Module: check_mk
Branch: master
Commit: 62e0166ec18db0ea0e9c7592690ff28e3cf81254
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=62e0166ec18db0…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Oct 18 07:45:25 2018 +0200
Fixed LDAP config tests
Change-Id: I5dc40617f64b114bc7bed4e9e1ede7e1d442a996
---
cmk/gui/plugins/userdb/ldap_connector.py | 47 +++++++++++++++++-------
cmk/gui/wato/pages/ldap.py | 25 +++++++------
tests/unit/cmk/gui/test_userdb_ldap_connector.py | 2 +-
3 files changed, 48 insertions(+), 26 deletions(-)
diff --git a/cmk/gui/plugins/userdb/ldap_connector.py
b/cmk/gui/plugins/userdb/ldap_connector.py
index 53c8a60..b93d433 100644
--- a/cmk/gui/plugins/userdb/ldap_connector.py
+++ b/cmk/gui/plugins/userdb/ldap_connector.py
@@ -68,7 +68,7 @@ from cmk.gui.valuespec import *
from cmk.gui.i18n import _
from cmk.gui.globals import html
from cmk.gui.exceptions import MKGeneralException, MKUserError
-from . import UserConnector, user_connector_registry
+from cmk.gui.plugins.userdb.utils import UserConnector, user_connector_registry
if cmk.is_managed_edition():
import cmk.gui.cme.managed as managed
@@ -710,7 +710,7 @@ class LDAPUserConnector(UserConnector):
- def _get_users(self, add_filter = ''):
+ def get_users(self, add_filter = ''):
user_id_attr = self._user_id_attr()
columns = [
@@ -750,6 +750,21 @@ class LDAPUserConnector(UserConnector):
return result
+ def get_groups(self, specific_dn = None):
+ filt = self.ldap_filter('groups')
+ dn = self.get_group_dn()
+
+ if specific_dn:
+ # When using AD, the groups can be filtered by the DN attribute. With
+ # e.g. OpenLDAP this is not possible. In that case, change the DN.
+ if self.is_active_directory():
+ filt = '(&%s(distinguishedName=%s))' % (filt, specific_dn)
+ else:
+ dn = specific_dn
+
+ return self._ldap_search(dn, filt, ['cn'],
self._config['group_scope'])
+
+
# TODO: Use get_group_memberships()?
def _get_filter_group_members(self, filter_group_dn):
member_attr = self._member_attr().lower()
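Review bot: `specific_dn` is interpolated into the search filter unescaped in the Active Directory branch of the new `get_groups` (`filt = '(&%s(distinguishedName=%s))' % (filt, specific_dn)`). A DN can legitimately contain `(`, `)`, `*` or `\`, and any of these either makes the filter invalid or changes what it matches. The value should be escaped as a filter assertion value first, e.g. `filt = '(&%s(distinguishedName=%s))' % (filt, ldap.filter.escape_filter_chars(specific_dn))`, assuming python-ldap's `ldap.filter` is available in this module (the import block is outside the hunk). The non-AD branch uses the value as the search base, so filter escaping does not apply there.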
@@ -1072,7 +1087,7 @@ class LDAPUserConnector(UserConnector):
self._logger.info('SYNC STARTED')
self._logger.info(' SYNC PLUGINS: %s' % ',
'.join(self._config['active_plugins'].keys()))
- ldap_users = self._get_users()
+ ldap_users = self.get_users()
import cmk.gui.userdb as userdb # TODO: Cleanup
users = userdb.load_users(lock = True)
@@ -2251,15 +2266,7 @@ ldap_attribute_plugins['groups_to_attributes'] = {
# '----------------------------------------------------------------------'
def ldap_sync_groups_to_roles(connection, plugin, params, user_id, ldap_user, user):
- import cmk.gui.userdb as userdb # TODO: Cleanup
-
- # Load the needed LDAP groups, which match the DNs mentioned in the role sync plugin
config
- ldap_groups = {}
- for connection_id, group_dns in get_groups_to_fetch(connection, params).items():
- conn = userdb.get_connection(connection_id)
- ldap_groups.update(dict(conn.get_group_memberships(group_dns,
- filt_attr = 'distinguishedname',
- nested = params.get('nested', False))))
+ ldap_groups = fetch_needed_groups_for_groups_to_roles(connection, params)
# posixGroup objects use the memberUid attribute to specify the group
# memberships. This is the username instead of the users DN. So the
@@ -2294,7 +2301,21 @@ def ldap_sync_groups_to_roles(connection, plugin, params, user_id,
ldap_user, us
return {'roles': list(roles)}
-def get_groups_to_fetch(connection, params):
+def fetch_needed_groups_for_groups_to_roles(connection, params):
+ import cmk.gui.userdb as userdb # TODO: Cleanup
+
+ # Load the needed LDAP groups, which match the DNs mentioned in the role sync plugin
config
+ ldap_groups = {}
+ for connection_id, group_dns in _get_groups_to_fetch(connection, params).items():
+ conn = userdb.get_connection(connection_id)
+ ldap_groups.update(dict(conn.get_group_memberships(group_dns,
+ filt_attr = 'distinguishedname',
+ nested = params.get('nested', False))))
+
+ return ldap_groups
+
+
+def _get_groups_to_fetch(connection, params):
groups_to_fetch = {}
for group_specs in params.itervalues():
if type(group_specs) == list:
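Review bot: In `fetch_needed_groups_for_groups_to_roles` the result of `userdb.get_connection(connection_id)` is used without a check. If a role mapping still names a connection that has since been removed or disabled, and the lookup returns `None` in that case (not visible here), `conn.get_group_memberships(...)` fails with an AttributeError in both the sync and the WATO test that now calls this helper. A guard such as `if conn is None: raise MKGeneralException(_('Unknown connection: %s') % connection_id)` would turn that into a readable error. Since the function is now called from another module, it also needs a docstring stating what the returned dict is keyed by; the caller tests `dn.lower() in ldap_groups`, so presumably lower-cased group DNs, which should be confirmed against `get_group_memberships`. The body of `_get_groups_to_fetch` continues outside the hunk.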
diff --git a/cmk/gui/wato/pages/ldap.py b/cmk/gui/wato/pages/ldap.py
index 638da55..d9ecb9a 100644
--- a/cmk/gui/wato/pages/ldap.py
+++ b/cmk/gui/wato/pages/ldap.py
@@ -31,6 +31,7 @@ import cmk.gui.config as config
import cmk.gui.watolib as watolib
import cmk.gui.userdb as userdb
import cmk.gui.table as table
+import cmk.gui.plugins.userdb.ldap_connector
from cmk.gui.log import logger
from cmk.gui.htmllib import HTML
from cmk.gui.exceptions import MKUserError
@@ -262,7 +263,7 @@ class ModeEditLDAPConnection(LDAPMode):
'href="https://mathias-kettner.com/checkmk_multisite_ldap_integration.html">'
'LDAP Documentation</a>.'))))
else:
- connection = userdb.get_connection(self._connection_id)
+ connection = userdb.get_connection(self._connection_id) # type:
cmk.gui.plugins.userdb.ldap_connector.LDAPUserConnector
for address in connection.servers():
html.h3("%s: %s" % (_('Server'), address))
table.begin('test', searchable = False)
@@ -382,22 +383,22 @@ class ModeEditLDAPConnection(LDAPMode):
if 'groups_to_roles' not in active_plugins:
return True, _('Skipping this test (Plugin is not enabled)')
+ params = active_plugins['groups_to_roles']
connection.connect(enforce_new = True, enforce_server = address)
- num = 0
+
+ ldap_groups =
cmk.gui.plugins.userdb.ldap_connector.fetch_needed_groups_for_groups_to_roles(connection,
params)
+
+ num_groups = 0
for role_id, group_distinguished_names in
active_plugins['groups_to_roles'].items():
if type(group_distinguished_names) != list:
group_distinguished_names = [group_distinguished_names]
- for dn in group_distinguished_names:
- if type(dn) in [ str, unicode ]:
- num += 1
- try:
- ldap_groups = connection.get_groups(dn)
- if not ldap_groups:
- return False, _('Could not find the group specified for
role %s') % role_id
- except Exception, e:
- return False, _('Error while fetching group for role %s:
%s') % (role_id, e)
- return True, _('Found all %d groups.') % num
+ for dn, _search_connection_id in group_distinguished_names:
+ if dn.lower() not in ldap_groups:
+ return False, _('Could not find the group specified for role
%s') % role_id
+
+ num_groups += 1
+ return True, _('Found all %d groups.') % num_groups
def _valuespec(self):
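Review bot: The rewritten role-mapping test no longer reports lookup errors as a test result. The old loop wrapped `connection.get_groups(dn)` in `try`/`except` and returned `False` with a message, whereas an exception raised inside `fetch_needed_groups_for_groups_to_roles(connection, params)` now propagates out of the test function unless the caller, which is outside this hunk, handles it. Wrapping the fetch in `try:` / `except Exception, e:` with `return False, _('Error while fetching groups: %s') % e` would restore that behaviour. The loop `for dn, _search_connection_id in group_distinguished_names:` also assumes every entry is a 2-tuple; the removed `type(dn) in [ str, unicode ]` check suggests plain-string entries can occur in existing configs, and those would fail the unpack, so they should be normalised first. The enclosing test function starts before the hunk.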
diff --git a/tests/unit/cmk/gui/test_userdb_ldap_connector.py
b/tests/unit/cmk/gui/test_userdb_ldap_connector.py
index e9f8584..6d62510 100644
--- a/tests/unit/cmk/gui/test_userdb_ldap_connector.py
+++ b/tests/unit/cmk/gui/test_userdb_ldap_connector.py
@@ -353,7 +353,7 @@ def test_non_contact_attributes(mocked_ldap):
def test_get_users(mocked_ldap):
- users = mocked_ldap._get_users()
+ users = mocked_ldap.get_users()
assert len(users) == 3
assert u"härry" in users