Module: check_mk
Branch: master
Commit: 51dea9a4dc31b0d8a4cb014cd5a41feb89bfeb73
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=51dea9a4dc31b0…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Mar 26 10:15:14 2015 +0100
#2166 LDAP: Multiple LDAP groups can be configured for assigning single roles to users
In previous versions only one LDAP group per role could be configured to assign this
role to the members of the LDAP group. It's now possible to use multiple LDAP groups
for a single role.
---
.werks/2166 | 11 +++++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 54 ++++++++++++++++++++++++++++++--------------
3 files changed, 49 insertions(+), 17 deletions(-)
diff --git a/.werks/2166 b/.werks/2166
new file mode 100644
index 0000000..47f3445
--- /dev/null
+++ b/.werks/2166
@@ -0,0 +1,11 @@
+Title: LDAP: Multiple LDAP groups can be configured for assigning single roles to users
+Level: 1
+Component: multisite
+Compatible: compat
+Version: 1.2.7i1
+Date: 1427361208
+Class: feature
+
+In previous versions only one LDAP group per role could be configured to assign this
+role the the members of the LDAP group. It's now possible to use multiple ldap
groups
+for a single role.
diff --git a/ChangeLog b/ChangeLog
index 70f79e2..f1bf387 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -302,6 +302,7 @@
* 2042 Services are now sorted in a natural way, this affects services containing
numbers...
* 2140 Remove PNP Timeranges from range selection, put these ranges directly into the
list...
* 1239 Fixed /treasures/downtime script to work with the new visuals
+ * 2166 LDAP: Multiple LDAP groups can be configured for assigning single roles to
users...
* 1781 FIX: Fix broken grouping by host/service group in availability
* 1783 FIX: Finish the view "History of Scheduled Downtimes"...
* 1206 FIX: Hostname not longer shown as column in host views
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index e0c0ae0..54ef6f6 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -904,8 +904,16 @@ ldap_attribute_plugins['groups_to_contactgroups'] = {
def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user, user):
# Load the needed LDAP groups, which match the DNs mentioned in the role sync plugin
config
- ldap_groups = dict(ldap_group_members([ dn.lower() for role_id, dn in params.items()
if isinstance(dn, str) ],
- filt_attr = 'distinguishedname', nested =
params.get('nested', False)))
+ groups_to_fetch = []
+ for role_id, distinguished_names in params.items():
+ if type(distinguished_names) == list:
+ groups_to_fetch += [ dn.lower() for dn in distinguished_names ]
+ elif type(distinguished_names) == str:
+ groups_to_fetch.append(distinguished_names.lower())
+
+ ldap_groups = dict(ldap_group_members(groups_to_fetch,
+ filt_attr = 'distinguishedname',
+ nested = params.get('nested', False)))
# posixGroup objects use the memberUid attribute to specify the group
# memberships. This is the username instead of the users DN. So the
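Review bot: The list branch calls `dn.lower()` on every element with no type check, while the matching loop in the second hunk skips anything that is not a `str`; a `None` or other non-string entry in a stored list would raise `AttributeError` here before that guard is reached. The exact-type tests `type(...) == list` and `type(...) == str` are also narrower than the `isinstance(dn, str)` they replace, so a value of another string type (for example `unicode` under Python 2, if the stored config can contain one) is left out of `groups_to_fetch` without notice and the role is never granted. I would use `groups_to_fetch += [ dn.lower() for dn in distinguished_names if isinstance(dn, str) ]` and `isinstance` for the two outer checks. The function continues past this hunk.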
@@ -915,14 +923,18 @@ def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user,
user):
roles = set([])
# Loop all roles mentioned in params (configured to be synchronized)
- for role_id, dn in params.items():
- if not isinstance(dn, str):
- continue # skip non configured ones
- dn = dn.lower() # lower case matching for DNs!
+ for role_id, distinguished_names in params.items():
+ if type(distinguished_names) != list:
+ distinguished_names = [distinguished_names]
+
+ for dn in distinguished_names:
+ if not isinstance(dn, str):
+ continue # skip non configured ones (old valuespecs allowed None)
+ dn = dn.lower() # lower case matching for DNs!
- # if group could be found and user is a member, add the role
- if dn in ldap_groups and user_cmp_val in ldap_groups[dn]['members']:
- roles.add(role_id)
+ # if group could be found and user is a member, add the role
+ if dn in ldap_groups and user_cmp_val in ldap_groups[dn]['members']:
+ roles.add(role_id)
# Load default roles from default user profile when the user got no role
# by the role sync plugin
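Review bot: A configured DN that is missing from `ldap_groups` is skipped without any trace at `if dn in ldap_groups and ...`, and with several DNs per role a single mistyped or out-of-scope entry is now easy to overlook. The comment below the loop says a user who gets no role from this plugin falls back to the default profile's roles, so an unresolved group changes what that user is authorised to do without anyone noticing. I would log the role id and DN when `dn not in ldap_groups` and add a comment such as `# a configured DN that was not fetched grants nothing; the user may end up with the default roles`. The inner loop can also `break` after `roles.add(role_id)`, since further DNs for the same role cannot change the result.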
@@ -934,14 +946,22 @@ def ldap_convert_groups_to_roles(plugin, params, user_id, ldap_user,
user):
def ldap_list_roles_with_group_dn():
elements = []
for role_id, role in load_roles().items():
- elements.append((role_id, LDAPDistinguishedName(
- title = role['alias'] + ' - ' + _("Specify the Group
DN"),
- help = _("Distinguished Name of the LDAP group to add users this role.
"
- "e. g.
<tt>CN=cmk-users,OU=groups,DC=example,DC=com</tt><br> "
- "This group must be defined within the scope of the "
- "<a
href=\"wato.py?mode=ldap_config&varname=ldap_groupspec\">LDAP Group
Settings</a>."),
- size = 80,
- enforce_suffix = ldap_replace_macros(config.ldap_groupspec.get('dn',
'')),
+ elements.append((role_id, Transform(
+ ListOf(
+ LDAPDistinguishedName(
+ size = 80,
+ enforce_suffix =
ldap_replace_macros(config.ldap_groupspec.get('dn', '')),
+ allow_empty = False,
+ ),
+ title = role['alias'] + ' - ' + _("Specify the Group
DN"),
+ help = _("Distinguished Names of the LDAP groups to add users this
role. "
+ "e. g.
<tt>CN=cmk-users,OU=groups,DC=example,DC=com</tt><br> "
+ "This group must be defined within the scope of the
"
+ "<a
href=\"wato.py?mode=ldap_config&varname=ldap_groupspec\">LDAP Group
Settings</a>."),
+ movable = False,
+ ),
+ # Convert old single distinguished names to list of :Ns
+ forth = lambda v: type(v) != list and [v] or v,
)))
elements.append(
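Review bot: The `forth` conversion wraps every non-list value, `None` included, so an old configuration that stored `None` for a role (the second hunk's comment says old valuespecs allowed that) becomes `[None]` and is handed to a `ListOf` whose elements are declared `allow_empty = False`. How the valuespec renders or validates such an entry is not visible in this hunk and should be checked. `forth = lambda v: v if isinstance(v, list) else ([v] if v else [])` avoids that case and the `and ... or` idiom. The comment above it reads `:Ns` where `DNs` is presumably meant, and the help text still says "This group" although several groups can now be given. The enclosing function continues outside the hunk.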