Module: check_mk Branch: master Commit: 51dea9a4dc31b0d8a4cb014cd5a41feb89bfeb73 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=51dea9a4dc31b0… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Thu Mar 26 10:15:14 2015 +0100 #2166 LDAP: Multiple LDAP groups can be configured for assigning single roles to users In previous versions only one LDAP group per role could be configured to assign this role the the members of the LDAP group. It's now possible to use multiple ldap groups for a single role. --- .werks/2166 | 11 +++++++++ ChangeLog | 1 + web/plugins/userdb/ldap.py | 54 ++++++++++++++++++++++++++++++-------------- 3 files changed, 49 insertions(+), 17 deletions(-) diff --git a/.werks/2166 b/.werks/2166 new file mode 100644 index 0000000..47f3445 --- /dev/null +++ b/.werks/2166 @@ -0,0 +1,11 @@ +Title: LDAP: Multiple LDAP groups can be configured for assigning single roles to users +Level: 1 +Component: multisite +Compatible: compat +Version: 1.2.7i1 +Date: 1427361208 +Class: feature + +In previous versions only one LDAP group per role could be configured to assign this +role the the members of the LDAP group. It's now possible to use multiple ldap groups +for a single role. diff --git a/ChangeLog b/ChangeLog index 70f79e2..f1bf387 100644 --- a/ChangeLog +++ b/ChangeLog @@ -302,6 +302,7 @@ * 2042 Services are now sorted in a natural way, this affects services containing numbers... * 2140 Remove PNP Timeranges from range selection, put these ranges directly into the list... * 1239 Fixed /treasures/downtime script to work with the new visuals + * 2166 LDAP: Multiple LDAP groups can be configured for assigning single roles to users... * 1781 FIX: Fix broken grouping by host/service group in availability * 1783 FIX: Finish the view "History of Scheduled Downtimes"... * 1206 FIX: Hostname not longer shown as column in host views diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py index e0c0ae0..54ef6f6 100644 --- a/web/plugins/userdb/ldap.py +++ b/web/plugins/userdb/ldap.py @@ -904,8 +904,16 @@ ldap_attribute_plugins['groups_to_contactgroups'] = { def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user, user): # Load the needed LDAP groups, which match the DNs mentioned in the role sync plugin config - ldap_groups = dict(ldap_group_members([ dn.lower() for role_id, dn in params.items() if isinstance(dn, str) ], - filt_attr = 'distinguishedname', nested = params.get('nested', False))) + groups_to_fetch = [] + for role_id, distinguished_names in params.items(): + if type(distinguished_names) == list: + groups_to_fetch += [ dn.lower() for dn in distinguished_names ] + elif type(distinguished_names) == str: + groups_to_fetch.append(distinguished_names.lower()) + + ldap_groups = dict(ldap_group_members(groups_to_fetch, + filt_attr = 'distinguishedname', + nested = params.get('nested', False))) # posixGroup objects use the memberUid attribute to specify the group # memberships. This is the username instead of the users DN. So the @@ -915,14 +923,18 @@ def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user, user): roles = set([]) # Loop all roles mentioned in params (configured to be synchronized) - for role_id, dn in params.items(): - if not isinstance(dn, str): - continue # skip non configured ones - dn = dn.lower() # lower case matching for DNs! + for role_id, distinguished_names in params.items(): + if type(distinguished_names) != list: + distinguished_names = [distinguished_names] + + for dn in distinguished_names: + if not isinstance(dn, str): + continue # skip non configured ones (old valuespecs allowed None) + dn = dn.lower() # lower case matching for DNs! - # if group could be found and user is a member, add the role - if dn in ldap_groups and user_cmp_val in ldap_groups[dn]['members']: - roles.add(role_id) + # if group could be found and user is a member, add the role + if dn in ldap_groups and user_cmp_val in ldap_groups[dn]['members']: + roles.add(role_id) # Load default roles from default user profile when the user got no role # by the role sync plugin @@ -934,14 +946,22 @@ def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user, user): def ldap_list_roles_with_group_dn(): elements = [] for role_id, role in load_roles().items(): - elements.append((role_id, LDAPDistinguishedName( - title = role['alias'] + ' - ' + _("Specify the Group DN"), - help = _("Distinguished Name of the LDAP group to add users this role. " - "e. g. <tt>CN=cmk-users,OU=groups,DC=example,DC=com</tt><br> " - "This group must be defined within the scope of the " - "<a href=\"wato.py?mode=ldap_config&varname=ldap_groupspec\">LDAP Group Settings</a>."), - size = 80, - enforce_suffix = ldap_replace_macros(config.ldap_groupspec.get('dn', '')), + elements.append((role_id, Transform( + ListOf( + LDAPDistinguishedName( + size = 80, + enforce_suffix = ldap_replace_macros(config.ldap_groupspec.get('dn', '')), + allow_empty = False, + ), + title = role['alias'] + ' - ' + _("Specify the Group DN"), + help = _("Distinguished Names of the LDAP groups to add users this role. " + "e. g. <tt>CN=cmk-users,OU=groups,DC=example,DC=com</tt><br> " + "This group must be defined within the scope of the " + "<a href=\"wato.py?mode=ldap_config&varname=ldap_groupspec\">LDAP Group Settings</a>."), + movable = False, + ), + # Convert old single distinguished names to list of :Ns + forth = lambda v: type(v) != list and [v] or v, ))) elements.append(