group-to-contactgroup sync with OpenLDAP (using posixGroup)
Message-ID: <55116378.KdV7x+3Jp+0JvLvL%lm(a)mathias-kettner.de>
User-Agent: Heirloom mailx 12.5 6/20/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Module: check_mk
Branch: master
Commit: e0e8a3b11565a6fd3c196d4489df1b3b74c071f6
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=e0e8a3b11565a6…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Mar 24 14:10:56 2015 +0100
#2157 FIX LDAP: Fixed group-to-role/group-to-contactgroup sync with OpenLDAP (using
posixGroup)
---
.werks/2157 | 9 +++++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 12 ++++++++++--
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/.werks/2157 b/.werks/2157
new file mode 100644
index 0000000..b73d703
--- /dev/null
+++ b/.werks/2157
@@ -0,0 +1,9 @@
+Title: LDAP: Fixed group-to-role/group-to-contactgroup sync with OpenLDAP (using
posixGroup)
+Level: 1
+Component: multisite
+Compatible: compat
+Version: 1.2.7i1
+Date: 1427202535
+Class: fix
+
+
diff --git a/ChangeLog b/ChangeLog
index 2b2592d..ca85263 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -337,6 +337,7 @@
* 2149 FIX: LDAP: The diagnostic log has been changed to use a fixed path...
* 2150 FIX: Reworked internal logging mechanism...
* 1953 FIX: Fixed processing of html processing in input fields...
+ * 2157 FIX: LDAP: Fixed group-to-role/group-to-contactgroup sync with OpenLDAP (using
posixGroup)
WATO:
* 1760 Added search form to manual checks page
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 9e074f6..e0c0ae0 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -868,6 +868,9 @@ def register_user_attribute_sync_plugins():
}
def ldap_convert_groups_to_contactgroups(plugin, params, user_id, ldap_user, user):
+ # 0. Figure out how to check group membership.
+ user_cmp_val = ldap_member_attr().lower() == 'memberuid' and user_id or
ldap_user['dn']
+
# 1. Fetch all existing group names in WATO
cg_names = load_group_information().get("contact", {}).keys()
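Review bot: The `and … or` form on the new `user_cmp_val` line silently falls back to the user's DN whenever `user_id` is falsy (an empty string), so a posixGroup lookup would then compare a DN against memberUid values and match nothing without any hint why; a conditional expression states the intent and has no such edge: `user_cmp_val = user_id if ldap_member_attr().lower() == 'memberuid' else ldap_user['dn']`. The step-0 comment should also say why the username is used rather than just that a choice is made, e.g. `# posixGroup stores bare usernames in memberUid, not member DNs`, as the later hunk in ldap_convert_groups_to_roles already does. ldap_convert_groups_to_contactgroups continues past the end of this hunk.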
@@ -876,7 +879,7 @@ def ldap_convert_groups_to_contactgroups(plugin, params, user_id,
ldap_user, use
ldap_groups = ldap_group_members(cg_names, nested = params.get('nested',
False))
# 3. Only add groups which the user is member of
- return {'contactgroups': [ g['cn'] for dn, g in ldap_groups.items()
if ldap_user['dn'] in g['members']]}
+ return {'contactgroups': [ g['cn'] for dn, g in ldap_groups.items()
if user_cmp_val in g['members']]}
ldap_attribute_plugins['groups_to_contactgroups'] = {
'title': _('Contactgroup Membership'),
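Review bot: The `nested = params.get('nested', False)` option passed to ldap_group_members a few lines above the changed return is left as-is for the memberUid case, yet memberUid values are bare usernames rather than DNs, so nested-group resolution presumably has nothing to follow when posixGroup is in use — I can't see ldap_group_members here, so please confirm whether it copes with that or just returns direct members. If it cannot, either document the limitation next to the call, e.g. `# nested lookup needs DN-valued members; has no effect with memberUid`, or reject `nested` when `ldap_member_attr()` is memberUid so operators don't expect transitive membership that is never granted. The start of ldap_convert_groups_to_contactgroups lies outside this hunk.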
@@ -904,6 +907,11 @@ def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user,
user):
ldap_groups = dict(ldap_group_members([ dn.lower() for role_id, dn in params.items()
if isinstance(dn, str) ],
filt_attr = 'distinguishedname', nested =
params.get('nested', False)))
+ # posixGroup objects use the memberUid attribute to specify the group
+ # memberships. This is the username instead of the users DN. So the
+ # username needs to be used for filtering here.
+ user_cmp_val = ldap_member_attr().lower() == 'memberuid' and user_id or
ldap_user['dn']
+
roles = set([])
# Loop all roles mentioned in params (configured to be synchronized)
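Review bot: The `user_cmp_val` expression added here is a copy of the one added to ldap_convert_groups_to_contactgroups in the first hunk, so the memberUid special case — and the comment that explains it — now live in two places that will drift apart. Hoist it into one module-level helper next to ldap_member_attr() and call `user_cmp_val = ldap_user_cmp_val(user_id, ldap_user)` from both plugins; the helper's docstring is the natural place to record that memberUid matching assumes the Check_MK user id is the exact value LDAP stores in memberUid, which should be confirmed for the configured user-id attribute. Both copies also use the `and … or` form, which falls back to the DN if `user_id` is ever empty; the helper below uses a plain if instead. ldap_convert_groups_to_roles continues beyond the end of this hunk.
```python
def ldap_user_cmp_val(user_id, ldap_user):
    # posixGroup lists members in memberUid as bare usernames; the other
    # group classes list member DNs. Return whichever value must appear in
    # a group's 'members' list for this user to count as a member.
    if ldap_member_attr().lower() == 'memberuid':
        return user_id
    return ldap_user['dn']

# … in ldap_convert_groups_to_roles, replacing the inline expression …
    user_cmp_val = ldap_user_cmp_val(user_id, ldap_user)
```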
@@ -913,7 +921,7 @@ def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user,
user):
dn = dn.lower() # lower case matching for DNs!
# if group could be found and user is a member, add the role
- if dn in ldap_groups and ldap_user['dn'] in
ldap_groups[dn]['members']:
+ if dn in ldap_groups and user_cmp_val in ldap_groups[dn]['members']:
roles.add(role_id)
# Load default roles from default user profile when the user got no role
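Review bot: The changed `if` before `roles.add(role_id)` tests membership by exact string equality, while the DN side is explicitly lower-cased two lines earlier (`dn = dn.lower() # lower case matching for DNs!`); on the new memberUid path nothing normalises the case of `user_id` or of the memberUid values, so `jdoe` versus `JDoe` — the same entry to a directory whose `uid` attribute is normally matched case-insensitively — would not match and the role would silently not be granted. If ldap_group_members lower-cases member values (not visible here), lower-case the username as well, `user_cmp_val = user_cmp_val.lower()`, or better normalise both sides in one place; if it does not, at least add `# memberUid matching is case-sensitive` so the behaviour is deliberate. A miss here fails closed (no role), which is the safe direction, but it is the kind of silent mismatch that costs hours of debugging. The `for role_id, dn in params.items()` loop this `if` belongs to starts above the hunk.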