From abe9ac53f0d240a867d499f184866603143756cf Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 29 Nov 2010 14:10:26 +1100 Subject: s4-ldapcmp: make ldapcmp a samba-tool command The ldapcmp tool is very useful, and should be available to Samba admins, not just developers. This makes it a samba-tool command, which also gives it the nicer command line handling that samba-tool has --- source4/scripting/devel/ldapcmp | 818 ---------------------------------------- 1 file changed, 818 deletions(-) delete mode 100755 source4/scripting/devel/ldapcmp (limited to 'source4/scripting/devel') diff --git a/source4/scripting/devel/ldapcmp b/source4/scripting/devel/ldapcmp deleted file mode 100755 index 8e40877a22..0000000000 --- a/source4/scripting/devel/ldapcmp +++ /dev/null @@ -1,818 +0,0 @@ -#!/usr/bin/env python -# -# Unix SMB/CIFS implementation. -# A script to compare differences of objects and attributes between -# two LDAP servers both running at the same time. It generally compares -# one of the three pratitions DOMAIN, CONFIGURATION or SCHEMA. Users -# that have to be provided sheould be able to read objects in any of the -# above partitions. - -# Copyright (C) Zahari Zahariev 2009, 2010 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -import os -import re -import sys -from optparse import OptionParser - -sys.path.insert(0, "bin/python") - -import samba -import samba.getopt as options -from samba import Ldb -from samba.ndr import ndr_pack, ndr_unpack -from samba.dcerpc import security -from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, ERR_NO_SUCH_OBJECT, LdbError - -global summary -summary = {} - -class LDAPBase(object): - - def __init__(self, host, cmd_opts, creds, lp): - ldb_options = [] - samdb_url = host - if not "://" in host: - if os.path.isfile(host): - samdb_url = "tdb://%s" % host - else: - samdb_url = "ldap://%s:389" % host - # use 'paged_search' module when connecting remotely - if samdb_url.lower().startswith("ldap://"): - ldb_options = ["modules:paged_searches"] - self.ldb = Ldb(url=samdb_url, - credentials=creds, - lp=lp, - options=ldb_options) - self.two_domains = cmd_opts.two - self.quiet = cmd_opts.quiet - self.descriptor = cmd_opts.descriptor - self.view = cmd_opts.view - self.verbose = cmd_opts.verbose - self.host = host - self.base_dn = self.find_basedn() - self.domain_netbios = self.find_netbios() - self.server_names = self.find_servers() - self.domain_name = re.sub("[Dd][Cc]=", "", self.base_dn).replace(",", ".") - self.domain_sid = self.find_domain_sid() - self.get_guid_map() - self.get_sid_map() - # - # Log some domain controller specific place-holers that are being used - # when compare content of two DCs. Uncomment for DEBUG purposes. - if self.two_domains and not self.quiet: - print "\n* Place-holders for %s:" % self.host - print 4*" " + "${DOMAIN_DN} => %s" % self.base_dn - print 4*" " + "${DOMAIN_NETBIOS} => %s" % self.domain_netbios - print 4*" " + "${SERVER_NAME} => %s" % self.server_names - print 4*" " + "${DOMAIN_NAME} => %s" % self.domain_name - - def find_domain_sid(self): - res = self.ldb.search(base=self.base_dn, expression="(objectClass=*)", scope=SCOPE_BASE) - return ndr_unpack(security.dom_sid,res[0]["objectSid"][0]) - - def find_servers(self): - """ - """ - res = self.ldb.search(base="OU=Domain Controllers,%s" % self.base_dn, \ - scope=SCOPE_SUBTREE, expression="(objectClass=computer)", attrs=["cn"]) - assert len(res) > 0 - srv = [] - for x in res: - srv.append(x["cn"][0]) - return srv - - def find_netbios(self): - res = self.ldb.search(base="CN=Partitions,CN=Configuration,%s" % self.base_dn, \ - scope=SCOPE_SUBTREE, attrs=["nETBIOSName"]) - assert len(res) > 0 - for x in res: - if "nETBIOSName" in x.keys(): - return x["nETBIOSName"][0] - - def find_basedn(self): - res = self.ldb.search(base="", expression="(objectClass=*)", scope=SCOPE_BASE, - attrs=["defaultNamingContext"]) - assert