling(etype, exc, etraceback)[source]

Translate generic UDM exceptions back to LDAP exceptions.

Parameters
  • etype – The exception class.

  • exc – The exception instance.

  • etraceback – The exception traceback instance; may be None.

default_response_headers()[source]
get_user_ldap_connection(no_cache=False, **kwargs)[source]
bind_user_connection(lo)[source]
require_password()[source]
permitted(command, options, flavor=None)[source]
finished(id, response, message=None, success=True, status=None, mimetype=None, headers=None, error=None, reason=None)[source]

Should be invoked by module to finish the processing of a request. ‘id’ is the request command identifier

result(response)[source]

univention.management.console.category module

Category definitions

The UMC server provides the possibility to define categories used to sort the available UMC modules into groups. Each module can be in as many groups as desired.

The category definitions are stored in XML files that structured as in the following example

<?xml version="1.0" encoding="UTF-8"?>
<umc version="2.0">
        <categories>
                <category id="id1">
                        <name>Category 1</name>
                </category>
                <category id="id2">
                        <name>Category 2 on {hostname}.{domainname}</name>
                </category>
        </categories>
</umc>

Each file can define several categories. For each of these categories an unique identifier and the english description must be specified. The translations are stored in extra po files that are generated by the UMC build tools.

Within the description of a category UCR variable names can be used that will be substituted by the value. Therefore the name of the variables must be given in curly braces {VARIABLE}.

class univention.management.console.category.XML_Definition(root=None, filename=None, domain=None)[source]

Bases: xml.etree.ElementTree.ElementTree

Represents a category definition.

property name

Returns the descriptive name of the category

property id

Returns the unique identifier of the category

property icon
property color
property priority

Returns the priority of the category. If no priority is defined the default priority of -1 is returned. None is returned if the specified priority is not a valid float

Return type

float or None

json()[source]

Returns a JSON compatible representation of the category

Return type

dict

class univention.management.console.category.Manager[source]

Bases: dict

This class manages all available categories.

DIRECTORY = '/usr/share/univention-management-console/categories'
all()[source]
load()[source]

univention.management.console.config module

Configuration

Global configuration variables and objects for the UMC server.

This module provides a global ConfigRegistry instance ucr some constants that are used internally.

univention.management.console.config.get_int(variable, default)[source]

univention.management.console.error module

exception univention.management.console.error.UMC_Error(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: Exception

include_traceback = False
msg = None
status = 400
exception univention.management.console.error.BadRequest(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: univention.management.console.error.UMC_Error

msg = 'Bad request'
status = 400
exception univention.management.console.error.Unauthorized(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: univention.management.console.error.UMC_Error

msg = 'Unauthorized'
status = 401
exception univention.management.console.error.Forbidden(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: univention.management.console.error.UMC_Error

msg = 'Forbidden'
status = 403
exception univention.management.console.error.NotFound(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: univention.management.console.error.UMC_Error

msg = 'Not found'
status = 404
exception univention.management.console.error.MethodNotAllowed(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: univention.management.console.error.UMC_Error

msg = 'Method not allowed'
status = 405
exception univention.management.console.error.NotAcceptable(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: univention.management.console.error.UMC_Error

status = 406
exception univention.management.console.error.UnprocessableEntity(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: univention.management.console.error.UMC_Error

status = 422
exception univention.management.console.error.ServerError(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: univention.management.console.error.UMC_Error

msg = 'Internal error'
status = 500
exception univention.management.console.error.BadGateway(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: univention.management.console.error.UMC_Error

status = 502
exception univention.management.console.error.ServiceUnavailable(message=None, status=None, result=None, headers=None, traceback=None, reason=None)[source]

Bases: univention.management.console.error.UMC_Error

status = 503
exception univention.management.console.error.PasswordRequired[source]

Bases: univention.management.console.error.Unauthorized

exception univention.management.console.error.LDAP_ServerDown[source]

Bases: univention.management.console.error.UMC_Error

exception univention.management.console.error.LDAP_ConnectionFailed(exc)[source]

Bases: univention.management.console.error.LDAP_ServerDown

univention.management.console.ldap module

Decorators for common ldap functionality. Example usage:

