Module: check_mk
Branch: master
Commit: 23c81a9db024f87c1ae2db7884daadf447ff22ef
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=23c81a9db024f8…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Nov 19 11:56:57 2012 +0100
ldap: added sync plugin to add user roles depending on group memberships
---
web/htdocs/wato.py | 17 ++++++++---------
web/plugins/userdb/ldap.py | 43 +++++++++++++++++++++++++++++++++++++++++--
2 files changed, 49 insertions(+), 11 deletions(-)
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 0bfc779..039186f 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -8175,6 +8175,7 @@ def mode_edit_user(phase):
forms.section(_("Roles"))
entries = roles.items()
entries.sort(cmp = lambda a,b: cmp((a[1]["alias"],a[0]),
(b[1]["alias"],b[0])))
+ is_member_of_at_least_one = False
for role_id, role in entries:
if not is_locked('roles'):
html.checkbox("role_" + role_id, role_id in
user.get("roles", []))
@@ -8182,17 +8183,15 @@ def mode_edit_user(phase):
html.write("<a href='%s'>%s</a><br>" %
(url, role["alias"]))
else:
is_member = role_id in user.get("roles", [])
- html.hidden_field("role_" + role_id, is_member and '1' or
'')
- if not is_member:
- html.write('<i>%s</i>' % _('No roles
assigned.'))
- else:
+ if is_member:
+ is_member_of_at_least_one = True
+
url = make_link([("mode", "edit_role"),
("edit", role_id)])
html.write("<a href='%s'>%s</a><br>"
% (url, role["alias"]))
- html.help(_("By assigning roles to a user he obtains permissions. "
- "If a user has more than one role, he gets the maximum of all
"
- "permissions of his roles. "
- "Users without any role have no permissions to use Multisite at all
"
- "but still can be monitoring contacts and receive
notifications."))
+
+ html.hidden_field("role_" + role_id, is_member and '1' or
'')
+ if not is_member_of_at_least_one:
+ html.write('<i>%s</i>' % _('No roles assigned.'))
# Contact groups
forms.header(_("Contact Groups"), isopen=False)
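Review bot: The new position of `html.hidden_field("role_" + role_id, is_member and '1' or '')` cannot be read from this hunk because the indentation has been lost: if it now sits after the `for role_id, role in entries:` loop (where the removed `html.help(...)` used to be) only the last role's hidden field is emitted and saving the form would drop the other locked roles, whereas inside the `else:` branch of `if not is_locked('roles'):` it preserves every role as before — please confirm it is inside the loop. The removed `html.help(...)` text (roles grant permissions, a user with several roles gets the maximum of all of them, users without a role cannot use Multisite) is not re-added anywhere in this hunk; if that was not intended, restore it after the `No roles assigned` line. The rest of mode_edit_user lies outside the hunk.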
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 284fdee..9a31d96 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -248,7 +248,7 @@ def ldap_get_users(add_filter = None):
return result
-def ldap_user_groups(username):
+def ldap_user_groups(username, attr = 'cn'):
user_dn = ldap_get_user_dn(username)
# Apply configured group ldap filter and only reply with groups
@@ -259,7 +259,11 @@ def ldap_user_groups(username):
groups = []
for dn, group in
ldap_search(ldap_replace_macros(config.ldap_groupspec['dn']),
filt, ['cn']):
- groups.append(group['cn'][0])
+ if attr == 'cn':
+ groups.append(group['cn'][0])
+
+ elif attr == 'dn':
+ groups.append(dn)
return groups
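Review bot: Any `attr` value other than `'cn'` or `'dn'` falls through both branches and `ldap_user_groups` silently returns an empty list, which a caller that derives permissions from the result would read as "member of no group"; an explicit `else: raise ValueError("ldap_user_groups: unsupported attr %r" % attr)` after the `elif` (or whatever exception type the rest of this plugin uses) turns a typo in a call site into a visible error. The search still requests only `['cn']`, which is fine for the `'dn'` case since the `dn` is unpacked from every result tuple independent of the attribute list. The signature with the new `attr = 'cn'` parameter is in the previous hunk.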
@@ -440,6 +444,41 @@ ldap_attribute_plugins['groups_to_contactgroups'] = {
'lock_attributes': ['contactgroups'],
}
+def ldap_convert_groups_to_roles(params, user_id, ldap_user, user):
+ groups = []
+ # 1. Fetch DNs of all LDAP groups of the user
+ ldap_groups = [ g.lower() for g in ldap_user_groups(user_id, 'dn') ]
+
+ # 2. Loop all roles mentioned in params (configured to be synchronized)
+ roles = []
+ for role_id, dn in params.items():
+ if dn.lower() in ldap_groups:
+ roles.append(role_id)
+
+ return {'roles': roles}
+
+def ldap_list_roles_with_group_dn():
+ import wato
+ roles = wato.load_roles()
+
+ elements = []
+ for role_id, role in wato.load_roles().items():
+ elements.append((role_id, LDAPDistinguishedName(
+ title = role['alias'] + ' - ' + _("Specify the Group
DN"),
+ help = _("Distinguished Name of the LDAP group to add users this
role."),
+ size = 80,
+ )))
+ return elements
+
+ldap_attribute_plugins['groups_to_roles'] = {
+ 'title': _('Roles'),
+ 'help': _('Configures the roles of the user depending on its group
memberships '
+ 'in LDAP.'),
+ 'convert': ldap_convert_groups_to_roles,
+ 'lock_attributes': ['roles'],
+ 'parameters': ldap_list_roles_with_group_dn,
+}
+
# .----------------------------------------------------------------------.
# | _ _ _ |
# | | | | | ___ ___ | | _____ |
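Review bot: `ldap_list_roles_with_group_dn` binds `roles = wato.load_roles()` and never uses it, then loads the roles a second time in the `for` header; iterate `roles.items()` instead, and drop the unused `groups = []` at the top of `ldap_convert_groups_to_roles`. The membership test `dn.lower() in ldap_groups` compares DNs as plain lowercased strings, so a configured DN that differs from the directory's spelling only in spacing after commas or in escaping will not match, and since the plugin returns the complete `roles` list under `'lock_attributes': ['roles']` that user presumably ends up with no role at all after the sync — fail-closed, but worth a comment such as `# DNs are matched as lowercased strings; apart from case the configured DN must match the directory's spelling exactly`. The `help` text `'Distinguished Name of the LDAP group to add users this role.'` reads better as `'Distinguished Name of the LDAP group whose members get this role.'`.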