# -*- coding: utf-8 -*-
#
# Univention AD Connector
#  this file defines the mapping beetween AD and UCS
#
# Copyright 2004-2014 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

import univention.connector.ad
import univention.connector.ad.mapping
import univention.connector.ad.password

global_ignore_subtree=['cn=univention,@%@ldap/base@%@','cn=policies,@%@ldap/base@%@',
			'cn=shares,@%@ldap/base@%@','cn=printers,@%@ldap/base@%@',
			'cn=networks,@%@ldap/base@%@', 'cn=kerberos,@%@ldap/base@%@',
			'cn=dhcp,@%@ldap/base@%@', 'cn=dns,@%@ldap/base@%@',
			'cn=mail,@%@ldap/base@%@',
			'cn=samba,@%@ldap/base@%@','cn=nagios,@%@ldap/base@%@',
			'cn=System,@%@connector/ad/ldap/base@%@',
			'ou=Grp Policy Users,@%@connector/ad/ldap/base@%@',
			'cn=Builtin,@%@connector/ad/ldap/base@%@',
			'cn=ForeignSecurityPrincipals,@%@connector/ad/ldap/base@%@',
			'ou=Domain Controllers,@%@connector/ad/ldap/base@%@',
			'cn=Program Data,@%@connector/ad/ldap/base@%@',
			'cn=Configuration,@%@connector/ad/ldap/base@%@',
			'cn=opsi,@%@ldap/base@%@',
			'cn=Microsoft Exchange System Objects,@%@connector/ad/ldap/base@%@']


ad_mapping = {
	'user': univention.connector.property (
			ucs_default_dn='cn=users,@%@ldap/base@%@',
			con_default_dn='cn=users,@%@connector/ad/ldap/base@%@',

			ucs_module='users/user',

			# read, write, sync, none
			sync_mode='@%@connector/ad/mapping/syncmode@%@',
			scope='sub',

			con_search_filter='(&(objectClass=user)(!objectClass=computer))',
			match_filter='(|(&(objectClass=posixAccount)(objectClass=sambaSamAccount))(objectClass=user))',
@!@
ignore_filter = '(userAccountControl=2080)'
for user in configRegistry.get('connector/ad/mapping/user/ignorelist', '').split(','):
	if user:
		ignore_filter += '(uid=%s)(CN=%s)' % (user, user)
if ignore_filter:
	print "			ignore_filter='(|%s)'," % ignore_filter
@!@

			ignore_subtree = global_ignore_subtree,
			
			con_create_objectclass=['top', 'user', 'person', 'organizationalPerson'],

			dn_mapping_function=[ univention.connector.ad.user_dn_mapping ],

			# from UCS Modul
			attributes= {
					'samAccountName': univention.connector.attribute (
							ucs_attribute='username',
							ldap_attribute='uid',
							con_attribute='sAMAccountName',
							required=1,
							compare_function=univention.connector.compare_lowercase,
						),
					'givenName' : univention.connector.attribute (
							ucs_attribute='firstname',
							ldap_attribute='givenName',
							con_attribute='givenName',
						),
					'sn': univention.connector.attribute (
							ucs_attribute='lastname',
							ldap_attribute='sn',
							con_attribute='sn',
						),
				},

			ucs_create_functions = [ univention.connector.set_ucs_passwd_user,
						 univention.connector.check_ucs_lastname_user,
						 univention.connector.set_primary_group_user
						 ],

			post_con_modify_functions=[ univention.connector.ad.set_userPrincipalName_from_ucr,
@!@
if baseConfig.is_false('connector/ad/mapping/user/password/disabled', True):
	print '						    univention.connector.ad.password.password_sync_ucs,'
@!@
						    univention.connector.ad.primary_group_sync_from_ucs,
						    univention.connector.ad.object_memberships_sync_from_ucs,
						    univention.connector.ad.disable_user_from_ucs,
						    ],

			post_ucs_modify_functions=[ @!@
if baseConfig.is_false('connector/ad/mapping/user/password/disabled', True):
	if baseConfig.is_true('connector/ad/mapping/user/password/kinit', False):
		print '						univention.connector.ad.password.password_sync_kinit,'
	else:
		print '						univention.connector.ad.password.password_sync,'
@!@
						    univention.connector.ad.set_univentionObjectFlag_to_synced,
						    univention.connector.ad.primary_group_sync_to_ucs,
						    univention.connector.ad.object_memberships_sync_to_ucs,
						    univention.connector.ad.disable_user_to_ucs,
						    ],

