Module: check_mk
Branch: master
Commit: a7f24c230f67220e9ba7c3eb01f85e750d142027
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a7f24c230f6722…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Oct 17 16:17:24 2018 +0200
5957 FIX LDAP: Locking of users using "Authentication Expiration" plugin was not unlocking users
The LDAP sync can lock users in Check_MK based on their locking property in the Active Directory.
When a user was locked in AD and Check_MK performed the next sync, the user login was disabled.
The inverse operation was not working.
Unlocking previously locked users has now been implemented correctly. Another change is, that
the locking property in Check_MK is now read-only for LDAP users.
Change-Id: I124a45ffde266358b80b55e1414ee0b8c84813f9
---
.werks/5957 | 16 ++++++++++++++++
cmk/gui/plugins/userdb/ldap_connector.py | 10 +++++++++-
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/.werks/5957 b/.werks/5957
new file mode 100644
index 0000000..15a69cb
--- /dev/null
+++ b/.werks/5957
@@ -0,0 +1,16 @@
+Title: LDAP: Locking of users using "Authentication Expiration" plugin was not unlocking users
+Level: 1
+Component: multisite
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.6.0i1
+Date: 1523264693
+
+The LDAP sync can lock users in Check_MK based on their locking property in the Active Directory.
+When a user was locked in AD and Check_MK performed the next sync, the user login was disabled.
+The inverse operation was not working.
+
+Unlocking previously locked users has now been implemented correctly. Another change is, that
+the locking property in Check_MK is now read-only for LDAP users.
diff --git a/cmk/gui/plugins/userdb/ldap_connector.py b/cmk/gui/plugins/userdb/ldap_connector.py
index 44fe9e8..0b8e3cd 100644
--- a/cmk/gui/plugins/userdb/ldap_connector.py
+++ b/cmk/gui/plugins/userdb/ldap_connector.py
@@ -1925,11 +1925,18 @@ def ldap_sync_auth_expire(connection, plugin, params, user_id, ldap_user, user):
# Special handling for active directory: Is the user enabled / disabled?
if connection.is_active_directory() and ldap_user.get('useraccountcontrol'):
# see http://www.selfadsi.de/ads-attributes/user-userAccountControl.htm for details
- if int(ldap_user['useraccountcontrol'][0]) & 2 and not user.get("locked", False):
+ locked_in_ad = saveint(ldap_user['useraccountcontrol'][0]) & 2
+ locked_in_cmk = user.get("locked", False)
+
+ if locked_in_ad and not locked_in_cmk:
return {
'locked': True,
'serial': user.get('serial', 0) + 1,
}
+ elif not locked_in_ad and locked_in_cmk:
+ return {
+ 'locked': False,
+ }
changed_attr = params.get('attr', connection.ldap_attr('pw_changed')).lower()
if not changed_attr in ldap_user:
@@ -1969,6 +1976,7 @@ ldap_attribute_plugins['auth_expire'] = {
'the password has changed in LDAP or the account has been locked.'),
'needed_attributes' : ldap_needed_attributes_auth_expire,
'sync_func' : ldap_sync_auth_expire,
+ 'lock_attributes' : ['locked'],
# When a plugin introduces new user attributes, it should declare the output target for
# this attribute. It can either be written to the multisites users.mk or the check_mk
# contacts.mk to be forwarded to nagios. Undeclared attributes are stored in the check_mk
Module: check_mk
Branch: master
Commit: cc8e04f404a8178168f5e26992b088a6ac33fe3f
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=cc8e04f404a817…
Author: Sven Panne <sp(a)mathias-kettner.de>
Date: Wed Oct 17 15:04:00 2018 +0200
Updated Boost to 1.68.0.
Compared to our previous 1.66.0, we get a new ASIO library among other things.
Change-Id: I58a84d63da5febb7d0a105acbb8fa37b9837d8aa
---
omd/packages/boost/Makefile | 4 ++--
.../{boost_1_66_0.tar.gz => boost_1_68_0.tar.bz2} | Bin 101669839 -> 92155315 bytes
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/omd/packages/boost/Makefile b/omd/packages/boost/Makefile
index 2beb316..f886a21 100644
--- a/omd/packages/boost/Makefile
+++ b/omd/packages/boost/Makefile
@@ -1,7 +1,7 @@
include ../../Makefile.omd
NAME := boost
-VERSION := 1_66_0
+VERSION := 1_68_0
DIR := $(NAME)_$(VERSION)
# For some obscure reason (GCC's dual ABI) we have to link all Boost stuff
@@ -20,7 +20,7 @@ B2_LINK_OPTION := "link=static"
.PHONY: build install skel clean
build: check-python
- tar xzf $(NAME)_$(VERSION).tar.gz
+ tar xjf $(NAME)_$(VERSION).tar.bz2
# basically what part of AC_PROC_CXX does
@CXX="" ; \
for PROG in g++-8 g++-7 clang++-6.0 clang++-5.0 g++-6 clang++-4.0 g++-5 clang++-3.9 clang++-3.8 clang++-3.7 clang++-3.6 clang++-3.5 g++-4.9 g++ clang++; do \
diff --git a/omd/packages/boost/boost_1_66_0.tar.gz b/omd/packages/boost/boost_1_68_0.tar.bz2
similarity index 80%
rename from omd/packages/boost/boost_1_66_0.tar.gz
rename to omd/packages/boost/boost_1_68_0.tar.bz2
index f0881e0..8721965 100644
Binary files a/omd/packages/boost/boost_1_66_0.tar.gz and b/omd/packages/boost/boost_1_68_0.tar.bz2 differ