[LDAP] Neue Rollen werden hinzugefügt

2020-11-12 23:42:03 +01:00 · 2020-11-12 23:42:03 +01:00 · 96765ee932
parent 65af9ab367
commit 96765ee932
2 changed files with 19 additions and 4 deletions
--- a/flaschengeist.example.toml
+++ b/flaschengeist.example.toml
@ -27,10 +27,12 @@ enabled = true
 # URL =
 # PORT =
 # BINDDN =
+# BASEDN =
 # SECRET =
 # USE_SSL =
-## ADMIN_DN:
-## ADMIN_SECRET:
+# ADMIN_DN =
+# ADMIN_SECRET =
+# gidNumber =

 #[users]
 # allways enabled
--- a/flaschengeist/plugins/auth_ldap/init.py
+++ b/flaschengeist/plugins/auth_ldap/init.py
@ -34,6 +34,7 @@ class AuthLDAP(AuthPlugin):
            app.config["LDAP_SECRET"] = (config["SECRET"],)
        self.ldap = LDAPConn(app)
        self.dn = config["BASEDN"]
+        self.gidNumber = config['gidNumber']
        # TODO: might not be set if modify is called
        if "ADMIN_DN" in config:
            self.admin_dn = config["ADMIN_DN"]
@ -75,7 +76,7 @@ class AuthLDAP(AuthPlugin):
            attributes = {
                'sn': user.firstname,
                'givenName': user.lastname,
-                'gidNumber': 15000,
+                'gidNumber': self.gidNumber,
                'homeDirectory': f'/home/{user.userid}',
                'loginShell': '/bin/bash',
                'uid': user.userid,
@ -121,12 +122,24 @@ class AuthLDAP(AuthPlugin):
            ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
            self.ldap.connection.search(f"ou=group,{self.dn}", "(cn=*)", SUBTREE, attributes=["cn", "gidNumber"])
            ldap_roles = self.ldap.response()
+
+            gidNumbers = sorted(ldap_roles, key=lambda i: i['attributes']['gidNumber'], reverse=True)
+            gidNumber = gidNumbers[0]['attributes']['gidNumber'] + 1
+
+            for user_role in user.roles:
+                if user_role not in [role["attributes"]["cn"][0] for role in ldap_roles]:
+                    ldap_conn.add(f"cn={user_role},ou=group,{self.dn}", ["posixGroup"], attributes={"gidNumber": gidNumber})
+
+            ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
+            self.ldap.connection.search(f"ou=group,{self.dn}", "(cn=*)", SUBTREE, attributes=["cn", "gidNumber"])
+            ldap_roles = self.ldap.response()
+
            for ldap_role in ldap_roles:
                if ldap_role["attributes"]["cn"][0] in user.roles:
                    modify = {'memberUid': [(MODIFY_ADD, [user.userid])]}
                else:
                    modify = {'memberUid': [(MODIFY_DELETE, [user.userid])]}
-                test = ldap_conn.modify(ldap_role["dn"], modify)
+                ldap_conn.modify(ldap_role["dn"], modify)

        except (LDAPPasswordIsMandatoryError, LDAPBindError):
            raise BadRequest