#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
#
# Univention Samba
#  helper script: remove samba accounts matching the given filter
#
# Copyright 2004-2014 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

import sys, string, ldap, re, codecs, os, copy

import univention.debug
univention.debug.init('/var/log/univention/pdc-takeover.log', 1, 0)

import univention.admin.uldap
import univention.config_registry

if len(sys.argv) != 2:
	print "Expect exactly one argument: LDAP-Filter matching the Objects to modify"
	sys.exit(1)

configRegistry=univention.config_registry.ConfigRegistry()
configRegistry.load()

ldap_base=configRegistry['ldap/base']

secretFile=open('/etc/ldap.secret','r')
pwdLine=secretFile.readline()
pwd=re.sub('\n','',pwdLine)

try:
	lo=univention.admin.uldap.access(host=configRegistry['ldap/master'], base=ldap_base, binddn='cn=admin,'+ldap_base, bindpw=pwd, start_tls=2)
except Exception, e:
	univention.debug.debug(univention.debug.ADMIN, univention.debug.WARN, 'authentication error: %s' % str(e))
	print 'authentication error: %s' % str(e)
	sys.exit(1)

tomod=lo.search(filter=sys.argv[1], base=ldap_base, attr=['objectClass'])

for entry in tomod:
	modlist = ''
	if 'sambaSamAccount' in entry[1]['objectClass']:
		attrs=lo.get(entry[0])
		modlist=[("objectclass","sambaSamAccount","")]

		for key in attrs.keys():
			if key[:5] == 'samba' or key == 'displayName':
				modlist.append((key,attrs[key],''))

	if 'sambaGroupMapping' in entry[1]['objectClass']:
		attrs=lo.get(entry[0])
		if not modlist:
			modlist=[("objectclass","sambaGroupMapping","")]
			for key in attrs.keys():
				if key[:5] == 'samba' or key == 'displayName':
					modlist.append((key,attrs[key],''))
		else:
			modlist.append(("objectclass","sambaGroupMapping",''))


	if modlist:
		#print modlist
		try:
			lo.modify(entry[0],modlist)
		except:
			try:
				print "failed to modify entry: %s"%entry[0]
			except:
				print "failed to modify entry"