			post_attributes={
					'organisation': univention.connector.attribute (
							ucs_attribute='organisation',
							ldap_attribute='o',
							@!@
print 'con_attribute=\'%s\',' % (baseConfig.get('connector/ad/mapping/organisation', 'company'))
							@!@
						),
						@!@
if baseConfig.has_key('connector/ad/mapping/user/exchange') and baseConfig['connector/ad/mapping/user/exchange'] in ['yes','true']:
	print """
					'Exchange-Homeserver': univention.connector.attribute (
							ucs_attribute='Exchange-Homeserver',
							ldap_attribute='univentionADmsExchHomeServerName',
							con_attribute='msExchHomeServerName',
					),
					'Exchange-homeMDB': univention.connector.attribute (
							ucs_attribute='Exchange-homeMDB',
							ldap_attribute='univentionADhomeMDB',
							con_attribute='homeMDB',
					),
					'Exchange-Nickname': univention.connector.attribute (
							ucs_attribute='Exchange-Nickname',
							ldap_attribute='univentionADmailNickname',
							con_attribute='mailNickname',
					),
					"""
if baseConfig.has_key('connector/ad/mapping/user/primarymail') and baseConfig['connector/ad/mapping/user/primarymail'] in ['yes','true']:
	print """
					'mailPrimaryAddress': univention.connector.attribute (
						ucs_attribute='mailPrimaryAddress',
						ldap_attribute='mailPrimaryAddress',
						con_attribute='mail',
						reverse_attribute_check = True,
					),
					"""
@!@
					'description': univention.connector.attribute (
						ucs_attribute='description',
						ldap_attribute='description',
						con_attribute='description',
					),
					'street': univention.connector.attribute (
							ucs_attribute='street',
							ldap_attribute='street',
							con_attribute='streetAddress',
						),
					'city': univention.connector.attribute (
							ucs_attribute='city',
							ldap_attribute='l',
							con_attribute='l',
						),
					'postcode': univention.connector.attribute (
							ucs_attribute='postcode',
							ldap_attribute='postalCode',
							con_attribute='postalCode',
						),
					'sambaWorkstations': univention.connector.attribute (
							ucs_attribute='sambaUserWorkstations',
							ldap_attribute='sambaUserWorkstations',
							con_attribute='userWorkstations',
						),
					#'sambaLogonHours': univention.connector.attribute (
					#		ucs_attribute='sambaLogonHours',
					#		ldap_attribute='sambaLogonHours',
					#		con_attribute='logonHours',
					#	),
					'profilepath': univention.connector.attribute (
							ucs_attribute='profilepath',
							ldap_attribute='sambaProfilePath',
							con_attribute='profilePath',
						),
					'scriptpath': univention.connector.attribute (
							ucs_attribute='scriptpath',
							ldap_attribute='sambaLogonScript',
							con_attribute='scriptPath',
						),
					'telephoneNumber': univention.connector.attribute (
							ucs_attribute='phone',
							ldap_attribute='telephoneNumber',
							con_attribute='telephoneNumber',
							con_other_attribute='otherTelephone',
						),
					'homePhone': univention.connector.attribute (
							ucs_attribute='homeTelephoneNumber',
							ldap_attribute='homePhone',
							con_attribute='homePhone',
							con_other_attribute='otherHomePhone',
						),
					'mobilePhone': univention.connector.attribute (
							ucs_attribute='mobileTelephoneNumber',
							ldap_attribute='mobile',
							con_attribute='mobile',
							con_other_attribute='otherMobile',
						),
					'pager': univention.connector.attribute (
							ucs_attribute='pagerTelephoneNumber',
							ldap_attribute='pager',
							con_attribute='pager',
							con_other_attribute='otherPager',
						),
					'displayName': univention.connector.attribute (
							ucs_attribute='displayName',
							ldap_attribute='displayName',
							con_attribute='displayName',
						),
			},

