Module: check_mk
Branch: master
Commit: 00f19dd9091c62486979a40aa3181096ab5260eb
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=00f19dd9091c62…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Dec 19 14:25:01 2013 +0100
FIX LDAP: Auth expiration plugin now checks users for being disabled (in AD)
The authentication expiration LDAP sync plugin now also checks whether
a user has been disabled in LDAP. This only works with Active Directory based
LDAP servers at the moment.
---
.werks/394 | 12 ++++++++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 19 ++++++++++++++++++-
3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/.werks/394 b/.werks/394
new file mode 100644
index 0000000..2276933
--- /dev/null
+++ b/.werks/394
@@ -0,0 +1,12 @@
+Title: LDAP: Auth expiration plugin now checks users for being disabled (in AD)
+Level: 1
+Component: multisite
+Class: fix
+State: unknown
+Version: 1.2.5i1
+Date: 1387459423
+Targetversion: future
+
+The authentication expiration ldap sync plugin now also checks wether or not
+a user has been disabled in LDAP. This only works with Active Directory based
+LDAPs at the moment.
diff --git a/ChangeLog b/ChangeLog
index 880c76d..fe0c1a4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -88,6 +88,7 @@
* 0374 FIX: Fixed syntax error in exception handler of LDAP search code...
* 0375 FIX: LDAP: Now handling user-ids with umlauts...
* 0393 FIX: LDAP: Enabled paged LDAP search by default now with a page size of
1000...
+ * 0394 FIX: LDAP: Auth expiration plugin now checks users for being disabled (in
AD)...
WATO:
* 0308 Multisite can now set rotation view permissions for NagVis...
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 24dd484..43c04e3 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -709,6 +709,15 @@ ldap_attribute_plugins['alias'] = {
# In first instance, it must parse the pw-changed field, then check wether or not
# a date has been stored in the user before and then maybe increase the serial.
def ldap_convert_auth_expire(plugin, params, user_id, ldap_user, user):
+ # Special handling for active directory: Is the user enabled / disabled?
+ if config.ldap_connection['type'] == 'ad' and
ldap_user.get('useraccountcontrol'):
+ # see
http://www.selfadsi.de/ads-attributes/user-userAccountControl.htm for
details
+ if saveint(ldap_user['useraccountcontrol'][0]) & 2:
+ return {
+ 'locked': True,
+ 'serial': user.get('serial', 0) + 1,
+ }
+
changed_attr = params.get('attr', ldap_attr('pw_changed'))
if not changed_attr in ldap_user:
raise MKLDAPException(_('The "Authentication Expiration" attribute
(%s) could not be fetched '
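Review bot: The guard on the first added line, `ldap_user.get('useraccountcontrol')`, makes the disabled-account check fail open: when AD does not return the attribute for a user (absent or empty, e.g. because the bind account may not read it), the function silently falls through to the password-change check and the user stays usable. The pw_changed attribute a few lines below is handled by raising MKLDAPException when it is missing; the new attribute should get the same fail-closed treatment so a sync cannot quietly stop enforcing the disabled flag. It would also help to name the magic constant, `if saveint(uac[0]) & 0x2:  # ACCOUNTDISABLE`, since the hunk only documents it via an external URL. Note that bit 0x2 covers only explicitly disabled accounts, not lockouts (LOCKOUT flag / lockoutTime), so the plugin help text that speaks of the account being "locked" promises slightly more than is enforced. ldap_convert_auth_expire's body continues in the next hunk.
```python
def ldap_convert_auth_expire(plugin, params, user_id, ldap_user, user):
    # Special handling for active directory: Is the user enabled / disabled?
    if config.ldap_connection['type'] == 'ad':
        uac = ldap_user.get('useraccountcontrol')
        if not uac:
            # Fail closed, like the missing pw_changed attribute below
            raise MKLDAPException(_('The "userAccountControl" attribute could not be fetched '
                                    'from the LDAP server for user %s.') % user_id)
        # 0x2 = ACCOUNTDISABLE; lockouts (0x10 / lockoutTime) are not covered here
        if saveint(uac[0]) & 0x2:
            return {
                'locked': True,
                'serial': user.get('serial', 0) + 1,
            }
    # … unchanged: pw_changed attribute handling …
```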
@@ -730,12 +739,20 @@ def ldap_convert_auth_expire(plugin, params, user_id, ldap_user,
user):
return {}
+def ldap_attrs_auth_expire(params):
+ attrs = [ params.get('attr', ldap_attr('pw_changed')) ]
+
+ # Fetch user account flags to check locking
+ if config.ldap_connection['type'] == 'ad':
+ attrs.append('useraccountcontrol')
+ return attrs
+
ldap_attribute_plugins['auth_expire'] = {
'title': _('Authentication Expiration'),
'help': _('This plugin fetches all information which are needed to check
wether or '
'not an already authenticated user should be deauthenticated, e.g.
because '
'the password has changed in LDAP or the account has been
locked.'),
- 'needed_attributes': lambda params: [ params.get('attr',
ldap_attr('pw_changed')) ],
+ 'needed_attributes': ldap_attrs_auth_expire,
'convert': ldap_convert_auth_expire,
# When a plugin introduces new user attributes, it should declare the output target
for
# this attribute. It can either be written to the multisites users.mk or the
check_mk