[LDAP] Neue Rollen werden hinzugefügt

This commit is contained in:
Tim Gröger 2020-11-12 23:42:03 +01:00
parent 65af9ab367
commit 96765ee932
2 changed files with 19 additions and 4 deletions


@ -27,10 +27,12 @@ enabled = true
# URL = # URL =
# PORT = # PORT =
# BINDDN = # BINDDN =
# BASEDN =
# SECRET = # SECRET =
# USE_SSL = # USE_SSL =
## ADMIN_DN: # ADMIN_DN =
## ADMIN_SECRET: # ADMIN_SECRET =
# gidNumber =
#[users] #[users]
# allways enabled # allways enabled


@ -34,6 +34,7 @@ class AuthLDAP(AuthPlugin):
app.config["LDAP_SECRET"] = (config["SECRET"],) app.config["LDAP_SECRET"] = (config["SECRET"],)
self.ldap = LDAPConn(app) self.ldap = LDAPConn(app)
self.dn = config["BASEDN"] self.dn = config["BASEDN"]
self.gidNumber = config['gidNumber']
# TODO: might not be set if modify is called # TODO: might not be set if modify is called
if "ADMIN_DN" in config: if "ADMIN_DN" in config:
self.admin_dn = config["ADMIN_DN"] self.admin_dn = config["ADMIN_DN"]
@ -75,7 +76,7 @@ class AuthLDAP(AuthPlugin):
attributes = { attributes = {
'sn': user.firstname, 'sn': user.firstname,
'givenName': user.lastname, 'givenName': user.lastname,
'gidNumber': 15000, 'gidNumber': self.gidNumber,
'homeDirectory': f'/home/{user.userid}', 'homeDirectory': f'/home/{user.userid}',
'loginShell': '/bin/bash', 'loginShell': '/bin/bash',
'uid': user.userid, 'uid': user.userid,
@ -121,12 +122,24 @@ class AuthLDAP(AuthPlugin):
ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret) ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
self.ldap.connection.search(f"ou=group,{self.dn}", "(cn=*)", SUBTREE, attributes=["cn", "gidNumber"]) self.ldap.connection.search(f"ou=group,{self.dn}", "(cn=*)", SUBTREE, attributes=["cn", "gidNumber"])
ldap_roles = self.ldap.response() ldap_roles = self.ldap.response()
gidNumbers = sorted(ldap_roles, key=lambda i: i['attributes']['gidNumber'], reverse=True)
gidNumber = gidNumbers[0]['attributes']['gidNumber'] + 1
for user_role in user.roles:
if user_role not in [role["attributes"]["cn"][0] for role in ldap_roles]:
ldap_conn.add(f"cn={user_role},ou=group,{self.dn}", ["posixGroup"], attributes={"gidNumber": gidNumber})
ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
self.ldap.connection.search(f"ou=group,{self.dn}", "(cn=*)", SUBTREE, attributes=["cn", "gidNumber"])
ldap_roles = self.ldap.response()
for ldap_role in ldap_roles: for ldap_role in ldap_roles:
if ldap_role["attributes"]["cn"][0] in user.roles: if ldap_role["attributes"]["cn"][0] in user.roles:
modify = {'memberUid': [(MODIFY_ADD, [user.userid])]} modify = {'memberUid': [(MODIFY_ADD, [user.userid])]}
else: else:
modify = {'memberUid': [(MODIFY_DELETE, [user.userid])]} modify = {'memberUid': [(MODIFY_DELETE, [user.userid])]}
test = ldap_conn.modify(ldap_role["dn"], modify) ldap_conn.modify(ldap_role["dn"], modify)
except (LDAPPasswordIsMandatoryError, LDAPBindError): except (LDAPPasswordIsMandatoryError, LDAPBindError):
raise BadRequest raise BadRequest
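Review bot: `gidNumber` is computed once before the `for user_role in user.roles` loop and never advanced, so when two or more of the user's roles are missing from `ou=group` every new posixGroup is created with the same gidNumber; add `gidNumber += 1` right after the `ldap_conn.add(...)` call. The same lookup also raises IndexError when the search returns no entries, because `gidNumbers[0]` is taken unconditionally — guard with `if not ldap_roles:` and start from the configured base (`self.gidNumber`, read in the first hunk) in that case. The return value of `ldap_conn.add` is discarded, so a failed group creation goes unnoticed and the user is then silently left out of that role; check it (ldap3 returns False and leaves the reason in `ldap_conn.result`) and raise as the `except` branch below does — note the enclosing method starts and ends outside this hunk. Allocating gids as max+1 with no locking can also hand the same gid to two concurrent requests, which would merge unrelated roles into one group; if this runs with more than one worker, a server-side allocation or a uniqueness check after the add is needed. `user_role` is interpolated straight into the RDN, so if role names can contain commas, plus signs or equals characters they should go through ldap3's `escape_rdn` first.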