Module: check_mk
Branch: master
Commit: bd2b2cf970434a2a598705c0dc5990fe615028b2
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=bd2b2cf970434a…
Author: Bastian Kuhn <bk(a)mathias-kettner.de>
Date: Fri Dec 20 11:33:54 2013 +0100
Fixed typo
---
web/plugins/wato/check_mk_configuration.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/plugins/wato/check_mk_configuration.py b/web/plugins/wato/check_mk_configuration.py
index 3d4b34d..efb2a88 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -1865,7 +1865,7 @@ group = "monconf/" + _("Various")
register_rule(group,
"clustered_services_mapping",
TextAscii(
- title = _("Explicit mapping of Clusterd Services"),
+ title = _("Explicit mapping of Clustered Services"),
help = _( "It's possible to have overlaping nodes between multiple clusters."
"With this rule the direct mapping of services from nodes to the "
"favored Cluster can be done."),
Module: check_mk
Branch: master
Commit: 00a1654a397f1ae089792ec4fa48a878df4e094b
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=00a1654a397f1a…
Author: Bastian Kuhn <bk(a)mathias-kettner.de>
Date: Fri Dec 20 11:19:39 2013 +0100
Explicit mapping of clustered services can now be done with Wato.
---
.werks/112 | 8 ++++++++
ChangeLog | 1 +
web/plugins/wato/check_mk_configuration.py | 7 ++++++-
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.werks/112 b/.werks/112
new file mode 100644
index 0000000..31e4e7c
--- /dev/null
+++ b/.werks/112
@@ -0,0 +1,8 @@
+Title: Explicit mapping of clustered services can now be done with Wato.
+Level: 1
+Component: wato
+Version: 1.2.5i1
+Date: 1387534743
+Class: feature
+
+
diff --git a/ChangeLog b/ChangeLog
index 2f8830e..21f9ab6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -102,6 +102,7 @@
NOTE: Please refer to the migration notes!
* 0244 New features for WATO page Backup & Restore...
* 0382 Active HTTP check now supports multiline regexp matching...
+ * 0112 Explicit mapping of clustered services can now be done with Wato.
* 0057 FIX: Fix exception in WATO host editor on custom tag without topic...
* 0241 FIX: Improved sorting of WATO folders in dropdown menu...
* 0019 FIX: Fixed wording in WATO rule for MSSQL check
diff --git a/web/plugins/wato/check_mk_configuration.py b/web/plugins/wato/check_mk_configuration.py
index e7f39d0..3d4b34d 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -1864,7 +1864,12 @@ group = "monconf/" + _("Various")
register_rule(group,
"clustered_services_mapping",
- TextAscii( title = _("Clustered services of") ),
+ TextAscii(
+ title = _("Explicit mapping of Clusterd Services"),
+ help = _( "It's possible to have overlaping nodes between multiple clusters."
+ "With this rule the direct mapping of services from nodes to the "
+ "favored Cluster can be done."),
+ ),
itemtype = "service",
)
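Review bot: The two adjacent string literals in `help` are concatenated without a separator, so the rendered help text reads "clusters.With this rule"; the first literal needs a trailing space. "overlaping" in the same literal is also misspelled. Suggested first line: `help = _( "It's possible to have overlapping nodes between multiple clusters. "`.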
Module: check_mk
Branch: master
Commit: ff84fdbd6285878d38d2058a8a9811e41929f240
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=ff84fdbd628587…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Dec 20 09:17:37 2013 +0100
FIX LDAP: Roles/Groups are now synced even if case of DNs do not match
Most LDAP related filters are case insensitive. To match user expectations
the distinguished name matching used during group / role sync has been
changed to be case insensitive.
---
.werks/420 | 12 ++++++++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 9 +++++----
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/.werks/420 b/.werks/420
new file mode 100644
index 0000000..ba10886
--- /dev/null
+++ b/.werks/420
@@ -0,0 +1,12 @@
+Title: LDAP: Roles/Groups are now synced even if case of DNs do not match
+Level: 1
+Component: multisite
+Class: fix
+State: unknown
+Version: 1.2.5i1
+Date: 1387527273
+Targetversion: future
+
+Most LDAP related filters are case insentive. To match user expectations
+the distinguished name matching used during group / role sync has been
+changed to be case insensitive.
diff --git a/ChangeLog b/ChangeLog
index 8e7c4fd..2f8830e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -94,6 +94,7 @@
* 0393 FIX: LDAP: Enabled paged LDAP search by default now with a page size of 1000...
* 0394 FIX: LDAP: Auth expiration plugin now checks users for being disabled (in AD)...
* 0436 FIX: Fix broken Site status switching via sidebar snapin...
+ * 0420 FIX: LDAP: Roles/Groups are now synced even if case of DNs do not match...
WATO:
* 0308 Multisite can now set rotation view permissions for NagVis...
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 8fc4be0..9af7443 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -332,7 +332,7 @@ def ldap_search(base, filt = '(objectclass=*)', columns = [], scope = None):
for key, val in obj.iteritems():
# Convert all keys to lower case!
new_obj[key.lower().decode('utf-8')] = [ i.decode('utf-8') for i in val ]
- result.append((dn, new_obj))
+ result.append((dn.lower(), new_obj))
success = True
except ldap.NO_SUCH_OBJECT, e:
raise MKLDAPException(_('The given base object "%s" does not exist in LDAP (%s))') % (base, e))
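Review bot: Lowercasing the DN inside `ldap_search` changes the returned value for every caller of this shared helper, not only the group / role sync, and nothing at the changed line says so. Any caller that displays the DN, stores it, or compares it with a DN obtained from configuration or from another source now has to lowercase its side as well, otherwise the comparison silently fails. I would document the contract at the changed line, e.g. `# DNs are returned lower case so callers can compare them case-insensitively`, and in the function's docstring if it has one. The body of `ldap_search` starts and ends outside the hunk, so its other uses of `dn` could not be checked here.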
@@ -585,7 +585,7 @@ def ldap_group_members(filters, filt_attr = 'cn', nested = False):
for dn, obj in ldap_search(ldap_replace_macros(config.ldap_groupspec['dn']), filt, ['cn', member_attr]):
groups[dn] = {
'cn' : obj['cn'][0],
- 'members' : [ m.encode('utf-8') for m in obj.get(member_attr,[]) ],
+ 'members' : [ m.encode('utf-8').lower() for m in obj.get(member_attr,[]) ],
}
else:
# Special handling for OpenLDAP when searching for groups by DN
@@ -593,7 +593,7 @@ def ldap_group_members(filters, filt_attr = 'cn', nested = False):
for dn, obj in ldap_search(ldap_replace_macros(f_dn), filt, ['cn', member_attr]):
groups[f_dn] = {
'cn' : obj['cn'][0],
- 'members' : [ m.encode('utf-8') for m in obj.get(member_attr,[]) ],
+ 'members' : [ m.encode('utf-8').lower() for m in obj.get(member_attr,[]) ],
}
else:
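Review bot: In this OpenLDAP branch the entry is still stored under `groups[f_dn]`, the DN exactly as configured, while the last hunk of this commit lowercases `dn` before the `dn in ldap_groups` lookup in `ldap_convert_groups_to_roles`. The call site shown in the other ldap.py commit on this page passes the configured DNs through unchanged, so, unless that has changed outside the visible hunks, a configured group DN with upper-case characters is no longer found and its role is silently not assigned. Keying the entry the same way as the lookup avoids that: `groups[f_dn.lower()] = {`. The enclosing `ldap_group_members` starts and ends outside the hunk.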
@@ -622,7 +622,7 @@ def ldap_group_members(filters, filt_attr = 'cn', nested = False):
'cn' : cn,
}
for user_dn, obj in ldap_search(ldap_replace_macros(config.ldap_userspec['dn']), filt, columns = ['dn']):
- groups[dn]['members'].append(user_dn)
+ groups[dn]['members'].append(user_dn.lower)
g_ldap_group_cache[cache_key] = groups
return groups
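Review bot: `user_dn.lower` on the added line is missing its call parentheses, so a bound method object is appended to `members` instead of a string. The membership test `ldap_user['dn'] in ldap_groups[dn]['members']` can then never match for groups resolved through this nested path, so role sync for nested groups assigns nothing; with the default-profile fallback from the earlier role sync fix, affected users would presumably end up with the default roles instead of their mapped ones. Since `ldap_search` already returns `dn.lower()` as of this commit, the line can stay `groups[dn]['members'].append(user_dn)`, or become `groups[dn]['members'].append(user_dn.lower())` if the explicit form is preferred.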
@@ -882,6 +882,7 @@ def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user, user):
for role_id, dn in params.items():
if not isinstance(dn, str):
continue # skip non configured ones
+ dn = dn.lower() # lower case matching for DNs!
# if group could be found and user is a member, add the role
if dn in ldap_groups and ldap_user['dn'] in ldap_groups[dn]['members']:
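Review bot: Only the configured group DN is lowercased here; `ldap_user['dn']` in the membership test on the last line of the hunk is compared as it arrives. Where `ldap_user` is built is outside the hunk, so whether its `dn` is already lower case cannot be confirmed from here; if it is not, the membership test fails for any user DN containing upper-case characters and the role is not assigned. Folding it at the point of comparison makes this authorization check independent of the caller: `if dn in ldap_groups and ldap_user['dn'].lower() in ldap_groups[dn]['members']:`. The function body continues past the hunk.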
Module: check_mk
Branch: master
Commit: 64000bd2db818c8081d38a668b58b198ddf11848
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=64000bd2db818c…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Dec 20 08:56:51 2013 +0100
FIX LDAP: Fixed broken role sync plugin with OpenLDAP
The role sync plugin simply did not sync the roles of users even
if the group memberships in the OpenLDAP directory were OK.
---
.werks/418 | 11 ++++++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 51 ++++++++++++++++++++++++++++++--------------
3 files changed, 47 insertions(+), 16 deletions(-)
diff --git a/.werks/418 b/.werks/418
new file mode 100644
index 0000000..444b131
--- /dev/null
+++ b/.werks/418
@@ -0,0 +1,11 @@
+Title: LDAP: Fixed broken role sync plugin with OpenLDAP
+Level: 1
+Component: wato
+Class: fix
+State: unknown
+Version: 1.2.5i1
+Date: 1387526157
+Targetversion: future
+
+The role sync plugin simply did not sync the roles of users even
+if the group memberships in the OpenLDAP directory were OK.
diff --git a/ChangeLog b/ChangeLog
index 060a468..856a34c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -121,6 +121,7 @@
* 0415 FIX: LDAP: The LDAP Settings dialog is now disabled when the LDAP Connector is disabled
* 0416 FIX: When doing user sync on user page rendering, contact group memberships are shown correctly now...
* 0417 FIX: LDAP: Fixed "Sync-Plugin: Roles" test with OpenLDAP
+ * 0418 FIX: LDAP: Fixed broken role sync plugin with OpenLDAP...
* 0419 FIX: LDAP: The default user profile roles are only assigned to users without roles...
Notifications:
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 5f85267..8fc4be0 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -566,21 +566,36 @@ def ldap_group_members(filters, filt_attr = 'cn', nested = False):
if cache_key in g_ldap_group_cache:
return g_ldap_group_cache[cache_key]
- # When not searching for nested memberships, it is easy. Simply query the group
- # for the memberships in one single query.
+ # When not searching for nested memberships, it is easy when using the an AD base LDAP.
+ # The group objects can be queried using the attribute distinguishedname. Therefor we
+ # create an alternating match filter to match that attribute when searching by DNs.
+ # In OpenLDAP the distinguishedname is no user attribute, therefor it can not be used
+ # as filter expression. We have to do one ldap query per group. Maybe, in the future,
+ # we change the role sync plugin parameters to snapins to make this part a little easier.
if not nested:
+ groups = {}
filt = ldap_filter('groups')
- if filters:
- add_filt = '(|%s)' % ''.join([ '(%s=%s)' % (filt_attr, f) for f in filters ])
- filt = '(&%s%s)' % (filt, add_filt)
-
member_attr = ldap_member_attr().lower()
- groups = {}
- for dn, obj in ldap_search(ldap_replace_macros(config.ldap_groupspec['dn']), filt, ['cn', member_attr]):
- groups[dn] = {
- 'cn' : obj['cn'][0],
- 'members' : [ m.encode('utf-8') for m in obj.get(member_attr,[]) ],
- }
+
+ if config.ldap_connection['type'] == 'ad' or filt_attr != 'distinguishedname':
+ if filters:
+ add_filt = '(|%s)' % ''.join([ '(%s=%s)' % (filt_attr, f) for f in filters ])
+ filt = '(&%s%s)' % (filt, add_filt)
+
+ for dn, obj in ldap_search(ldap_replace_macros(config.ldap_groupspec['dn']), filt, ['cn', member_attr]):
+ groups[dn] = {
+ 'cn' : obj['cn'][0],
+ 'members' : [ m.encode('utf-8') for m in obj.get(member_attr,[]) ],
+ }
+ else:
+ # Special handling for OpenLDAP when searching for groups by DN
+ for f_dn in filters:
+ for dn, obj in ldap_search(ldap_replace_macros(f_dn), filt, ['cn', member_attr]):
+ groups[f_dn] = {
+ 'cn' : obj['cn'][0],
+ 'members' : [ m.encode('utf-8') for m in obj.get(member_attr,[]) ],
+ }
+
else:
# Nested querying is more complicated. We have no option to simply do a query for group objects
# to make them resolve the memberships here. So we need to query all users with the nested
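Review bot: The filter built in the AD branch interpolates each entry of `filters` unescaped: `'(%s=%s)' % (filt_attr, f)`. A group name or DN containing `(`, `)`, `*` or `\` yields a malformed filter or one that matches other groups than the configured one, and the result feeds directly into role assignment. python-ldap provides an escaper for this, `'(%s=%s)' % (filt_attr, ldap.filter.escape_filter_chars(f))`; whether `ldap.filter` is already imported in this file is not visible here. In the new OpenLDAP branch each configured DN is used as the search base, so if `ldap_search` does not default to a base-level scope (its handling of `scope = None` is not shown), group entries below that DN would overwrite `groups[f_dn]`; requesting base scope explicitly would rule that out.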
@@ -861,8 +876,7 @@ def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user, user):
ldap_groups = dict(ldap_group_members([ dn for role_id, dn in params.items() if isinstance(dn, str) ],
filt_attr = 'distinguishedname', nested = params.get('nested', False)))
- # Load default roles from default user profile
- roles = config.default_user_profile['roles'][:]
+ roles = set([])
# Loop all roles mentioned in params (configured to be synchronized)
for role_id, dn in params.items():
@@ -871,9 +885,14 @@ def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user, user):
# if group could be found and user is a member, add the role
if dn in ldap_groups and ldap_user['dn'] in ldap_groups[dn]['members']:
- roles.append(role_id)
+ roles.add(role_id)
+
+ # Load default roles from default user profile when the user got no role
+ # by the role sync plugin
+ if not roles:
+ roles = config.default_user_profile['roles'][:]
- return {'roles': roles}
+ return {'roles': list(roles)}
def ldap_list_roles_with_group_dn():
elements = []
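Review bot: The new fallback cannot tell "the user is in none of the mapped groups" from "the group lookup returned nothing usable": in both cases `roles` is empty and the user receives `config.default_user_profile['roles']`. As far as the hunk shows, a mistyped group DN or an empty search result therefore switches a user to the default role set without leaving any trace. I would say so in the comment above the check, e.g. `# NOTE: also reached when none of the configured groups was found in LDAP`, and consider logging that case. Separately, `list(roles)` returns the roles in arbitrary set order; `return {'roles': sorted(roles)}` would keep the stored profile stable between syncs.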
Module: check_mk
Branch: master
Commit: 88b5b03fb10dfdbf3f2b6a213b711fb059a2157a
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=88b5b03fb10dfd…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Dec 20 08:58:04 2013 +0100
FIX LDAP: The default user profile roles are only assigned to users without roles
In previous releases the roles of the default user profile were assigned to all
users synced with LDAP. This was not correct and has now been changed. Only users
which do not get a role assigned by the role sync plugin get the default role(s).
---
.werks/419 | 12 ++++++++++++
ChangeLog | 1 +
2 files changed, 13 insertions(+)
diff --git a/.werks/419 b/.werks/419
new file mode 100644
index 0000000..7387eac
--- /dev/null
+++ b/.werks/419
@@ -0,0 +1,12 @@
+Title: LDAP: The default user profile roles are only assigned to users without roles
+Level: 1
+Component: wato
+Class: fix
+State: unknown
+Version: 1.2.5i1
+Date: 1387526213
+Targetversion: future
+
+In previous releases the roles of the default user profile were assigned to all
+users synced with LDAP. This was not correct and has now been changed. Only users
+which do not get a role assigned by the role sync plugin get the default role(s).
diff --git a/ChangeLog b/ChangeLog
index ba499b9..060a468 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -121,6 +121,7 @@
* 0415 FIX: LDAP: The LDAP Settings dialog is now disabled when the LDAP Connector is disabled
* 0416 FIX: When doing user sync on user page rendering, contact group memberships are shown correctly now...
* 0417 FIX: LDAP: Fixed "Sync-Plugin: Roles" test with OpenLDAP
+ * 0419 FIX: LDAP: The default user profile roles are only assigned to users without roles...
Notifications:
* 0362 sms: now searching PATH for sendsms and smssend commands...