len(res) == 1 - return res[0]["defaultNamingContext"][0] - - def object_exists(self, object_dn): - res = None - try: - res = self.ldb.search(base=object_dn, scope=SCOPE_BASE) - except LdbError, (enum, estr): - if enum == ERR_NO_SUCH_OBJECT: - return False - raise - return len(res) == 1 - - def delete_force(self, object_dn): - try: - self.ldb.delete(object_dn) - except Ldb.LdbError, e: - assert "No such object" in str(e) - - def get_attributes(self, object_dn): - """ Returns dict with all default visible attributes - """ - res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["*"]) - assert len(res) == 1 - res = dict(res[0]) - # 'Dn' element is not iterable and we have it as 'distinguishedName' - del res["dn"] - for key in res.keys(): - res[key] = list(res[key]) - return res - - def get_descriptor_sddl(self, object_dn): - res = self.ldb.search(base=object_dn, scope=SCOPE_BASE, attrs=["nTSecurityDescriptor"]) - desc = res[0]["nTSecurityDescriptor"][0] - desc = ndr_unpack(security.descriptor, desc) - return desc.as_sddl(self.domain_sid) - - def guid_as_string(self, guid_blob): - """ Translate binary representation of schemaIDGUID to standard string representation. - @gid_blob: binary schemaIDGUID - """ - blob = "%s" % guid_blob - stops = [4, 2, 2, 2, 6] - index = 0 - res = "" - x = 0 - while x < len(stops): - tmp = "" - y = 0 - while y < stops[x]: - c = hex(ord(blob[index])).replace("0x", "") - c = [None, "0" + c, c][len(c)] - if 2 * index < len(blob): - tmp = c + tmp - else: - tmp += c - index += 1 - y += 1 - res += tmp + " " - x += 1 - assert index == len(blob) - return res.strip().replace(" ", "-") - - def get_guid_map(self): - """ Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights. - """ - self.guid_map = {} - res = self.ldb.search(base="cn=schema,cn=configuration,%s" % self.base_dn, \ - expression="(schemaIdGuid=*)", scope=SCOPE_SUBTREE, attrs=["schemaIdGuid", "name"]) - for item in res: - self.guid_map[self.guid_as_string(item["schemaIdGuid"]).lower()] = item["name"][0] - # - res = self.ldb.search(base="cn=extended-rights,cn=configuration,%s" % self.base_dn, \ - expression="(rightsGuid=*)", scope=SCOPE_SUBTREE, attrs=["rightsGuid", "name"]) - for item in res: - self.guid_map[str(item["rightsGuid"]).lower()] = item["name"][0] - - def get_sid_map(self): - """ Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights. - """ - self.sid_map = {} - res = self.ldb.search(base="%s" % self.base_dn, \ - expression="(objectSid=*)", scope=SCOPE_SUBTREE, attrs=["objectSid", "sAMAccountName"]) - for item in res: - try: - self.sid_map["%s" % ndr_unpack(security.dom_sid, item["objectSid"][0])] = item["sAMAccountName"][0] - except KeyError: - pass - -class Descriptor(object): - def __init__(self, connection, dn): - self.con = connection - self.dn = dn - self.sddl = self.con.get_descriptor_sddl(self.dn) - self.dacl_list = self.extract_dacl() - - def extract_dacl(self): - """ Extracts the DACL as a list of ACE string (with the brakets). - """ - try: - res = re.search("D:(.*?)(\(.*?\))S:", self.sddl).group(2) - except AttributeError: - return [] - return re.findall("(\(.*?\))", res) - - def fix_guid(self, ace): - res = "%s" % ace - guids = re.findall("[a-z0-9]+?-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+", res) - # If there are not GUIDs to replace return the same ACE - if len(guids) == 0: - return res - for guid in guids: - try: - name = self.con.guid_map[guid.lower()] - res = res.replace(guid, name) - except KeyError: - # Do not bother if the GUID is not found in - # cn=Schema or cn=Extended-Rights - pass - return res - - def fix_sid(self, ace): - res = "%s" % ace - sids = re.findall("S-[-0-9]+", res) - # If there are not SIDs to replace return the same ACE - if len(sids) == 0: - return res - for sid in sids: - try: - name = self.con.sid_map[sid] - res = res.replace(sid, name) - except KeyError: - # Do not bother if the SID is not found in baseDN - pass - return res - - def fixit(self, ace): - """ Combine all replacement methods in one - """ - res = "%s" % ace - res = self.fix_guid(res) - res = self.fix_sid(res) - return res - - def diff_1(self, other): - res = "" - if len(self.dacl_list) != len(other.dacl_list): - res += 4*" " + "Difference in ACE count:\n" - res += 8*" " + "=> %s\n" % len(self.dacl_list) - res += 8*" " + "=> %s\n" % len(other.dacl_list) - # - i = 0 - flag = True - while True: - self_ace = None - other_ace = None - try: - self_ace = "%s" % self.dacl_list[i] - except IndexError: - self_ace = "" - # - try: - other_ace = "%s" % other.dacl_list[i] - except IndexError: - other_ace = "" - if len(self_ace) + len(other_ace) == 0: - break - self_ace_fixed = "%s" % self.fixit(self_ace) - other_ace_fixed = "%s" % other.fixit(other_ace) - if self_ace_fixed != other_ace_fixed: - res += "%60s * %s\n" % ( self_ace_fixed, other_ace_fixed ) - flag = False - else: - res += "%60s | %s\n" % ( self_ace_fixed, other_ace_fixed ) - i += 1 - return (flag, res) - - def diff_2(self, other): - res = "" - if len(self.dacl_list) != len(other.dacl_list): - res += 4*" " + "Difference in ACE count:\n" - res += 8*" " + "=> %s\n" % len(self.dacl_list) - res += 8*" " + "=> %s\n" % len(other.dacl_list) - # - common_aces = [] - self_aces = [] - other_aces = [] - self_dacl_list_fixed = [] - other_dacl_list_fixed = [] - [self_dacl_list_fixed.append( self.fixit(ace) ) for ace in self.dacl_list] - [other_dacl_list_fixed.append( other.fixit(ace) ) for ace in other.dacl_list] - for ace in self_dacl_list_fixed: - try: - other_dacl_list_fixed.index(ace) - except ValueError: - self_aces.append(ace) - else: - common_aces.append(ace) - self_aces = sorted(self_aces) - if len(self_aces) > 0: - res += 4*" " + "ACEs found only in %s:\n" % self.con.host - for ace in self_aces: - res += 8*" " + ace + "\n" - # - for ace in other_dacl_list_fixed: - try: - self_dacl_list_fixed.index(ace) - except ValueError: - other_aces.append(ace) - else: - common_aces.append(ace) - other_aces = sorted(other_aces) - if len(other_aces) > 0: - res += 4*" " + "ACEs found only in %s:\n" % other.con.host - for ace in other_aces: - res += 8*" " + ace + "\n" - # - common_aces = sorted(list(set(common_aces))) - if self.con.verbose: - res += 4*" " + "ACEs found in both:\n" - for ace in common_aces: - res += 8*" " + ace + "\n" - return (self_aces == [] and other_aces == [], res) - -class LDAPObject(object): - def __init__(self, connection, dn, summary): - self.con = connection - self.two_domains = self.con.two_domains - self.quiet = self.con.quiet - self.verbose = self.con.verbose - self.summary = summary - self.dn = dn.replace("${DOMAIN_DN}", self.con.base_dn) - self.dn = self.dn.replace("CN=${DOMAIN_NETBIOS}", "CN=%s" % self.con.domain_netbios) - for x in self.con.server_names: - self.dn = self.dn.replace("CN=${SERVER_NAME}", "CN=%s" % x) - self.attributes = self.con.get_attributes(self.dn) - # Attributes that are considered always to be different e.g based on timestamp etc. - # - # One domain - two domain controllers - self.ignore_attributes = [ - # Default Naming Context - "lastLogon", "lastLogoff", "badPwdCount", "logonCount", "badPasswordTime", "modifiedCount", - "operatingSystemVersion","oEMInformation", - # Configuration Naming Context - "repsFrom", "dSCorePropagationData", "msExchServer1HighestUSN", - "replUpToDateVector", "repsTo", "whenChanged", "uSNChanged", "uSNCreated", - # Schema Naming Context - "prefixMap",] - self.dn_attributes = [] - self.domain_attributes = [] - self.servername_attributes = [] - self.netbios_attributes = [] - self.other_attributes = [] - # Two domains - two domain controllers - - if self.two_domains: - self.ignore_attributes += [ - "objectCategory", "objectGUID", "objectSid", "whenCreated", "pwdLastSet", "uSNCreated", "creationTime", - "modifiedCount", "priorSetTime", "rIDManagerReference", "gPLink", "ipsecNFAReference", - "fRSPrimaryMember", "fSMORoleOwner", "masteredBy", "ipsecOwnersReference", "wellKnownObjects", - "badPwdCount", "ipsecISAKMPReference", "ipsecFilterReference", "msDs-masteredBy", "lastSetTime", - "ipsecNegotiationPolicyReference", "subRefs", "gPCFileSysPath", "accountExpires", "invocationId", - # After Exchange preps - "targetAddress", "msExchMailboxGuid", "siteFolderGUID"] - # - # Attributes that contain the unique DN tail part e.g. 'DC=samba,DC=org' - self.dn_attributes = [ - "distinguishedName", "defaultObjectCategory", "member", "memberOf", "siteList", "nCName", - "homeMDB", "homeMTA", "interSiteTopologyGenerator", "serverReference", - "msDS-HasInstantiatedNCs", "hasMasterNCs", "msDS-hasMasterNCs", "msDS-HasDomainNCs", "dMDLocation", - "msDS-IsDomainFor", "rIDSetReferences", "serverReferenceBL", - # After Exchange preps - "msExchHomeRoutingGroup", "msExchResponsibleMTAServer", "siteFolderServer", "msExchRoutingMasterDN", - "msExchRoutingGroupMembersBL", "homeMDBBL", "msExchHomePublicMDB", "msExchOwningServer", "templateRoots", - "addressBookRoots", "msExchPolicyRoots", "globalAddressList", "msExchOwningPFTree", - "msExchResponsibleMTAServerBL", "msExchOwningPFTreeBL",] - self.dn_attributes = [x.upper() for x in self.dn_attributes] - # - # Attributes that contain the Domain name e.g. 'samba.org' - self.domain_attributes = [ - "proxyAddresses", "mail", "userPrincipalName", "msExchSmtpFullyQualifiedDomainName", - "dnsHostName", "networkAddress", "dnsRoot", "servicePrincipalName",] - self.domain_attributes = [x.upper() for x in self.domain_attributes] - # - # May contain DOMAIN_NETBIOS and SERVER_NAME - self.servername_attributes = [ "distinguishedName", "name", "CN", "sAMAccountName", "dNSHostName", - "servicePrincipalName", "rIDSetReferences", "serverReference", "serverReferenceBL", - "msDS-IsDomainFor", "interSiteTopologyGenerator",] - self.servername_attributes = [x.upper() for x in self.servername_attributes] - # - self.netbios_attributes = [ "servicePrincipalName", "CN", "distinguishedName", "nETBIOSName", "name",] - self.netbios_attributes = [x.upper() for x in self.netbios_attributes] - # - self.other_attributes = [ "name", "DC",] - self.other_attributes = [x.upper() for x in self.other_attributes] - # - self.ignore_attributes = [x.upper() for x in self.ignore_attributes] - - def log(self, msg): - """ - Log on the screen if there is no --quiet oprion set - """ - if not self.quiet: - print msg - - def fix_dn(self, s): - res = "%s" % s - if not self.two_domains: - return res - if res.upper().endswith(self.con.base_dn.upper()): - res = res[:len(res)-len(self.con.base_dn)] + "${DOMAIN_DN}" - return res - - def fix_domain_name(self, s): - res = "%s" % s - if not self.two_domains: - return res - res = res.replace(self.con.domain_name.lower(), self.con.domain_name.upper()) - res = res.replace(self.con.domain_name.upper(), "${DOMAIN_NAME}") - return res - - def fix_domain_netbios(self, s): - res = "%s" % s - if not self.two_domains: - return res - res = res.replace(self.con.domain_netbios.lower(), self.con.domain_netbios.upper()) - res = res.replace(self.con.domain_netbios.upper(), "${DOMAIN_NETBIOS}") - return res - - def fix_server_name(self, s): - res = "%s" % s - if not self.two_domains or len(self.con.server_names) > 1: - return res - for x in self.con.server_names: - res = res.upper().replace(x, "${SERVER_NAME}") - return res - - def __eq__(self, other): - if self.con.descriptor: - return self.cmp_desc(other) - return self.cmp_attrs(other) - - def cmp_desc(self, other): - d1 = Descriptor(self.con, self.dn) - d2 = Descriptor(other.con, other.dn) - if self.con.view == "section": - res = d1.diff_2(d2) - elif self.con.view == "collision": - res = d1.diff_1(d2) - else: - raise Exception("Unknown --view option value.") - # - self.screen_output = res[1][:-1] - other.screen_output = res[1][:-1] - # - return res[0] - - def cmp_attrs(self, other): - res = "" - self.unique_attrs = [] - self.df_value_attrs = [] - other.unique_attrs = [] - if self.attributes.keys() != other.attributes.keys(): - # - title = 4*" " + "Attributes found only in %s:" % self.con.host - for x in self.attributes.keys(): - if not x in other.attributes.keys() and \ - not x.upper() in [q.upper() for q in other.ignore_attributes]: - if title: - res += title + "\n" - title = None - res += 8*" " + x + "\n" - self.unique_attrs.append(x) - # - title = 4*" " + "Attributes found only in %s:" % other.con.host - for x in other.attributes.keys(): - if not x in self.attributes.keys() and \ - not x.upper() in [q.upper() for q in self.ignore_attributes]: - if title: - res += title + "\n" - title = None - res += 8*" " + x + "\n" - other.unique_attrs.append(x) - # - missing_attrs = [x.upper() for x in self.unique_attrs] - missing_attrs += [x.upper() for x in other.unique_attrs] - title = 4*" " + "Difference in attribute values:" - for x in self.attributes.keys(): - if x.upper() in self.ignore_attributes or x.upper() in missing_attrs: - continue - if isinstance(self.attributes[x], list) and isinstance(other.attributes[x], list): - self.attributes[x] = sorted(self.attributes[x]) - other.attributes[x] = sorted(other.attributes[x]) - if self.attributes[x] != other.attributes[x]: - p = None - q = None - m = None - n = None - # First check if the difference can be fixed but shunting the first part - # of the DomainHostName e.g. 'mysamba4.test.local' => 'mysamba4' - if x.upper() in self.other_attributes: - p = [self.con.domain_name.split(".")[0] == j for j in self.attributes[x]] - q = [other.con.domain_name.split(".")[0] == j for j in other.attributes[x]] - if p == q: - continue - # Attribute values that are list that contain DN based values that may differ - elif x.upper() in self.dn_attributes: - m = p - n = q - if not p and not q: - m = self.attributes[x] - n = other.attributes[x] - p = [self.fix_dn(j) for j in m] - q = [other.fix_dn(j) for j in n] - if p == q: - continue - # Attributes that contain the Domain name in them - if x.upper() in self.domain_attributes: - m = p - n = q - if not p and not q: - m = self.attributes[x] - n = other.attributes[x] - p = [self.fix_domain_name(j) for j in m] - q = [other.fix_domain_name(j) for j in n] - if p == q: - continue - # - if x.upper() in self.servername_attributes: - # Attributes with SERVER_NAME - m = p - n = q - if not p and not q: - m = self.attributes[x] - n = other.attributes[x] - p = [self.fix_server_name(j) for j in m] - q = [other.fix_server_name(j) for j in n] - if p == q: - continue - # - if x.upper() in self.netbios_attributes: - # Attributes with NETBIOS Domain name - m = p - n = q - if not p and not q: - m = self.attributes[x] - n = other.attributes[x] - p = [self.fix_domain_netbios(j) for j in m] - q = [other.fix_domain_netbios(j) for j in n] - if p == q: - continue - # - if title: - res += title + "\n" - title = None - if p and q: - res += 8*" " + x + " => \n%s\n%s" % (p, q) + "\n" - else: - res += 8*" " + x + " => \n%s\n%s" % (self.attributes[x], other.attributes[x]) + "\n" - self.df_value_attrs.append(x) - # - if self.unique_attrs + other.unique_attrs != []: - assert self.unique_attrs != other.unique_attrs - self.summary["unique_attrs"] += self.unique_attrs - self.summary["df_value_attrs"] += self.df_value_attrs - other.summary["unique_attrs"] += other.unique_attrs - other.summary["df_value_attrs"] += self.df_value_attrs # they are the same - # - self.screen_output = res[:-1] - other.screen_output = res[:-1] - # - return res == "" - - -class LDAPBundel(object): - def __init__(self, connection, context, dn_list=None): - self.con = connection - self.two_domains = self.con.two_domains - self.quiet = self.con.quiet - self.verbose = self.con.verbose - self.summary = {} - self.summary["unique_attrs"] = [] - self.summary["df_value_attrs"] = [] - self.summary["known_ignored_dn"] = [] - self.summary["abnormal_ignored_dn"] = [] - if dn_list: - self.dn_list = dn_list - elif context.upper() in ["DOMAIN", "CONFIGURATION", "SCHEMA"]: - self.context = context.upper() - self.dn_list = self.get_dn_list(context) - else: - raise Exception("Unknown initialization data for LDAPBundel().") - counter = 0 - while counter < len(self.dn_list) and self.two_domains: - # Use alias reference - tmp = self.dn_list[counter] - tmp = tmp[:len(tmp)-len(self.con.base_dn)] + "${DOMAIN_DN}" - tmp = tmp.replace("CN=%s" % self.con.domain_netbios, "CN=${DOMAIN_NETBIOS}") - if len(self.con.server_names) == 1: - for x in self.con.server_names: - tmp = tmp.replace("CN=%s" % x, "CN=${SERVER_NAME}") - self.dn_list[counter] = tmp - counter += 1 - self.dn_list = list(set(self.dn_list)) - self.dn_list = sorted(self.dn_list) - self.size = len(self.dn_list) - - def log(self, msg): - """ - Log on the screen if there is no --quiet oprion set - """ - if not self.quiet: - print msg - - def update_size(self): - self.size = len(self.dn_list) - self.dn_list = sorted(self.dn_list) - - def __eq__(self, other): - res = True - if self.size != other.size: - self.log( "\n* DN lists have different size: %s != %s" % (self.size, other.size) ) - res = False - # - title= "\n* DNs found only in %s:" % self.con.host - for x in self.dn_list: - if not x.upper() in [q.upper() for q in other.dn_list]: - if title: - self.log( title ) - title = None - res = False - self.log( 4*" " + x ) - self.dn_list[self.dn_list.index(x)] = "" - self.dn_list = [x for x in self.dn_list if x] - # - title= "\n* DNs found only in %s:" % other.con.host - for x in other.dn_list: - if not x.upper() in [q.upper() for q in self.dn_list]: - if title: - self.log( title ) - title = None - res = False - self.log( 4*" " + x ) - other.dn_list[other.dn_list.index(x)] = "" - other.dn_list = [x for x in other.dn_list if x] - # - self.update_size() - other.update_size() - assert self.size == other.size - assert sorted([x.upper() for x in self.dn_list]) == sorted([x.upper() for x in other.dn_list]) - self.log( "\n* Objects to be compared: %s" % self.size ) - - index = 0 - while index < self.size: - skip = False - try: - object1 = LDAPObject(connection=self.con, - dn=self.dn_list[index], - summary=self.summary) - except LdbError, (enum, estr): - if enum == ERR_NO_SUCH_OBJECT: - self.log( "\n!!! Object not found: %s" % self.dn_list[index] ) - skip = True - raise - try: - object2 = LDAPObject(connection=other.con, - dn=other.dn_list[index], - summary=other.summary) - except LdbError, (enum, estr): - if enum == ERR_NO_SUCH_OBJECT: - self.log( "\n!!! Object not found: %s" % other.dn_list[index] ) - skip = True - raise - if skip: - index += 1 - continue - if object1 == object2: - if self.con.verbose: - self.log( "\nComparing:" ) - self.log( "'%s' [%s]" % (object1.dn, object1.con.host) ) - self.log( "'%s' [%s]" % (object2.dn, object2.con.host) ) - self.log( 4*" " + "OK" ) - else: - self.log( "\nComparing:" ) - self.log( "'%s' [%s]" % (object1.dn, object1.con.host) ) - self.log( "'%s' [%s]" % (object2.dn, object2.con.host) ) - self.log( object1.screen_output ) - self.log( 4*" " + "FAILED" ) - res = False - self.summary = object1.summary - other.summary = object2.summary - index += 1 - # - return res - - def get_dn_list(self, context): - """ Query LDAP server about the DNs of certain naming self.con.ext Domain (or Default), Configuration, Schema. - Parse all DNs and filter those that are 'strange' or abnormal. - """ - if context.upper() == "DOMAIN": - search_base = "%s" % self.con.base_dn - elif context.upper() == "CONFIGURATION": - search_base = "CN=Configuration,%s" % self.con.base_dn - elif context.upper() == "SCHEMA": - search_base = "CN=Schema,CN=Configuration,%s" % self.con.base_dn - - dn_list = [] - res = self.con.ldb.search(base=search_base, scope=SCOPE_SUBTREE, attrs=["dn"]) - for x in res: - dn_list.append(x["dn"].get_linearized()) - - # - global summary - # - return dn_list - - def print_summary(self): - self.summary["unique_attrs"] = list(set(self.summary["unique_attrs"])) - self.summary["df_value_attrs"] = list(set(self.summary["df_value_attrs"])) - # - if self.summary["unique_attrs"]: - self.log( "\nAttributes found only in %s:" % self.con.host ) - self.log( "".join([str("\n" + 4*" " + x) for x in self.summary["unique_attrs"]]) ) - # - if self.summary["df_value_attrs"]: - self.log( "\nAttributes with different values:" ) - self.log( "".join([str("\n" + 4*" " + x) for x in self.summary["df_value_attrs"]]) ) - self.summary["df_value_attrs"] = [] - -### - -if __name__ == "__main__": - parser = OptionParser("ldapcmp [options] domain|configuration|schema") - sambaopts = options.SambaOptions(parser) - parser.add_option_group(sambaopts) - credopts = options.CredentialsOptionsDouble(parser) - parser.add_option_group(credopts) - - parser.add_option("", "--host", dest="host", - help="IP of the first LDAP server",) - parser.add_option("", "--host2", dest="host2", - help="IP of the second LDAP server",) - parser.add_option("-w", "--two", dest="two", action="store_true", default=False, - help="Hosts are in two different domains",) - parser.add_option("-q", "--quiet", dest="quiet", action="store_true", default=False, - help="Do not print anything but relay on just exit code",) - parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False, - help="Print all DN pairs that have been compared",) - parser.add_option("", "--sd", dest="descriptor", action="store_true", default=False, - help="Compare nTSecurityDescriptor attibutes only",) - parser.add_option("", "--view", dest="view", default="section", - help="Display mode for nTSecurityDescriptor results. Possible values: section or collision.",) - (opts, args) = parser.parse_args() - - lp = sambaopts.get_loadparm() - creds = credopts.get_credentials(lp) - creds2 = credopts.get_credentials2(lp, False) - if creds2.is_anonymous(): - creds2 = creds - - if creds.is_anonymous(): - parser.error("You must supply at least one username/password pair") - - # make a list of contexts to compare in - contexts = [] - if len(args) == 0: - # if no argument given, we compare all contexts - contexts = ["DOMAIN", "CONFIGURATION", "SCHEMA"] - else: - for context in args: - if not context.upper() in ["DOMAIN", "CONFIGURATION", "SCHEMA"]: - parser.error("Incorrect argument: %s" % context) - contexts.append(context.upper()) - - if opts.verbose and opts.quiet: - parser.error("You cannot set --verbose and --quiet together") - if opts.descriptor and opts.view.upper() not in ["SECTION", "COLLISION"]: - parser.error("Unknown --view option value. Choose from: section or collision.") - - con1 = LDAPBase(opts.host, opts, creds, lp) - assert len(con1.base_dn) > 0 - - con2 = LDAPBase(opts.host2, opts, creds2, lp) - assert len(con2.base_dn) > 0 - - status = 0 - for context in contexts: - if not opts.quiet: - print "\n* Comparing [%s] context..." % context - - b1 = LDAPBundel(con1, context=context) - b2 = LDAPBundel(con2, context=context) - - if b1 == b2: - if not opts.quiet: - print "\n* Result for [%s]: SUCCESS" % context - else: - if not opts.quiet: - print "\n* Result for [%s]: FAILURE" % context - if not opts.descriptor: - assert len(b1.summary["df_value_attrs"]) == len(b2.summary["df_value_attrs"]) - b2.summary["df_value_attrs"] = [] - print "\nSUMMARY" - print "---------" - b1.print_summary() - b2.print_summary() - # mark exit status as FAILURE if a least one comparison failed - status = -1 - - sys.exit(status) -- cgit