@machine_connection(write=True)
def foobar(self, ldap_connection=None, ldap_position=None):
        return ldap_connection.search('uid=Administrator')

def foobar():
        def bind(lo):
                lo.bind('Administrator', 'univention')
        lo, po = get_user_connection(bind=bind, write=True)
        return lo.search('uid=Administrator')
univention.management.console.ldap.user_connection(func=None, bind=None, write=True, loarg='ldap_connection', poarg='ldap_position', no_cache=False, **kwargs)
univention.management.console.ldap.get_user_connection(*args, **kwargs)
univention.management.console.ldap.machine_connection(func=None, write=True, loarg='ldap_connection', poarg='ldap_position', no_cache=False, **kwargs)
univention.management.console.ldap.get_machine_connection(*args, **kwargs)
univention.management.console.ldap.admin_connection(func=None, loarg='ldap_connection', poarg='ldap_position', no_cache=False, **kwargs)
univention.management.console.ldap.get_admin_connection(*args, **kwargs)

univention.management.console.locales module

Locales

The translations provided by the UMC server are technically based on gettext library. As the server needs to provide translations for several different components that deliver their own translation files this module provides a simple way for the UMC server to get the required translations. Components that provide their own translation files:

  • the UMC core — python code directly imported by the UMC server

  • categories

  • module definitions

class univention.management.console.locales.I18N(locale=None, domain=None)[source]

Bases: object

Provides a translation function for a given language and translation domain.

Parameters
  • locale (str) – the locale to provide

  • domain (str) – the translation domain to use

LOCALE_DIR = '/usr/share/univention-management-console/i18n/'
load(locale=None, domain=None)[source]

Tries to load the translation file specified by the given locale and domain. If the given locale could not be found the method tries to find the translation domain for the systems default locale. No translation is provided when this fails too.

Parameters
  • locale (str) – the locale to provide

  • domain (str) – the translation domain to use

exists(message)[source]

Verifies if the translation file contains a translation for the given text.

Parameters

message (str) – the text to search for

Return type

bool

class univention.management.console.locales.I18N_Manager[source]

Bases: dict

This class handles the I18N instances within an UMC session.

As the UMC server handles all sessions opened on a system that may all use a different language it uses one I18N_Manager per session.

set_locale(locale)[source]

Sets the locale to use within the I18N_Manager.

Parameters

locale (str) – locale to use

univention.management.console.log module

Logging

This module provides a wrapper for univention.debug

univention.management.console.log.COMPONENTS = (0, 1, 3, 4, 10, 16, 21, 19, 20, 17, 18, 15)

list of available debugging components

univention.management.console.log.log_init(filename, log_level=2, log_pid=None)[source]

Initializes Univention debug.

Parameters
  • filename (str) – The filename just needs to be a relative name. The directory /var/log/univention/ is prepended and the suffix ‘.log’ is appended.

  • log_level (int) – log level to use (1-4)

  • log_pid (bool) – Prefix log message with process ID

univention.management.console.log.log_set_level(level=0)[source]

Sets the log level for all components.

Parameters

level (int) – log level to set

univention.management.console.log.log_reopen()[source]

Reopenes the logfile and reset the current loglevel

class univention.management.console.log.ILogger(id)[source]

Bases: object

This class provides a simple interface to access the univention debug function for the given component.

Parameters

id (int) – id of the component to use

error(message)[source]

Write a debug message with level ERROR

warn(message)[source]

Write a debug message with level WARN

process(message)[source]

Write a debug message with level PROCESS

info(message)[source]

Write a debug message with level INFO

univention.management.console.module module

Module definitions

The UMC server does not load the python modules to get the details about the modules name, description and functionality. Therefore each UMC module must provide an XML file containing this kind of information.

The following example defines a module with the id udm:

<?xml version="1.0" encoding="UTF-8"?>
<umc version="2.0">
        <module id="udm" icon="udm-module" version="1.0" python="3">
                <name>Univention Directory Manager</name>
                <description>Manages all UDM modules</description>
                <flavor icon="udm-users" id="users/user">
                        <name>Users</name>
                        <description>Managing users</description>
                </flavor>
                <categories>
                        <category name="domain" />
                </categories>
                <requiredCommands>
                        <requiredCommand name="udm/query" />
                </requiredCommands>
                <command name="udm/query" function="query" />
                <command name="udm/containers" function="containers" />
        </module>
</umc>

The module tag defines the basic details of a UMC module

id

This identifier must be unique among the modules of an UMC server. Other files may extend the definition of a module by adding more flavors or categories.

icon

The value of this attribute defines an identifier for the icon that should be used for the module. Details for installing icons can be found in the section Packaging

The child elements name and description define the English human readable name and description of the module. For other translations the build tools will create translation files. Details can be found in the section Packaging.

This example defines a so called flavor. A flavor defines a new name, description and icon for the same UMC module. This can be used to show several”virtual” modules in the overview of the web frontend. Additionally the flavor is passed to the UMC server with each request i.e. the UMC module has the possibility to act differently for a specific flavor.

As the next element categories is defined in the example. The child elements category set the categories wthin the overview where the module should be shown. Each module can be more than one category. The attribute name is to identify the category internally. The UMC server brings a set of pre-defined categories:

favorites

This category is intended to be filled by the user herself.

system

Tools manipulating the system itself (e.g. software installation) should go in here.

