[checkmk-commits] Check_MK Git: check_mk: Some internal code cleanups

Module: check_mk Branch: master Commit: 435f6169c568acab681a99a1c0ac0db3df8d5f0d URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=435f6169c568ac… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Mon Jul 27 12:10:30 2015 +0200 Some internal code cleanups --- web/plugins/userdb/ldap.py | 125 ++++++++++++++++++++++++-------------------- 1 file changed, 68 insertions(+), 57 deletions(-) diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py index 6d6225a..390951d 100644 --- a/web/plugins/userdb/ldap.py +++ b/web/plugins/userdb/ldap.py @@ -630,73 +630,84 @@ class LDAPUserConnector(UserConnector): return self.ldap_search(dn, filt, ['cn'], self._config['group_scope']) - def group_members(self, filters, filt_attr = 'cn', nested = False): - cache_key = '%s-%s-%s' % (filters, nested and 'n' or 'f', filt_attr) + def get_group_memberships(self, filters, filt_attr = 'cn', nested = False): + cache_key = (filters, nested, filt_attr) if cache_key in self._group_cache: return self._group_cache[cache_key] - # When not searching for nested memberships, it is easy when using the an AD base LDAP. - # The group objects can be queried using the attribute distinguishedname. Therefor we - # create an alternating match filter to match that attribute when searching by DNs. - # In OpenLDAP the distinguishedname is no user attribute, therefor it can not be used - # as filter expression. We have to do one ldap query per group. Maybe, in the future, - # we change the role sync plugin parameters to snapins to make this part a little easier. if not nested: - groups = {} - filt = self.ldap_filter('groups') - member_attr = self.member_attr().lower() + groups = get_direct_group_memberships(filters, filt_attr) + else: + groups = get_nested_group_memberships(filters, filt_attr) + + self._group_cache[cache_key] = groups + return groups - if self.is_active_directory() or filt_attr != 'distinguishedname': - if filters: - add_filt = '(|%s)' % ''.join([ '(%s=%s)' % (filt_attr, f) for f in filters ]) - filt = '(&%s%s)' % (filt, add_filt) - for dn, obj in self.ldap_search(self.replace_macros(self._config['group_dn']), - filt, ['cn', member_attr], self._config['group_scope']): - groups[dn] = { + # When not searching for nested memberships, it is easy when using the an AD base LDAP. + # The group objects can be queried using the attribute distinguishedname. Therefor we + # create an alternating match filter to match that attribute when searching by DNs. + # In OpenLDAP the distinguishedname is no user attribute, therefor it can not be used + # as filter expression. We have to do one ldap query per group. Maybe, in the future, + # we change the role sync plugin parameters to snapins to make this part a little easier. + def get_direct_group_memberships(filters, filt_attr): + groups = {} + filt = self.ldap_filter('groups') + member_attr = self.member_attr().lower() + + if self.is_active_directory() or filt_attr != 'distinguishedname': + if filters: + add_filt = '(|%s)' % ''.join([ '(%s=%s)' % (filt_attr, f) for f in filters ]) + filt = '(&%s%s)' % (filt, add_filt) + + for dn, obj in self.ldap_search(self.replace_macros(self._config['group_dn']), + filt, ['cn', member_attr], self._config['group_scope']): + groups[dn] = { + 'cn' : obj['cn'][0], + 'members' : [ m.encode('utf-8').lower() for m in obj.get(member_attr,[]) ], + } + else: + # Special handling for OpenLDAP when searching for groups by DN + for f_dn in filters: + for dn, obj in self.ldap_search(self.replace_macros(f_dn), filt, + ['cn', member_attr], 'base'): + groups[f_dn] = { 'cn' : obj['cn'][0], 'members' : [ m.encode('utf-8').lower() for m in obj.get(member_attr,[]) ], } - else: - # Special handling for OpenLDAP when searching for groups by DN - for f_dn in filters: - for dn, obj in self.ldap_search(self.replace_macros(f_dn), filt, - ['cn', member_attr], 'base'): - groups[f_dn] = { - 'cn' : obj['cn'][0], - 'members' : [ m.encode('utf-8').lower() for m in obj.get(member_attr,[]) ], - } - else: - # Nested querying is more complicated. We have no option to simply do a query for group objects - # to make them resolve the memberships here. So we need to query all users with the nested - # memberof filter to get all group memberships of that group. We need one query for each group. - groups = {} - for filter_val in filters: - if filt_attr == 'cn': - result = self.ldap_search(self.replace_macros(self._config['group_dn']), - '(&%s(cn=%s))' % (self.ldap_filter('groups'), filter_val), - ['dn'], self._config['group_scope']) - if not result: - continue # Skip groups which can not be found - dn = result[0][0] - cn = filter_val - else: - dn = filter_val - # in case of asking with DNs in nested mode, the resulting objects have the - # cn set to None for all objects. We do not need it in that case. - cn = None + return groups - filt = '(&%s(memberOf:1.2.840.113556.1.4.1941:=%s))' % (self.ldap_filter('users'), dn) - groups[dn] = { - 'members' : [], - 'cn' : cn, - } - for user_dn, obj in self.ldap_search(self.replace_macros(self._config['user_dn']), - filt, ['dn'], self._config['user_scope']): - groups[dn]['members'].append(user_dn.lower()) - self._group_cache[cache_key] = groups + # Nested querying is more complicated. We have no option to simply do a query for group objects + # to make them resolve the memberships here. So we need to query all users with the nested + # memberof filter to get all group memberships of that group. We need one query for each group. + def get_nested_group_memberships(filters, filt_attr): + groups = {} + for filter_val in filters: + if filt_attr == 'cn': + result = self.ldap_search(self.replace_macros(self._config['group_dn']), + '(&%s(cn=%s))' % (self.ldap_filter('groups'), filter_val), + ['dn'], self._config['group_scope']) + if not result: + continue # Skip groups which can not be found + dn = result[0][0] + cn = filter_val + else: + dn = filter_val + # in case of asking with DNs in nested mode, the resulting objects have the + # cn set to None for all objects. We do not need it in that case. + cn = None + + filt = '(&%s(memberOf:1.2.840.113556.1.4.1941:=%s))' % (self.ldap_filter('users'), dn) + groups[dn] = { + 'members' : [], + 'cn' : cn, + } + for user_dn, obj in self.ldap_search(self.replace_macros(self._config['user_dn']), + filt, ['dn'], self._config['user_scope']): + groups[dn]['members'].append(user_dn.lower()) + return groups @@ -1291,7 +1302,7 @@ def ldap_sync_groups_to_contactgroups(connection, plugin, params, user_id, ldap_ # 2. Load all LDAP groups which have a CN matching one contact # group which exists in WATO - ldap_groups = connection.group_members(cg_names, nested = params.get('nested', False)) + ldap_groups = connection.get_group_memberships(cg_names, nested = params.get('nested', False)) # 3. Only add groups which the user is member of return {'contactgroups': [ g['cn'] for dn, g in ldap_groups.items() if user_cmp_val in g['members']]} @@ -1337,7 +1348,7 @@ def ldap_sync_groups_to_roles(connection, plugin, params, user_id, ldap_user, us elif type(distinguished_names) in [ str, unicode ]: groups_to_fetch.append(distinguished_names.lower()) - ldap_groups = dict(connection.group_members(groups_to_fetch, + ldap_groups = dict(connection.get_group_memberships(groups_to_fetch, filt_attr = 'distinguishedname', nested = params.get('nested', False)))