Commit 2ef3e434 by Czémán Arnold

Add LDAP group owner import and small rework

parent 6f558426
...@@ -651,6 +651,8 @@ if get_env_variable('LDAP_AUTH', 'FALSE') == 'TRUE': ...@@ -651,6 +651,8 @@ if get_env_variable('LDAP_AUTH', 'FALSE') == 'TRUE':
) )
# org_id attribute # org_id attribute
if get_env_variable('LDAP_ORG_ID_ATTRIBUTE', False): LDAP_ORG_ID_ATTRIBUTE = (
LDAP_ORG_ID_ATTRIBUTE = get_env_variable( get_env_variable('LDAP_ORG_ID_ATTRIBUTE', "") == "TRUE")
'LDAP_ORG_ID_ATTRIBUTE')
LDAP_GROUP_OWNER_ATTRIBUTE = get_env_variable("LDAP_GROUP_OWNER_ATTRIBUTE",
"owner")
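Review bot: The `# org_id attribute` comment above the new assignment is now misleading, because LDAP_ORG_ID_ATTRIBUTE no longer names an LDAP attribute but is the boolean `get_env_variable('LDAP_ORG_ID_ATTRIBUTE', "") == "TRUE"`, and the second file stores `ldap_user.dn.upper()` as the org_id when it is set. A deployment that still sets the variable to an attribute name silently gets the feature turned off rather than an error, so the comment should spell out the new contract, e.g. `# LDAP_ORG_ID_ATTRIBUTE: "TRUE" stores the user's LDAP DN as Profile.org_id (was an attribute name before this change)`. LDAP_GROUP_OWNER_ATTRIBUTE deserves a similar one-liner such as `# attribute on the group entry listing owner DNs; matched case-insensitively against the user's DN`, and since `owns()` looks the name up as a plain dict key, its case presumably has to match what the server returns — worth confirming.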
...@@ -401,36 +401,48 @@ if hasattr(settings, 'SAML_ORG_ID_ATTRIBUTE'): ...@@ -401,36 +401,48 @@ if hasattr(settings, 'SAML_ORG_ID_ATTRIBUTE'):
pre_user_save.connect(saml_save_org_id) pre_user_save.connect(saml_save_org_id)
if hasattr(settings, 'LDAP_ORG_ID_ATTRIBUTE'): if (hasattr(settings, 'LDAP_ORG_ID_ATTRIBUTE') and
settings.LDAP_ORG_ID_ATTRIBUTE):
logger.debug("Register ldap_save_org_id to django-ldap-auth populate user") logger.debug("Register ldap_save_org_id to django-ldap-auth populate user")
from django_auth_ldap.backend import populate_user from django_auth_ldap.backend import populate_user, LDAPSettings
import ldap
def ldap_connect(ldap_settings):
conn = ldap.initialize(ldap_settings.SERVER_URI)
for opt, value in ldap_settings.CONNECTION_OPTIONS.items():
conn.set_option(opt, value)
conn.simple_bind_s(ldap_settings.BIND_DN, ldap_settings.BIND_PASSWORD)
return conn
def owns(conn, ldap_settings, ownerattr, user_dn, group_name):
group = ldap_settings.GROUP_SEARCH.search_with_additional_term_string(
"(cn=%s)" % group_name).execute(conn)
if len(group) == 0:
return False
group = group[0]
owners = group[1].get(ownerattr, [])
return user_dn in map(unicode.upper, owners)
def ldap_save_org_id(sender, user, ldap_user, **kwargs): def ldap_save_org_id(sender, user, ldap_user, **kwargs):
logger.debug("ldap_save_org_id called by %s", user.username) logger.debug("ldap_save_org_id called by %s", user.username)
attributes = ldap_user.attrs user_dn = ldap_user.dn.upper()
attr = settings.LDAP_ORG_ID_ATTRIBUTE
try:
value = attributes[attr][0].upper()
except Exception as e:
value = None
logger.info("ldap_save_org_id couldn't find attribute. %s",
unicode(e))
if user.pk is None: if user.pk is None:
user.save() user.save()
logger.debug("ldap_save_org_id saved user %s", unicode(user)) logger.debug("ldap_save_org_id saved user %s", unicode(user))
profile, created = Profile.objects.get_or_create(user=user) profile, created = Profile.objects.get_or_create(user=user)
if created or profile.org_id != value: if created or profile.org_id != user_dn:
logger.info("org_id of %s added to user %s's profile", logger.info("org_id of %s added to user %s's profile",
value, user.username) user_dn, user.username)
profile.org_id = value profile.org_id = user_dn
profile.save() profile.save()
else: else:
logger.debug("org_id of %s already added to user %s's profile", logger.debug("org_id of %s already added to user %s's profile",
value, user.username) user_dn, user.username)
logger.error(ldap_user.group_dns)
for group in ldap_user.group_names: group_dns = map(unicode.upper, ldap_user.group_dns)
for group in group_dns:
try: try:
g = GroupProfile.search(group) g = GroupProfile.search(group)
except Group.DoesNotExist: except Group.DoesNotExist:
...@@ -440,10 +452,28 @@ if hasattr(settings, 'LDAP_ORG_ID_ATTRIBUTE'): ...@@ -440,10 +452,28 @@ if hasattr(settings, 'LDAP_ORG_ID_ATTRIBUTE'):
group, unicode(g)) group, unicode(g))
g.user_set.add(user) g.user_set.add(user)
for i in FutureMember.objects.filter(org_id__iexact=value): for i in FutureMember.objects.filter(org_id__iexact=user_dn):
i.group.user_set.add(user) i.group.user_set.add(user)
i.delete() i.delete()
ownerattr = settings.LDAP_GROUP_OWNER_ATTRIBUTE
ldap_settings = LDAPSettings()
# connection will close, when object destroys
# https://www.python-ldap.org/doc/html/ldap.html#ldap-objects
conn = ldap_connect(ldap_settings)
for group in zip(group_dns, ldap_user.group_names):
try:
g = GroupProfile.search(group[0])
except Group.DoesNotExist:
logger.debug('cant find ownergroup %s', group[0])
else:
if owns(conn, ldap_settings, ownerattr, user_dn, group[1]):
logger.debug('could find ownergroup %s (%s)',
group[0], unicode(g))
g.profile.set_level(user, 'owner')
else:
logger.debug('cant find ownergroup %s', group[0])
return False # User did not change return False # User did not change
populate_user.connect(ldap_save_org_id) populate_user.connect(ldap_save_org_id)
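Review bot: In `owns()` (first hunk) `group_name` is interpolated straight into the LDAP filter `"(cn=%s)" % group_name`; even though the value comes back from the directory, a cn containing `(`, `)` or `*` yields an invalid or broader filter, so it should be `"(cn=%s)" % ldap.filter.escape_filter_chars(group_name)`. The owner loop in the second hunk only ever calls `g.profile.set_level(user, 'owner')` and never lowers the level once the user is no longer listed in the owner attribute, so ownership granted on one login persists on later ones; if revocation is intended the `else` branch is the place for it, and its message `'cant find ownergroup %s'` is currently indistinguishable from the `Group.DoesNotExist` case and should say the group exists but the user is not an owner. The bound connection from `ldap_connect()` is left to garbage collection per the comment; wrapping the loop in `try: ... finally: conn.unbind_s()` releases the bind deterministically. `logger.error(ldap_user.group_dns)` in the first hunk looks like a leftover debug statement emitted at error level on every populate. `ldap_save_org_id` spans both hunks, and the enclosing `if hasattr(settings, 'LDAP_ORG_ID_ATTRIBUTE')` block starts in the first hunk.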