#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
#
# Univention Directory Manager Modules
#  sync posix flags to kerberos flags
#
# Copyright 2004-2014 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.


# set activation state of kerberos account to same state as posix account
# set password and account exiration date to the same value as shadowExpiry and shadowLastChange

import ldap, re, time

import univention.baseconfig

baseConfig=univention.baseconfig.baseConfig()
baseConfig.load()

baseDN=baseConfig['ldap/base']

print "using baseDN",baseDN

lo=ldap.open('localhost', 7389)
bindpw=open('/etc/ldap.secret').read()
if bindpw[-1] == '\n':
	bindpw=bindpw[0:-1]
lo.simple_bind_s("cn=admin,"+baseDN, bindpw)

count_changes = 0
warning = 0

# passwords will only be found in posixAccount
res_pA=lo.search_s(baseDN, ldap.SCOPE_SUBTREE, 'objectClass=posixAccount')

for i in range(0,len(res_pA)):
	dn_pA=res_pA[i][0]
	print dn_pA

	if res_pA[i][1].has_key('objectClass'):
		if 'krb5KDCEntry' in res_pA[i][1]['objectClass']:
			if res_pA[i][1].has_key('userPassword'):
				_re = re.compile('^\{crypt\}!.*$')
				disabled = _re.match(res_pA[i][1]['userPassword'][0])
				if res_pA[i][1].has_key('krb5KDCFlags'):
					if disabled and  not res_pA[i][1]['krb5KDCFlags'][0] == '254':
						modlist = [(ldap.MOD_REPLACE,'krb5KDCFlags','254')]
						lo.modify_s(dn_pA,modlist)
						print " - kerberos disabled"
					elif not disabled and not res_pA[i][1]['krb5KDCFlags'][0] == '126':
						modlist = [(ldap.MOD_REPLACE,'krb5KDCFlags','126')]
						lo.modify_s(dn_pA,modlist)
						print " - kerberos enabled"
					else:
						print " - enable/disable OK"
				else:
					if disabled:
						modlist = [(ldap.MOD_ADD,'krb5KDCFlags','254')]
						lo.modify_s(dn_pA,modlist)
						print " - kerberos initial disabled"
					else:
						modlist = [(ldap.MOD_ADD,'krb5KDCFlags','126')]
						lo.modify_s(dn_pA,modlist)
						print " - kerberos initial enabled"
			else:
				print " - user password not set"

			if res_pA[i][1].has_key('shadowExpire') and res_pA[i][1]['shadowExpire'][0]:
				userexpiry=time.strftime("%d.%m.%y",time.gmtime((long(res_pA[i][1]['shadowExpire'][0]))*3600*24))
				krb5ValidEnd="%s" % "20"+userexpiry[6:8]+userexpiry[3:5]+userexpiry[0:2]+"000000Z"
				if not res_pA[i][1].has_key('krb5ValidEnd'):
					modlist = [(ldap.MOD_ADD,'krb5ValidEnd',krb5ValidEnd)]
					lo.modify_s(dn_pA,modlist)
					print " - kerberos expiry initial set"
				elif not res_pA[i][1]['krb5ValidEnd'][0] == krb5ValidEnd:
					modlist = [(ldap.MOD_REPLACE,'krb5ValidEnd',krb5ValidEnd)]
					lo.modify_s(dn_pA,modlist)
					print " - kerberos expiry set"
				else:
					print " - kerberos expiry OK"
			else:
				print " - account expire not set"

			if res_pA[i][1].has_key('shadowLastChange') and res_pA[i][1].has_key('shadowMax'):
				passwordexpiry=time.strftime("%d.%m.%y",time.gmtime((long(res_pA[i][1]['shadowLastChange'][0])+long(res_pA[i][1]['shadowMax'][0]))*3600*24))
				krb5PasswordEnd="%s" % "20"+passwordexpiry[6:8]+passwordexpiry[3:5]+passwordexpiry[0:2]+"000000Z"
				if not res_pA[i][1].has_key('krb5PasswordEnd'):
					modlist = [(ldap.MOD_ADD,'krb5PasswordEnd',krb5PasswordEnd)]
					lo.modify_s(dn_pA,modlist)
					print "kerberos password end initial set"
				elif not res_pA[i][1]['krb5PasswordEnd'][0] == krb5PasswordEnd:
					modlist = [(ldap.MOD_REPLACE,'krb5PasswordEnd',krb5PasswordEnd)]
					lo.modify_s(dn_pA,modlist)
					print " - kerberos password end set"
				else:
					print " - kerberos password end OK"
			else:
				print " - Password expire not set"

		else:
			print " - no kerberos account"
	else:
		print " - WARNING: no key objectClass found !"
	


