[checkmk-commits] Check_MK Git: check_mk: userdb/ldap: Added option to add custom vars to contacts.mk or multisite users.mk

git version control git at mathias-kettner.de
Wed Nov 21 14:35:05 CET 2012


Module: check_mk
Branch: master
Commit: 049d209bc2193762d16e8f6082896d378598cece
URL:    http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=049d209bc2193762d16e8f6082896d378598cece

Author: Lars Michelsen <lm at mathias-kettner.de>
Date:   Thu Nov 15 11:14:48 2012 +0100

userdb/ldap: Added option to add custom vars to contacts.mk or multisite users.mk

---

 web/htdocs/userdb.py       |   10 ++++++++++
 web/htdocs/wato.py         |    8 ++++++--
 web/plugins/userdb/ldap.py |   34 +++++++++++++++++++++++++++++-----
 3 files changed, 45 insertions(+), 7 deletions(-)

diff --git a/web/htdocs/userdb.py b/web/htdocs/userdb.py
index f64e3c7..a216ec0 100644
--- a/web/htdocs/userdb.py
+++ b/web/htdocs/userdb.py
@@ -74,6 +74,16 @@ def locked_attributes(connector_id):
     connector = get_connector(connector_id)
     return connector.get('locked_attributes', lambda: [])()
 
+# Returns a list of multisite attributes
+def multisite_attributes(connector_id):
+    connector = get_connector(connector_id)
+    return connector.get('multisite_attributes', lambda: [])()
+
+# Returns a list of non contact attributes
+def non_contact_attributes(connector_id):
+    connector = get_connector(connector_id)
+    return connector.get('non_contact_attributes', lambda: [])()
+
 # This is a function needed in WATO and the htpasswd module. This should
 # really be modularized one day. Till this day this is a good place ...
 def encrypt_password(password, salt = None):
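Review bot: Both new accessors call `.get` on whatever `get_connector(connector_id)` returns, and the wato.py callers in this commit pass `user.get('connector')`, which is None for a profile that has no `connector` key. `get_connector` is not visible here; if it can return None for a missing or unknown id, saving users would raise AttributeError, so a guard such as `if connector is None: return []` may be needed (the existing `locked_attributes` has the same shape). The result is also concatenated with a list in wato.py, so the leading comments could say that the connector callback must return a list, e.g. `# Returns a list (not a set or tuple) of attribute names to be written to multisite's users.mk`.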
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 746e3bf..2de411c 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -8417,6 +8417,8 @@ def save_users(profiles):
         "locked",
         "automation_secret",
         "language",
+        "serial",
+        "connector",
     ] + custom_values
 
     # Keys to put into multisite configuration
@@ -8426,19 +8428,21 @@ def save_users(profiles):
         "automation_secret",
         "alias",
         "language",
+        "serial",
+        "connector",
     ] + custom_values
 
     # Remove multisite keys in contacts.
     contacts = dict(
         e for e in 
-            [ (id, split_dict(user, non_contact_keys, False))
+            [ (id, split_dict(user, non_contact_keys + userdb.non_contact_attributes(user.get('connector')), False))
                for (id, user)
                in profiles.items() ])
 
     # Only allow explicitely defined attributes to be written to multisite config
     users = {}
     for uid, profile in profiles.items():
-        users[uid] = dict([ (p, val) for p, val in profile.items() if p in multisite_keys ])
+        users[uid] = dict([ (p, val) for p, val in profile.items() if p in multisite_keys + userdb.multisite_attributes(user.get('connector'))])
 
     # Check_MK's monitoring contacts
     filename = root_dir + "contacts.mk"
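Review bot: The new filter inside `for uid, profile in profiles.items()` reads `user.get('connector')`, but `user` is not that loop's variable. It appears to be the name left over from the list comprehension above, so every profile would be filtered with the connector of whichever user was iterated last there. This filter is the allow-list for what is written to the multisite config, so it should use the profile being processed: `userdb.multisite_attributes(profile.get('connector'))`. Building the allowed list once per profile, before the comprehension, would also avoid recomputing it for every attribute. The body of save_users starts and ends outside the hunk.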
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index a6f8669..e605426 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -270,7 +270,7 @@ ldap_attribute_plugins['email'] = {
     # gathered from ldap
     'convert': ldap_convert_mail,
     # User-Attributes to be written by this plugin and will be locked in WATO
-    'set_attributes': [ 'email' ],
+    'lock_attributes': [ 'email' ],
 }
 
 ldap_attribute_plugins['alias'] = {
@@ -278,7 +278,7 @@ ldap_attribute_plugins['alias'] = {
     'help':  _('Synchronizes the alias of the LDAP user account into Check_MK.'),
     'needed_attributes': lambda: ldap_attrs(['cn']),
     'convert':           lambda user_id, ldap_user, user: ldap_convert_simple(user_id, ldap_user, user, 'alias', 'cn'),
-    'set_attributes':    [ 'alias' ],
+    'lock_attributes':   [ 'alias' ],
 }
 
 # Checks wether or not the user auth must be invalidated (increasing the serial).
@@ -313,7 +313,13 @@ ldap_attribute_plugins['auth_expire'] = {
                'the password has changed in LDAP or the account has been locked.'),
     'needed_attributes': lambda: ldap_attrs(['pw_changed']),
     'convert':           ldap_convert_auth_expire,
-    'set_attributes':    [],
+    'lock_attributes':   [],
+    # When a plugin introduces new user attributes, it should declare the output target for
+    # this attribute. It can either be written to the multisites users.mk or the check_mk
+    # contacts.mk to be forwarded to nagios. Undeclared attributes are stored in the check_mk
+    # contacts.mk file.
+    'multisite_attributes':   ['ldap_pw_last_changed'],
+    'non_contact_attributes': ['ldap_pw_last_changed'],
 }
 
 #   .----------------------------------------------------------------------.
@@ -401,9 +407,25 @@ def ldap_sync(add_to_changelog, only_username):
 def ldap_locked_attributes():
     locked = set([ 'password' ]) # This attributes are locked in all cases!
     for key in config.ldap_active_plugins:
-        locked.update(ldap_attribute_plugins[key]['set_attributes'])
+        locked.update(ldap_attribute_plugins[key]['lock_attributes'])
     return list(locked)
 
+# Calculates the attributes added in this connector which shal be written to
+# the multisites users.mk
+def ldap_multisite_attributes():
+    attrs = set([])
+    for key in config.ldap_active_plugins:
+        attrs.update(ldap_attribute_plugins[key].get('multisite_attributes', []))
+    return list(attrs)
+
+# Calculates the attributes added in this connector which shal NOT be written to
+# the check_mks contacts.mk
+def ldap_non_contact_attributes():
+    attrs = set([])
+    for key in config.ldap_active_plugins:
+        attrs.update(ldap_attribute_plugins[key].get('non_contact_attributes', []))
+    return list(attrs)
+
 # Is called on every multisite http request
 def ldap_page():
     try:
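Review bot: `ldap_locked_attributes` now indexes `ldap_attribute_plugins[key]['lock_attributes']` directly, while the two new helpers use `.get(..., [])`. An active plugin defined outside this file that still declares the old `set_attributes` key would raise KeyError here. If such plugins can exist, reading the old key as a fallback is safer than an empty default, which would silently leave those attributes unlocked: `plugin.get('lock_attributes', plugin.get('set_attributes', []))`. The body of ldap_page continues outside the hunk.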
@@ -429,5 +451,7 @@ multisite_user_connectors.append({
                                       # synchronized and the user is enabled in LDAP and disabled
                                       # in Check_MK. When the user is locked in LDAP a login is
                                       # not possible.
-    'locked_attributes': ldap_locked_attributes,
+    'locked_attributes':      ldap_locked_attributes,
+    'multisite_attributes':   ldap_multisite_attributes,
+    'non_contact_attributes': ldap_multisite_attributes,
 })
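Review bot: `'non_contact_attributes'` is registered with `ldap_multisite_attributes`, so the `ldap_non_contact_attributes` helper added in this commit is not referenced anywhere in the visible lines. The two lists are identical for `auth_expire` today, which hides the mistake. A plugin that declares an attribute only under `non_contact_attributes` would still have it written to contacts.mk and forwarded to the monitoring core. The entry should read `'non_contact_attributes': ldap_non_contact_attributes,`. The connector dict begins outside the hunk.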