At the end of the definition file a list of commands is specified. The UMC server only passes commands to a UMC module that are defined. A command definition has two attributes:

name

is the name of the command that is passed to the UMC module. Within the UMCP message it is the first argument after the UMCP COMMAND.

function

defines the method to be invoked within the python module when the command is called.

keywords

defined keywords for the module to ensure searchability

The translations are stored in extra po files that are generated by the UMC build tools.

class univention.management.console.module.Command(name='', method=None, allow_anonymous=False)[source]

Bases: univention.management.console.tools.JSON_Object

Represents a UMCP command handled by a module

SEPARATOR = '/'
fromJSON(json)[source]
class univention.management.console.module.Flavor(id='', icon='', name='', description='', overwrites=None, deactivated=False, priority=- 1, translationId=None, keywords=None, categories=None, required_commands=None, version=None, hidden=False)[source]

Bases: univention.management.console.tools.JSON_Object

Defines a flavor of a module. This provides another name and icon in the overview and may influence the behavior of the module.

merge(other)[source]
class univention.management.console.module.Module(id='', name='', url='', description='', icon='', categories=None, flavors=None, commands=None, priority=- 1, keywords=None, translationId=None, required_commands=None, version=None)[source]

Bases: univention.management.console.tools.JSON_Object

Represents a command attribute

fromJSON(json)[source]
append_flavors(flavors)[source]
merge_flavors(other_flavors)[source]
merge(other)[source]

merge another Module object into current one

Bases: univention.management.console.module.Module

class univention.management.console.module.XML_Definition(root=None, filename=None)[source]

Bases: xml.etree.ElementTree.ElementTree

container for the interface description of a module

property name
property version
property url
property description
property keywords
property id
property priority
property translationId
property notifier
property python_version
property icon
property deactivated
property flavors

Retrieve list of flavor objects

property categories
commands()[source]

Generator to iterate over the commands

get_module()[source]
get_flavor(name)[source]

Retrieves details of a flavor

get_command(name)[source]

Retrieves details of a command

class univention.management.console.module.Manager[source]

Bases: dict

Manager of all available modules

DIRECTORY = '/usr/share/univention-management-console/modules'
modules()[source]

Returns list of module names

load()[source]

Loads the list of available modules. As the list is cleared before, the method can also be used for reloading

is_command_allowed(acls, command, hostname=None, options={}, flavor=None)[source]
permitted_commands(hostname, acls)[source]

Retrieves a list of all modules and commands available according to the ACLs (instance of LDAP_ACLs)

{ id : Module, … }

module_providing(modules, command)[source]

Searches a dictionary of modules (as returned by permitted_commands) for the given command. If found, the id of the module is returned, otherwise None

univention.management.console.pam module

exception univention.management.console.pam.AuthenticationError[source]

Bases: Exception

exception univention.management.console.pam.AuthenticationFailed[source]

Bases: univention.management.console.pam.AuthenticationError

exception univention.management.console.pam.AuthenticationInformationMissing(message, missing_prompts)[source]

Bases: univention.management.console.pam.AuthenticationError

exception univention.management.console.pam.AccountExpired[source]

Bases: univention.management.console.pam.AuthenticationError

exception univention.management.console.pam.PasswordExpired[source]

Bases: univention.management.console.pam.AuthenticationError

exception univention.management.console.pam.PasswordChangeFailed[source]

Bases: univention.management.console.pam.AuthenticationError

class univention.management.console.pam.PamAuth(locale=None)[source]

