Module: check_mk
Branch: master
Commit: 74c6620c23b8765a9467cd0683b8276efa198f14
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=74c6620c23b876…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jun 22 12:17:35 2015 +0200
#2341 LDAP Sync: Automatically syncing credential changes to slave sites in distributed
setups
When using the LDAP sync while having a distributed setup users might not be able to
access
the GUI on the slave sites when their password was changed in LDAP. This could only be
fixed by an admin who performed a manual WATO synchronisation of the current
configuration.
This has now been changed. When the password change has been detected, the master site
tries
to synchronize the profile of the user to the configured and reachable remote site(s). If
this fails, the site is marked as "to be synchronized". Then the admin can
perform the sync
manually once the site is available again.
---
.werks/2341 | 16 +++++++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 66 +++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 82 insertions(+), 1 deletion(-)
diff --git a/.werks/2341 b/.werks/2341
new file mode 100644
index 0000000..5d4a293
--- /dev/null
+++ b/.werks/2341
@@ -0,0 +1,16 @@
+Title: LDAP Sync: Automatically syncing credential changes to slave sites in distributed
setups
+Level: 1
+Component: multisite
+Compatible: compat
+Version: 1.2.7i2
+Date: 1434967888
+Class: feature
+
+When using the LDAP sync while having a distributed setup users might not be able to
access
+the GUI on the slave sites when their password was changed in LDAP. This could only be
+fixed by an admin which performed a manual WATO synchronisation of the current
configuration.
+
+This has now been changed. When the password change has been detected, the master site
tries
+to synchronize the profile of the user to the configured and reachable remote site(s).
If
+this fails, the site is marked as "to be synchronized". Then the admin can
perform the sync
+manually once the site is available again.
diff --git a/ChangeLog b/ChangeLog
index c68a070..dc856e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,7 @@
Multisite:
* 2260 Improved load time of Check_MK GUI...
* 2332 New icon for hosts/services that are out of their service period...
+ * 2341 LDAP Sync: Automatically syncing credential changes to slave sites in
distributed setups...
* 2324 FIX: Add icon for those checks that cannot be rescheduled...
* 2261 FIX: Fixed wrong pnp template cache path in non OMD environments...
* 2262 FIX: Fixed deletion of foreign views/dashboards...
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 54ef6f6..d988855 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -1025,6 +1025,61 @@ def ldap_login(username, password):
ldap_default_bind(ldap_connection)
return result
+# In case the sync is done on the master of a distributed setup the auth serial
+# is increased on the master, but not on the slaves. The user can not access the
+# slave sites anymore with the master sites cookie since the serials differ. In
+# case the slave sites sync with LDAP on their own this issue will be repaired after
+# the next LDAP sync on the slave, but in case the slaves do not sync, this problem
+# will be repaired automagically once an admin performs the next WATO sync for
+# another reason.
+# Now, to solve this issue, we issue a user profile sync in case the password has
+# been changed. We do this only when only the password has changed.
+# Hopefully we have no large bulks of users changing their passwords at the same
+# time. In this case the implementation does not scale well. We would need to
+# change this to some kind of profile bulk sync per site.
+def synchronize_profile_to_sites(user_id, profile):
+ import wato # FIXME: Cleanup!
+ sites = [(site_id, config.site(site_id))
+ for site_id in config.sitenames()
+ if not wato.site_is_local(site_id) ]
+
+ ldap_log('Credentials changed: %s. Trying to sync to %d sites' % (user_id,
len(sites)))
+
+ num_disabled = 0
+ num_succeeded = 0
+ num_failed = 0
+ for site_id, site in sites:
+ if not site.get("replication"):
+ num_disabled += 1
+ continue
+
+ if site.get("disabled"):
+ num_disabled += 1
+ continue
+
+ status = html.site_status.get(site_id, {}).get("state",
"unknown")
+ if status == "dead":
+ result = "Site is dead"
+ else:
+ try:
+ result = wato.push_user_profile_to_site(site, user_id, profile)
+ except Exception, e:
+ result = str(e)
+
+ if result == True:
+ num_succeeded += 1
+ else:
+ num_failed += 1
+ ldap_log(' FAILED [%s]: %s' % (site_id, result))
+ # Add pending entry to make sync possible later for admins
+ wato.update_replication_status(site_id, {"need_sync": True})
+ wato.log_pending(wato.AFFECTED, None, "edit-users",
+ _('Password changed (sync failed: %s)') % result,
user_id = '')
+
+ ldap_log(' Disabled: %d, Succeeded: %d, Failed: %d' %
+ (num_disabled, num_succeeded, num_failed))
+
+
def ldap_sync(add_to_changelog, only_username):
# Store time of the last sync. Don't store after sync since parallel
# requests to e.g. the page hook would cause duplicate calculations
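Review bot: `synchronize_profile_to_sites` decides whether to skip a site by reading `html.site_status`, but nothing in the hunk shows that this attribute is populated at the point `ldap_sync` runs; if it is missing, the lookup raises before any push is attempted and before the site is flagged `need_sync`, so the fallback path never records the pending entry. A tolerant lookup such as `status = getattr(html, "site_status", {}).get(site_id, {}).get("state", "unknown")` keeps the "mark for later sync" behaviour even in that situation (please confirm against the callers). The function has a long header comment but no docstring stating its contract; I would add one like `"""Push *profile* of *user_id* to every remote site with replication enabled; sites that are dead or fail the push are flagged need_sync and get a pending entry."""`. Also, `num_disabled` is incremented both for sites with no `replication` setting and for sites marked `disabled`, so the summary log line cannot tell the two apart; a separate counter or a name such as `num_skipped` would make the log line accurate. The trailing context lines belong to `ldap_sync`, whose body continues outside the hunk.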
@@ -1100,11 +1155,20 @@ def ldap_sync(add_to_changelog, only_username):
if removed:
details.append(_('Removed: %s') % ', '.join(removed))
- # Ignore password changes from ldap - do not log them. For now.
+ # Password changes found in LDAP should not be logged as "pending
change".
+ # These changes take effect imediately (pw already changed in AD, auth
serial
+ # is increaed by sync plugin) on the local site, so no one needs to active
this.
+ pw_changed = False
if 'ldap_pw_last_changed' in changed:
changed.remove('ldap_pw_last_changed')
+ pw_changed = True
if 'serial' in changed:
changed.remove('serial')
+ pw_changed = True
+
+ # Synchronize new user profile to remote sites if needed
+ if pw_changed and not changed and wato.is_distributed():
+ synchronize_profile_to_sites(user_id, user)
if changed:
details.append(('Changed: %s') % ', '.join(changed))