[checkmk-commits] Check_MK Git: check_mk: FIX LDAP: Auth expiration plugin now checks users for being disabled (in AD)

Module: check_mk Branch: master Commit: 00f19dd9091c62486979a40aa3181096ab5260eb URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=00f19dd9091c62… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Thu Dec 19 14:25:01 2013 +0100 FIX LDAP: Auth expiration plugin now checks users for being disabled (in AD) The authentication expiration ldap sync plugin now also checks wether or not a user has been disabled in LDAP. This only works with Active Directory based LDAPs at the moment. --- .werks/394 | 12 ++++++++++++ ChangeLog | 1 + web/plugins/userdb/ldap.py | 19 ++++++++++++++++++- 3 files changed, 31 insertions(+), 1 deletion(-) diff --git a/.werks/394 b/.werks/394 new file mode 100644 index 0000000..2276933 --- /dev/null +++ b/.werks/394 @@ -0,0 +1,12 @@ +Title: LDAP: Auth expiration plugin now checks users for being disabled (in AD) +Level: 1 +Component: multisite +Class: fix +State: unknown +Version: 1.2.5i1 +Date: 1387459423 +Targetversion: future + +The authentication expiration ldap sync plugin now also checks wether or not +a user has been disabled in LDAP. This only works with Active Directory based +LDAPs at the moment. diff --git a/ChangeLog b/ChangeLog index 880c76d..fe0c1a4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -88,6 +88,7 @@ * 0374 FIX: Fixed syntax error in exception handler of LDAP search code... * 0375 FIX: LDAP: Now handling user-ids with umlauts... * 0393 FIX: LDAP: Enabled paged LDAP search by default now with a page size of 1000... + * 0394 FIX: LDAP: Auth expiration plugin now checks users for being disabled (in AD)... WATO: * 0308 Multisite can now set rotation view permissions for NagVis... diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py index 24dd484..43c04e3 100644 --- a/web/plugins/userdb/ldap.py +++ b/web/plugins/userdb/ldap.py @@ -709,6 +709,15 @@ ldap_attribute_plugins['alias'] = { # In first instance, it must parse the pw-changed field, then check wether or not # a date has been stored in the user before and then maybe increase the serial. def ldap_convert_auth_expire(plugin, params, user_id, ldap_user, user): + # Special handling for active directory: Is the user enabled / disabled? + if config.ldap_connection['type'] == 'ad' and ldap_user.get('useraccountcontrol'): + # see http://www.selfadsi.de/ads-attributes/user-userAccountControl.htm for details + if saveint(ldap_user['useraccountcontrol'][0]) & 2: + return { + 'locked': True, + 'serial': user.get('serial', 0) + 1, + } + changed_attr = params.get('attr', ldap_attr('pw_changed')) if not changed_attr in ldap_user: raise MKLDAPException(_('The "Authentication Expiration" attribute (%s) could not be fetched ' @@ -730,12 +739,20 @@ def ldap_convert_auth_expire(plugin, params, user_id, ldap_user, user): return {} +def ldap_attrs_auth_expire(params): + attrs = [ params.get('attr', ldap_attr('pw_changed')) ] + + # Fetch user account flags to check locking + if config.ldap_connection['type'] == 'ad': + attrs.append('useraccountcontrol') + return attrs + ldap_attribute_plugins['auth_expire'] = { 'title': _('Authentication Expiration'), 'help': _('This plugin fetches all information which are needed to check wether or ' 'not an already authenticated user should be deauthenticated, e.g. because ' 'the password has changed in LDAP or the account has been locked.'), - 'needed_attributes': lambda params: [ params.get('attr', ldap_attr('pw_changed')) ], + 'needed_attributes': ldap_attrs_auth_expire, 'convert': ldap_convert_auth_expire, # When a plugin introduces new user attributes, it should declare the output target for # this attribute. It can either be written to the multisites users.mk or the check_mk