		),

	'group': univention.connector.property (
			ucs_default_dn='cn=groups,@%@ldap/base@%@',
			con_default_dn='cn=Users,@%@connector/ad/ldap/base@%@',

			ucs_module='groups/group',

			sync_mode='@%@connector/ad/mapping/syncmode@%@',
			scope='sub',

@!@
ignore_filter = ''
ignore_filter += '(groupType=-2147483643)(groupType=4)(univentionGroupType=-2147483643)(univentionGroupType=4)'
if configRegistry.is_false('connector/ad/mapping/group/grouptype', False):
	ignore_filter += '(sambaGroupType=5)(groupType=5)'
for group in configRegistry.get('connector/ad/mapping/group/ignorelist', '').split(','):
	if group:
		ignore_filter += '(cn=%s)' % (group)
print "			ignore_filter='(|%s)'," % ignore_filter
@!@

			ignore_subtree = global_ignore_subtree,
			
			con_search_filter='objectClass=group',

			con_create_objectclass=['top', 'group'],

			post_con_modify_functions=[ univention.connector.ad.group_members_sync_from_ucs, univention.connector.ad.object_memberships_sync_from_ucs ],

			post_ucs_modify_functions=[ 
						    univention.connector.ad.set_univentionObjectFlag_to_synced,
							univention.connector.ad.group_members_sync_to_ucs,
							univention.connector.ad.object_memberships_sync_to_ucs
						],

			dn_mapping_function=[ univention.connector.ad.group_dn_mapping ],

			attributes= {
					'cn': univention.connector.attribute (
							ucs_attribute='name',
							ldap_attribute='cn',
							con_attribute='sAMAccountName',
							required=1,
							compare_function=univention.connector.compare_lowercase,
						),
@!@
if configRegistry.is_true('connector/ad/mapping/group/grouptype', True):
	print "					'groupType': univention.connector.attribute ("
	print "							ucs_attribute='adGroupType',"
	print "							ldap_attribute='univentionGroupType',"
	print "							con_attribute='groupType',"
	print "					),"
@!@
					'description': univention.connector.attribute (
							ucs_attribute='description',
							ldap_attribute='description',
							con_attribute='description',
						),
						@!@
if baseConfig.has_key('connector/ad/mapping/group/primarymail') and baseConfig['connector/ad/mapping/group/primarymail'] in ['yes','true']:
	print """
					'mailAddress': univention.connector.attribute (
						ucs_attribute='mailAddress',
						ldap_attribute='mailPrimaryAddress',
						con_attribute='mail',
						reverse_attribute_check = True,
					),
					"""
if baseConfig.has_key('connector/ad/mapping/group/exchange') and baseConfig['connector/ad/mapping/group/exchange'] in ['yes','true']:
	print """
					'Exchange-Nickname': univention.connector.attribute (
						ucs_attribute='Exchange-Nickname',
						ldap_attribute='univentionADmailNickname',
						con_attribute='mailNickname',
					),
					"""
					@!@
				},

			mapping_table = {
						@!@
if baseConfig.has_key('connector/ad/mapping/group/language') and baseConfig['connector/ad/mapping/group/language'] in ['de','DE']:
	print """
				'cn': [( u'Domain Users' , u'Domänen-Benutzer'), ( u'Domain Users' , u'Domain Users'),
						(u'Domain Admins', u'Domänen-Admins'), (u'Domain Admins', u'Domain Admins'),
						(u'Windows Hosts', u'Domänencomputer'), (u'Windows Hosts', u'Windows Hosts'),
						(u'Domain Guests', u'Domänen-Gäste'), (u'Domain Guests', u'Domain Guests')]
					"""
					@!@
			},

		),

	'windowscomputer': univention.connector.property (
			ucs_default_dn='cn=computers,@%@ldap/base@%@',
			con_default_dn='cn=computers,@%@connector/ad/ldap/base@%@',
			ucs_module='computers/windows',
			ucs_module_others=['computers/memberserver', 'computers/ucc', 'computers/linux', 'computers/ubuntu', 'computers/macos' ],

			@!@
if configRegistry.get('connector/ad/mapping/computer/syncmode'):
	print "sync_mode='%s'," % configRegistry.get('connector/ad/mapping/computer/syncmode')
else:
	print "sync_mode='%s'," % configRegistry.get('connector/ad/mapping/syncmode')
@!@

			post_ucs_modify_functions=[ 
						    univention.connector.ad.set_univentionObjectFlag_to_synced,
						],

			scope='sub',

			dn_mapping_function=[ univention.connector.ad.windowscomputer_dn_mapping ],

			con_search_filter='(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=4096))',

