Module: check_mk
Branch: master
Commit: c6047bf7c46fff8571eee4c31e34c0a47c487863
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=c6047bf7c46fff…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Aug 1 13:14:25 2013 +0200
ldap: Added filter group option
---
ChangeLog | 5 +++-
web/plugins/userdb/ldap.py | 35 +++++++++++++++++++++++++++-
web/plugins/wato/check_mk_configuration.py | 15 +++++++++++-
3 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 32fd745..a179514 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -86,13 +86,16 @@
searches (Can be enabled in connection settings)
* LDAP: It is now possible to provide multiple failover servers, which are
tried when the primary ldap server fails
+ * LDAP: Supporting posixGroup with memberUid as member attribute
+ * LDAP: Added filter_group option to user configuration to make the
+ synchonized users filterable by group memberships in directories without
+ memberof attributes
* Added option to enable browser scrollbar to the multisite sidebar (only
via "sidebar_show_scrollbar = True" in multisite.mk
* Added option to disable automatic userdb synchronizations in multisite
* Implemented search forms for most data tables
* New icons in view footers: export as CSV, export as JSON
* Availability: new columns for shortest, longest, average and count
- * LDAP: Supporting posixGroup with memberUid as member attribute
* Editing localized strings (like the title) is now optional when cloning
views or editing cloned views. If not edited, the views inherit the
localized strings from their ancestors
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 37b707a..500ef2b 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -365,15 +365,48 @@ def ldap_get_user(username, no_escape = False):
else:
return (dn.replace('\\', '\\\\'), user_id)
-def ldap_get_users(add_filter = None):
+def ldap_get_users(add_filter = ''):
columns = [
ldap_user_id_attr(), # needed in all cases as uniq id
] + ldap_needed_attributes()
filt = ldap_filter('users')
+
+ # Create filter by the optional filter_group
+ filter_group_dn = config.ldap_userspec.get('filter_group', None)
+ member_filter = ''
+ if filter_group_dn:
+ member_attr = ldap_member_attr().lower()
+ # posixGroup objects use the memberUid attribute to specify the group memberships.
+ # This is the username instead of the users DN. So the username needs to be used
+ # for filtering here.
+ user_cmp_attr = member_attr == 'memberuid' and ldap_user_id_attr() or 'distinguishedname'
+
+ # Apply configured group ldap filter
+ try:
+ group = ldap_search(ldap_replace_macros(filter_group_dn),
+ columns = [member_attr],
+ scope = 'base')
+ except MKLDAPException:
+ group = None
+
+ if not group:
+ raise MKLDAPException(_('The configured ldap user filter group could not be found. '
+ 'Please check <a href="%s">your configuration</a>.') %
+ 'wato.py?mode=edit_configvar&varname=ldap_userspec')
+
+ members = group[0][1].values()[0]
+
+ member_filter_items = []
+ for member in members:
+ member_filter_items.append('(%s=%s)' % (user_cmp_attr, member))
+ add_filter += '(|%s)' % ''.join(member_filter_items)
+
if add_filter:
filt = '(&%s%s)' % (filt, add_filter)
+ html.write(repr(filt))
+
result = {}
for dn, ldap_user in ldap_search(ldap_replace_macros(config.ldap_userspec['dn']),
filt, columns = columns):
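Review bot: The `html.write(repr(filt))` added after the `if add_filter:` block looks like leftover debugging output; it writes the complete LDAP search filter — including every member DN or user id read from the filter group — into the HTTP response of whatever page triggers the sync, so that line should be dropped. The member values on the line building `member_filter_items` are also interpolated into the filter verbatim; a member DN or memberUid containing `(`, `)`, `*` or `\` would break the filter or change its meaning, so each value should pass through an LDAP filter escape (python-ldap's `ldap.filter.escape_filter_chars`, if that module is imported in this file) before interpolation. Further, `group[0][1].values()[0]` raises IndexError when the group exists but has no members, because a server omits an attribute that has no values; reading `group[0][1].get(member_attr, [])` and returning `{}` for an empty group avoids that and also avoids the otherwise invalid `(|)` sub-filter. Changing the default from `None` to `''` means a caller that explicitly passes `add_filter=None` now fails with a TypeError at the `+=`; whether such callers exist cannot be seen from this hunk. The body of ldap_get_users continues past the end of the hunk.
```python
def ldap_get_users(add_filter = ''):
    # … unchanged: columns, base filter, filter_group lookup and the group search …

        # An attribute without values is not returned by the server, so a group
        # without members yields no member_attr key at all.
        members = group[0][1].get(member_attr, [])
        if not members:
            return {}  # an empty filter group matches nobody; '(|)' would be an invalid filter

        member_filter_items = []
        for member in members:
            # Escape directory-supplied values so they cannot alter the filter structure
            # (needs python-ldap's ldap.filter to be imported in this module).
            member_filter_items.append('(%s=%s)' % (user_cmp_attr,
                                                    ldap.filter.escape_filter_chars(member)))
        add_filter += '(|%s)' % ''.join(member_filter_items)

    if add_filter:
        filt = '(&%s%s)' % (filt, add_filter)
    # debug output html.write(repr(filt)) removed

    # … unchanged: result loop over ldap_search(...) …
```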
diff --git a/web/plugins/wato/check_mk_configuration.py b/web/plugins/wato/check_mk_configuration.py
index af3232b..2f76529 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -596,6 +596,19 @@ register_configvar(group,
size = 80,
default_value = lambda: userdb.ldap_filter('users', False),
)),
+ ("filter_group", LDAPDistinguishedName(
+ title = _("Filter Group"),
+ help = _("Using this option you can define the DN of a group object which is used to filter the users. "
+ "Only members of this group will then be synchronized. This is a filter which can be "
+ "used to extend capabilities of the regular \"Search Filter\". Using the search filter "
+ "you can only define filters which directly apply to the user objects. To filter by "
+ "group memberships, you can use the \"memberOf\" attribute of the user objects in some "
+ "directories. But some directories do not have such attributes because the memberships "
+ "are stored in the group objects as e.g. \"member\" attributes. You should use the "
+ "regular search filter whenever possible and only use this filter when it is really "
+ "neccessary."),
+ size = 80,
+ )),
("user_id", TextAscii(
title = _("User-ID Attribute"),
help = _("The attribute used to identify the individual users. It must have "
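Review bot: The help text of the new `filter_group` option does not say which attribute of the group object is read or how its values are matched, although the ldap.py change in this same commit reads the configured member attribute and, for `memberUid`, compares the values against the User-ID attribute instead of the user DN; a sentence such as `The configured member attribute of the group is read; for posixGroup (memberUid) its values are matched against the User-ID attribute, otherwise against the user DN.` would tell an administrator what to configure. The text should also state that a group DN that cannot be found aborts the user synchronization with an error, since that is what the new code does. Also, `neccessary` in the last line of the help string should read `necessary`. The `register_configvar(group, ...)` call this dictionary belongs to starts before the hunk.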
@@ -610,7 +623,7 @@ register_configvar(group,
totext = _("Enforce lower case User-IDs."),
)),
],
- optional_keys = ['scope', 'filter', 'user_id', 'lower_user_ids'],
+ optional_keys = ['scope', 'filter', 'filter_group', 'user_id', 'lower_user_ids'],
),
domain = "multisite",
)