[checkmk-commits] Check_MK Git: check_mk: #2616 LDAP: Improved handling of multiple connections (Name conflicts, cross directory sync)

Module: check_mk Branch: master Commit: 75304fa38f9d216f820e8d0a57558fa43f0c7b93 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=75304fa38f9d21… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Tue Sep 29 11:26:17 2015 +0200 #2616 LDAP: Improved handling of multiple connections (Name conflicts, cross directory sync) Since Check_MK can synchronize with multiple LDAP directories at the same time, new situations could occur which Check_MK did not handle properly for all cases yet. For example it is possible that name conflicts (user id) occur between LDAP connections when different LDAP directories have equal named users. Previous versions did synchronize the user using the first connection to be synchronized (take a look at the configuration to check the connection order) and silently skipped equal named users from other directories. This version intruces so called "LDAP connection suffixes" to solve this situation. This suffix is used identify name conflicting users between directories. You can use whatever you like as suffix, but for better identification it is recommended to use the official domain name as suffix. For example "corp.de" if you domain is identified like this. The connection suffix is appended to the user id for all user accounts having name conflicts during the synchronisation. Additionally, when a user tries to log in with his regular user name, for example <tt>hh</tt>, but the login is refused due to the name conflict, he can add the domain suffix to his username, e.g. &lt;tt&gt;hh(a)corp.de&lt;/tt&gt; to tell Check_MK which directory he is associated to. Addionionally, it is now possible to configure the role and group sync plugins to gather group memberships for the users of a connection from another one. This might be needed when you have multiple LDAP directories somehow connected (Active Directory forest) where the users belong to one LDAP directory and the groups are found in another LDAP directory. Now, when these groups have members of the other LDAP directory, these memberships could not be synchronized to Check_MK in previous versions. This is now possible to be configured. But the default is to gather the group memberships of users from the connection they are associated with. --- .werks/2616 | 33 ++++++ ChangeLog | 1 + web/htdocs/wato.py | 96 ++++++++++------- web/plugins/userdb/ldap.py | 244 +++++++++++++++++++++++++++++++++++++------- 4 files changed, 302 insertions(+), 72 deletions(-) Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=75304fa38f…