#!/usr/bin/python
# -*- coding:utf-8 -*-
 
import getpass
import json

import ldap
#import ldap.sasl
from ipalib import api

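# Container under cn=accounts that holds the IPA groups referenced in the ACIs.
GROUPS_CONTAINER = 'cn=groups,cn=accounts'

# Role that every admin group is made a member of, and the privileges it bundles.
KSA_ROLE = u'KSA Administrator'
# (privilege name, permissions granted to it) in the order they are created.
KSA_PRIVILEGES = (
    (u'KSA User Administrator',
     [u'Add user to default group', u'Add Users', u'Change a user password',
      u'Manage User SSH Public Keys', u'Modify Users', u'Remove Users',
      u'Unlock user accounts']),
    (u'KSA HBAC Administrator',
     [u'Manage HBAC rule membership']),
    (u'KSA Passord Policy Administrator',
     [u'Modify Group Password Policy', u'Modify Group Password Policy costemplate']),
)


def _read_connection_settings():
    """Prompt for the IPA hostname and the Directory Manager password.

    Returns:
        (hostname, password) as entered by the operator.

    The password is read with getpass so it is not echoed to the terminal
    (the previous raw_input prompt displayed it and left it in scrollback).
    """
    hostname = raw_input("Enter hostname (ipa.example.com): ")
    password = getpass.getpass("Enter password cn=directory manager: ")
    return hostname, password


def _bind_directory_manager(hostname, password):
    """Connect to *hostname* and bind as cn=directory manager.

    Returns:
        (connection, suffix) where suffix is the server's defaultnamingcontext,
        i.e. the entry the ACIs are later written to.

    NOTE: the URL is plain ldap:// and the STARTTLS / GSSAPI alternatives are
    left commented out as in the original, so the simple bind sends the
    Directory Manager password in cleartext over the network; enable
    start_tls_s() (or use an ldaps:// URL) for any non-lab directory.
    """
    conn = ldap.initialize("ldap://" + hostname)
    #conn.set_option(ldap.OPT_X_TLS_DEMAND, True)
    #conn.start_tls_s()
    #auth = ldap.sasl.gssapi("")
    #conn.sasl_interactive_bind_s("", auth)
    conn.simple_bind_s('cn=directory manager', password)
    root_dse = conn.search_s("", ldap.SCOPE_BASE, attrlist=['defaultnamingcontext', ])[0][1]
    return conn, root_dse['defaultnamingcontext'][0]


def _create_groups():
    """Create groups g1..g3, their gNs1 sub-groups, and nest each sub-group."""
    parents = (u'g1', u'g2', u'g3')
    # Same creation order as before: all parents, then all children, then nesting.
    for name in parents:
        api.Command.group_add(name, description=name)
    for name in parents:
        child = name + u's1'
        api.Command.group_add(child, description=child)
    for name in parents:
        api.Command.group_add_member(name, all=True, group=[name + u's1'])


def _load_admins(path='admins'):
    """Load the admin definitions from the JSON file at *path*.

    Each entry is expected to carry the keys login, firstname, lastname,
    group and contur (read below; the file's schema is otherwise not checked).
    """
    with open(path, 'r') as fh:
        return json.load(fh)


def _create_admins(admins):
    """Create one IPA user per admin entry and add it to the entry's group."""
    for admin in admins:
        api.Command.user_add(admin['login'], givenname=admin['firstname'], sn=admin['lastname'])
        api.Command.group_add_member(admin['group'], user=admin['login'])


def _create_privileges_and_role():
    """Create the KSA privileges, attach their permissions, and bundle them in the KSA role."""
    for privilege, permissions in KSA_PRIVILEGES:
        api.Command.privilege_add(privilege, description=privilege)
        api.Command.privilege_add_permission(privilege, all=True, permission=permissions)
    api.Command.role_add(KSA_ROLE, description=KSA_ROLE)
    api.Command.role_add_privilege(KSA_ROLE, all=True, privilege=[u'KSA HBAC Administrator', u'KSA Passord Policy Administrator', u'KSA User Administrator'])


def _build_aci_mods(admins, ldaproot):
    """Build the MOD_ADD 'aci' tuples that hide other conturs from each admin group.

    For every admin entry two deny ACIs are generated: one that denies the
    group cn=<contur> read/search/compare on groups whose cn does not start
    with <contur>, and one that denies it the same on users who are members
    of a different contur (or of *admins / editors groups).

    Args:
        admins: entries loaded from the admins file.
        ldaproot: the directory suffix the DNs are rooted at.

    Returns:
        list of (ldap.MOD_ADD, 'aci', aci_string) tuples, user ACI before
        group ACI per admin, in admins order.

    NOTE: contur values are interpolated unescaped into ACI filters and DNs,
    so the admins file must come from a trusted source; to accept arbitrary
    values, escape them with ldap.filter.escape_filter_chars (filter
    positions) and ldap.dn.escape_dn_chars (DN positions) before formatting.
    """
    # Kept as a list (not a set) so duplicate conturs behave as before.
    conturs = [admin['contur'] for admin in admins]
    mods = []
    for admin in admins:
        contur = admin['contur']
        group_aci = '(targetfilter="(!(cn={0}*))")(target="ldap:///{1},{2}")(version 3.0;acl "permission:Read, Search, Compare only {0} groups"; deny(read, search, compare) groupdn = "ldap:///cn={0},{1},{2}";)'.format(contur, GROUPS_CONTAINER, ldaproot)
        # memberOf clauses for every other contur, appended to the user targetfilter.
        other_conturs = ''.join(
            '(memberOf=cn={0},{1},{2})'.format(other, GROUPS_CONTAINER, ldaproot)
            for other in conturs if other != contur
        )
        user_aci = '(targetfilter="(|(memberOf=cn=*admins,{0},{1})(memberOf=cn=editors,{0},{1}){3})")(target="ldap:///cn=users,cn=accounts,{1}")(version 3.0;acl "permission:Read, Search, Compare only {2} users"; deny(read, search, compare) groupdn="ldap:///cn={2},{0},{1}";)'.format(GROUPS_CONTAINER, ldaproot, contur, other_conturs)
        mods.append((ldap.MOD_ADD, 'aci', user_aci))
        mods.append((ldap.MOD_ADD, 'aci', group_aci))
    return mods


try:
    ldaphostname, password = _read_connection_settings()
    conn, ldaproot = _bind_directory_manager(ldaphostname, password)

    api.bootstrap(context=u'cli')
    api.finalize()
    api.Backend.xmlclient.connect()

    _create_groups()
    admins = _load_admins()
    _create_admins(admins)
    _create_privileges_and_role()

    # ACIs are written to the suffix first, then the admin groups get the role.
    conn.modify_s(ldaproot, _build_aci_mods(admins, ldaproot))
    group_list = [admin['group'] for admin in admins]
    api.Command.role_add_member(KSA_ROLE, all=True, group=group_list)

    conn.unbind_s()
except Exception as e:
    print(u"Error: ", e)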