			# ignore_filter='userAccountControl=4096',
			match_filter='(|(&(objectClass=univentionWindows)(!(univentionServerRole=windows_domaincontroller)))(objectClass=computer)(objectClass=univentionMemberServer)(objectClass=univentionUbuntuClient)(objectClass=univentionLinuxClient)(objectClass=univentionMacOSClient)(objectClass=univentionCorporateClient))',

			ignore_subtree = global_ignore_subtree,
@!@
ignore_filter = ''
for computer in configRegistry.get('connector/ad/mapping/windowscomputer/ignorelist', '').split(','):
	if computer:
		ignore_filter += '(cn=%s)' % (computer)
if ignore_filter:
	print "			ignore_filter='(|%s)'," % ignore_filter
@!@

			con_create_objectclass=['top', 'computer' ],

			con_create_attributes=[('userAccountControl', ['4096'])],

			attributes= {
					'cn': univention.connector.attribute (
							ucs_attribute='name',
							ldap_attribute='cn',
							con_attribute='cn',
							required=1,
							compare_function=univention.connector.compare_lowercase,
						),
					'samAccountName': univention.connector.attribute (
							ldap_attribute='uid',
							con_attribute='sAMAccountName',
							compare_function=univention.connector.compare_lowercase,
						),
					'description': univention.connector.attribute (
							ucs_attribute='description',
							ldap_attribute='description',
							con_attribute='description'
						),
					'operatingSystem': univention.connector.attribute (
							ucs_attribute='operatingSystem',
							ldap_attribute='univentionOperatingSystem',
							con_attribute='operatingSystem'
						),
					'operatingSystemVersion': univention.connector.attribute (
							ucs_attribute='operatingSystemVersion',
							ldap_attribute='univentionOperatingSystemVersion',
							con_attribute='operatingSystemVersion'
						),
				},

		),
	'container': univention.connector.property (
			ucs_module='container/cn',

			sync_mode='@%@connector/ad/mapping/syncmode@%@',

			scope='sub',

			con_search_filter='(|(objectClass=container)(objectClass=builtinDomain))', # builtinDomain is cn=builtin (with group cn=Administrators)

@!@
ignore_filter = ''
for cn in configRegistry.get('connector/ad/mapping/container/ignorelist', 'mail,kerberos').split(','):
	if cn:
		ignore_filter += '(cn=%s)' % (cn)
if ignore_filter:
	print "			ignore_filter='(|%s)'," % ignore_filter
@!@

			ignore_subtree = global_ignore_subtree,
			
			post_ucs_modify_functions=[ 
						    univention.connector.ad.set_univentionObjectFlag_to_synced,
						],

			con_create_objectclass=['top', 'container' ],

			attributes= {
					'cn': univention.connector.attribute (
							ucs_attribute='name',
							ldap_attribute='cn',
							con_attribute='cn',
							required=1,
							compare_function=univention.connector.compare_lowercase,
						),
					'description': univention.connector.attribute (
							ucs_attribute='description',
							ldap_attribute='description',
							con_attribute='description'
						),
				},

		),

	'ou': univention.connector.property (
			ucs_module='container/ou',

			sync_mode='@%@connector/ad/mapping/syncmode@%@',

			scope='sub',

			con_search_filter='objectClass=organizationalUnit',

@!@
ignore_filter = ''
for ou in configRegistry.get('connector/ad/mapping/ou/ignorelist', '').split(','):
	if ou:
		ignore_filter += '(ou=%s)' % (ou)
if ignore_filter:
	print "			ignore_filter='(|%s)'," % ignore_filter
@!@

			ignore_subtree = global_ignore_subtree,

			post_ucs_modify_functions=[ 
						    univention.connector.ad.set_univentionObjectFlag_to_synced,
						],

			con_create_objectclass=[ 'top', 'organizationalUnit' ],

			attributes= {
					'ou': univention.connector.attribute (
							ucs_attribute='name',
							ldap_attribute='ou',
							con_attribute='ou',
							required=1,
							compare_function=univention.connector.compare_lowercase,
						),
					'description': univention.connector.attribute (
							ucs_attribute='description',
							ldap_attribute='description',
							con_attribute='description'
						),
				},
		),
}



