[checkmk-commits] Check_MK Git: check_mk: ldap: added sync plugin to add user roles depending on group memberships

git version control git at mathias-kettner.de
Wed Nov 21 14:35:07 CET 2012


Module: check_mk
Branch: master
Commit: 23c81a9db024f87c1ae2db7884daadf447ff22ef
URL:    http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=23c81a9db024f87c1ae2db7884daadf447ff22ef

Author: Lars Michelsen <lm at mathias-kettner.de>
Date:   Mon Nov 19 11:56:57 2012 +0100

ldap: added sync plugin to add user roles depending on group memberships

---

 web/htdocs/wato.py         |   17 ++++++++---------
 web/plugins/userdb/ldap.py |   43 +++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 49 insertions(+), 11 deletions(-)

diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 0bfc779..039186f 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -8175,6 +8175,7 @@ def mode_edit_user(phase):
     forms.section(_("Roles"))
     entries = roles.items()
     entries.sort(cmp = lambda a,b: cmp((a[1]["alias"],a[0]), (b[1]["alias"],b[0])))
+    is_member_of_at_least_one = False
     for role_id, role in entries:
         if not is_locked('roles'):
             html.checkbox("role_" + role_id, role_id in user.get("roles", []))
@@ -8182,17 +8183,15 @@ def mode_edit_user(phase):
             html.write("<a href='%s'>%s</a><br>" % (url, role["alias"]))
         else:
             is_member = role_id in user.get("roles", [])
-            html.hidden_field("role_" + role_id, is_member and '1' or '')
-            if not is_member:
-                html.write('<i>%s</i>' % _('No roles assigned.'))
-            else:
+            if is_member:
+                is_member_of_at_least_one = True
+
                 url = make_link([("mode", "edit_role"), ("edit", role_id)])
                 html.write("<a href='%s'>%s</a><br>" % (url, role["alias"]))
-    html.help(_("By assigning roles to a user he obtains permissions. "
-                "If a user has more than one role, he gets the maximum of all "
-                "permissions of his roles. "
-                "Users without any role have no permissions to use Multisite at all "
-                "but still can be monitoring contacts and receive notifications."))
+
+            html.hidden_field("role_" + role_id, is_member and '1' or '')
+    if not is_member_of_at_least_one:
+        html.write('<i>%s</i>' % _('No roles assigned.'))
 
     # Contact groups
     forms.header(_("Contact Groups"), isopen=False)
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 284fdee..9a31d96 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -248,7 +248,7 @@ def ldap_get_users(add_filter = None):
 
     return result
 
-def ldap_user_groups(username):
+def ldap_user_groups(username, attr = 'cn'):
     user_dn = ldap_get_user_dn(username)
 
     # Apply configured group ldap filter and only reply with groups
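Review bot: The new `attr` parameter is undocumented and, in the next hunk, any value other than `'cn'` or `'dn'` falls through both branches and silently returns an empty list, which a caller would read as "member of no groups". A short docstring such as `"""Return the user's LDAP groups as group CNs (attr='cn') or as group DNs (attr='dn')."""` and an early check, `if attr not in ('cn', 'dn'): raise ValueError('unsupported attr: %s' % attr)`, would make the contract explicit. `ldap_user_groups` continues past the end of this hunk.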
@@ -259,7 +259,11 @@ def ldap_user_groups(username):
     groups = []
     for dn, group in ldap_search(ldap_replace_macros(config.ldap_groupspec['dn']),
                                  filt, ['cn']):
-        groups.append(group['cn'][0])
+        if attr == 'cn':
+            groups.append(group['cn'][0])
+
+        elif attr == 'dn':
+            groups.append(dn)
 
     return groups
 
@@ -440,6 +444,41 @@ ldap_attribute_plugins['groups_to_contactgroups'] = {
     'lock_attributes':   ['contactgroups'],
 }
 
+def ldap_convert_groups_to_roles(params, user_id, ldap_user, user):
+    groups = []
+    # 1. Fetch DNs of all LDAP groups of the user
+    ldap_groups = [ g.lower() for g in ldap_user_groups(user_id, 'dn') ]
+
+    # 2. Loop all roles mentioned in params (configured to be synchronized)
+    roles = []
+    for role_id, dn in params.items():
+        if dn.lower() in ldap_groups:
+            roles.append(role_id)
+
+    return {'roles': roles}
+
+def ldap_list_roles_with_group_dn():
+    import wato
+    roles = wato.load_roles()
+
+    elements = []
+    for role_id, role in wato.load_roles().items():
+        elements.append((role_id, LDAPDistinguishedName(
+            title = role['alias'] + ' - ' + _("Specify the Group DN"),
+            help  = _("Distinguished Name of the LDAP group to add users this role."),
+            size  = 80,
+        )))
+    return elements
+
+ldap_attribute_plugins['groups_to_roles'] = {
+    'title': _('Roles'),
+    'help':  _('Configures the roles of the user depending on its group memberships '
+               'in LDAP.'),
+    'convert':           ldap_convert_groups_to_roles,
+    'lock_attributes':   ['roles'],
+    'parameters':        ldap_list_roles_with_group_dn,
+}
+
 #   .----------------------------------------------------------------------.
 #   |                     _   _             _                              |
 #   |                    | | | | ___   ___ | | _____                       |
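Review bot: `ldap_convert_groups_to_roles` decides role membership by comparing lowercased DN strings, which is only an approximation of LDAP DN matching: attribute values with case-sensitive syntax are folded too, and a configured DN that differs from the directory's form only in whitespace after separators (`cn=a, ou=b` vs `cn=a,ou=b`) will not match, so the user silently loses that role. Normalizing both sides the same way in one helper (at least stripping whitespace around `,`) and using a set for the membership test (`ldap_groups = set(...)`) would make the comparison predictable. The unused `groups = []` at the top of that function should be dropped, and `ldap_list_roles_with_group_dn` loads roles twice — the loop should iterate the `roles` it already holds. The help string `Distinguished Name of the LDAP group to add users this role.` reads better as `... to add users to this role.`. Returning `{'roles': roles}` for every synced user, together with `'lock_attributes': ['roles']`, presumably replaces any manually assigned roles; if that is intended the plugin help should say so.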


