From 96765ee932374d1af25ecf4ebab62b6d945d3f38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Gr=C3=B6ger?= Date: Thu, 12 Nov 2020 23:42:03 +0100 Subject: [PATCH] =?UTF-8?q?[LDAP]=20Neue=20Rollen=20werden=20hinzugef?= =?UTF-8?q?=C3=BCgt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- flaschengeist.example.toml | 6 ++++-- flaschengeist/plugins/auth_ldap/__init__.py | 17 +++++++++++++++-- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/flaschengeist.example.toml b/flaschengeist.example.toml index e0a0cda..c177f23 100644 --- a/flaschengeist.example.toml +++ b/flaschengeist.example.toml @@ -27,10 +27,12 @@ enabled = true # URL = # PORT = # BINDDN = +# BASEDN = # SECRET = # USE_SSL = -## ADMIN_DN: -## ADMIN_SECRET: +# ADMIN_DN = +# ADMIN_SECRET = +# gidNumber = #[users] # allways enabled diff --git a/flaschengeist/plugins/auth_ldap/__init__.py b/flaschengeist/plugins/auth_ldap/__init__.py index b9412b1..0eb27c3 100644 --- a/flaschengeist/plugins/auth_ldap/__init__.py +++ b/flaschengeist/plugins/auth_ldap/__init__.py @@ -34,6 +34,7 @@ class AuthLDAP(AuthPlugin): app.config["LDAP_SECRET"] = (config["SECRET"],) self.ldap = LDAPConn(app) self.dn = config["BASEDN"] + self.gidNumber = config['gidNumber'] # TODO: might not be set if modify is called if "ADMIN_DN" in config: self.admin_dn = config["ADMIN_DN"] @@ -75,7 +76,7 @@ class AuthLDAP(AuthPlugin): attributes = { 'sn': user.firstname, 'givenName': user.lastname, - 'gidNumber': 15000, + 'gidNumber': self.gidNumber, 'homeDirectory': f'/home/{user.userid}', 'loginShell': '/bin/bash', 'uid': user.userid, @@ -121,12 +122,24 @@ class AuthLDAP(AuthPlugin): ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret) self.ldap.connection.search(f"ou=group,{self.dn}", "(cn=*)", SUBTREE, attributes=["cn", "gidNumber"]) ldap_roles = self.ldap.response() + + gidNumbers = sorted(ldap_roles, key=lambda i: i['attributes']['gidNumber'], reverse=True) + gidNumber = gidNumbers[0]['attributes']['gidNumber'] + 1 + + for user_role in user.roles: + if user_role not in [role["attributes"]["cn"][0] for role in ldap_roles]: + ldap_conn.add(f"cn={user_role},ou=group,{self.dn}", ["posixGroup"], attributes={"gidNumber": gidNumber}) + + ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret) + self.ldap.connection.search(f"ou=group,{self.dn}", "(cn=*)", SUBTREE, attributes=["cn", "gidNumber"]) + ldap_roles = self.ldap.response() + for ldap_role in ldap_roles: if ldap_role["attributes"]["cn"][0] in user.roles: modify = {'memberUid': [(MODIFY_ADD, [user.userid])]} else: modify = {'memberUid': [(MODIFY_DELETE, [user.userid])]} - test = ldap_conn.modify(ldap_role["dn"], modify) + ldap_conn.modify(ldap_role["dn"], modify) except (LDAPPasswordIsMandatoryError, LDAPBindError): raise BadRequest