Bases: object

known_errors = {'Unable to reach any changepw server  in realm %s': 'Make sure the kerberos service is functioning or inform an Administrator.', re.compile('Password too short, password must be at least (?P<minlen>\\d+) characters long.', re.IGNORECASE): 'The password is too short.', re.compile('^Password too short$'): 'The password is too short.', 'You must choose a longer passwordPassword Too Short': 'The password is too short.', 'Password is too short': 'The password is too short.', ': Es ist zu kurz': 'The password is too short.', ': Es ist VIEL zu kurz': 'The password is too short.', ': it is WAY too short': 'The password is too short.', ': Password is too short': 'The password is too short.', 'BAD PASSWORD: it is WAY too short': 'The password is too short.', 'Schlechtes Passwort: Es ist zu kurz': 'The password is too short.', 'Schlechtes Passwort: Es ist VIEL zu kurz': 'The password is too short.', 'You must choose a shorter password.': 'The password is too long.', 'Sie müssen ein kürzeres Passwort wählen.': 'The password is too long.', ': Es ist zu einfach/systematisch': 'The password is too simple.', ': it is too simplistic/systematic': 'The password is too simple.', 'BAD PASSWORD: is too simple': 'The password is too simple.', ': Password does not meet complexity requirements': 'The password is too simple.', 'Schlechtes Passwort: ist zu einfach': 'The password is too simple.', 'Error: Password does not meet complexity requirements': 'The password is too simple.', 'Bad: new password is too simple': 'The password is too simple.', 'Insufficient Password Quality': 'The password is too simple.', 'Password Insufficient': 'The password is too simple.', 'Password does not meet complexity requirements': 'The password is too simple.', 'is too simple': 'The password is too simple.', "The passwort didn't pass quality check": 'The password is too simple.', "Password doesn't meet complexity requirement.": 'The password is too simple.', 'is a palindrome': 'The password is a palindrome.', 'Bad: new password cannot be a palindrome': 'The password is a palindrome.', ': is a palindrome': 'The password is a palindrome.', 'Schlechtes Passwort: ist ein Palindrome': 'The password is a palindrome.', 'Schlechtes Passwort: wurde gedreht': 'The password is a palindrome.', ': Es basiert auf einem Wörterbucheintrag': 'The password is based on a dictionary word.', ': it is based on a dictionary word': 'The password is based on a dictionary word.', 'Schlechtes Passwort: Es basiert auf einem (umgekehrten) W?rterbucheintrag': 'The password is based on a dictionary word.', 'Schlechtes Passwort: Es basiert auf einem (umgekehrten) Wörterbucheintrag': 'The password is based on a dictionary word.', 'Schlechtes Passwort: Es basiert auf einem W?rterbucheintrag': 'The password is based on a dictionary word.', 'Schlechtes Passwort: Es basiert auf einem Wörterbucheintrag': 'The password is based on a dictionary word.', re.compile('Password is already in password history. New password must not match any of your (?P<history>\\d+) previous passwords.', re.IGNORECASE): 'The password was already used.', re.compile('^Password is already in password history$'): 'The password was already used.', ': Password already used': 'The password was already used.', 'Bad: new password must be different than the old one': 'The password was already used.', 'Password already used': 'The password was already used.', 'Password has been already used.': 'The password was already used.', 'Password has been already used. Choose another.': 'The password was already used.', 'is the same as the old one': 'The password was already used.', 'is rotated': 'The password was already used.', 'password unchanged': 'The password was already used.', 'Passwort nicht geändert': 'The password was already used.', ': Es enthält nicht genug unterschiedliche Zeichen': 'The password does not contain enough different characters.', ': it does not contain enough DIFFERENT characters': 'The password does not contain enough different characters.', 'not enough character classes': 'The password does not contain enough different characters.', 'contains too many same characters consecutively': 'The password does not contain enough different characters.', 'contains too long of a monotonic character sequence': 'The password does not contain enough different characters.', 'case changes only': 'The password is too similar to the old one.', 'Bad: new and old password must differ by more than just case': 'The password is too similar to the old one.', 'is too similar to the old one': 'The password is too similar to the old one.', 'Bad: new and old password are too similar': 'The password is too similar to the old one.', 'Bad: new password is just a wrapped version of the old one': 'The password is too similar to the old one.', 'Schlechtes Passwort: ist dem alten zu ?hnlich': 'The password is too similar to the old one.', 'Schlechtes Passwort: ist dem alten zu ähnlich': 'The password is too similar to the old one.', 'You must wait longer to change your password': 'The minimum password age is not reached yet.', 'Password Too Young': 'The minimum password age is not reached yet.', 'Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.': 'The minimum password age is not reached yet.', 'Password does not meet the password complexity requirements.': 'The password does not meet the password complexity requirements.', 'Password contains user account name.': 'The password contains user account name.', 'Password contains parts of the full user name.': 'The password contains parts of the full user name.'}
custom_prompts = ('OTP',)
authenticate(username, password, **answers)[source]
change_password(username, old_password, new_password)[source]
init()[source]
start(username, data)[source]
end()[source]
conversation(auth, query_list, data)[source]
error_message(pam_err)[source]

univention.management.console.resources module

univention.management.console.tools module

class univention.management.console.tools.JSON_Object[source]

Bases: object

Converts Python object into JSON compatible data structures. Types like lists, tuples and dictionary are converted directly. If none of these types matches the method tries to convert the attributes of the object and generate a dict to represent it.

json()[source]
class univention.management.console.tools.JSON_List(iterable=(), /)[source]

Bases: list, univention.management.console.tools.JSON_Object

class univention.management.console.tools.JSON_Dict[source]

Bases: dict, univention.management.console.tools.JSON_Object

univention.management.console.tools.locale_get()[source]

Get locale name for messages. If no specific locale is set for process the default setting is returned.