diff --git a/flaschengeist/plugins/auth_ldap/__init__.py b/flaschengeist/plugins/auth_ldap/__init__.py
index 3474f44..42e795d 100644
--- a/flaschengeist/plugins/auth_ldap/__init__.py
+++ b/flaschengeist/plugins/auth_ldap/__init__.py
@@ -1,6 +1,8 @@
 """LDAP Authentication Provider Plugin"""
 import ssl
+from typing import Optional
+
 from ldap3.utils.hashed import hashed
 from ldap3 import SUBTREE, MODIFY_REPLACE, MODIFY_ADD, MODIFY_DELETE, HASHED_SALTED_MD5
 from ldap3.core.exceptions import LDAPPasswordIsMandatoryError, LDAPBindError
@@ -129,13 +131,6 @@ class AuthLDAP(AuthPlugin):
         )
         return self.ldap.response()
-    def _delete_unsed_roles(self):
-        ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
-        ldap_roles = self._get_all_roles(ldap_conn)
-        for role in ldap_roles:
-            if len(role["attributes"]["memberUid"]) == 0:
-                ldap_conn.delete(role["dn"])
-
     def _set_roles(self, user: User):
         try:
             ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
@@ -166,7 +161,25 @@ class AuthLDAP(AuthPlugin):
                 modify = {"memberUid": [(MODIFY_DELETE, [user.userid])]}
                 ldap_conn.modify(ldap_role["dn"], modify)
-            self._delete_unsed_roles()
+        except (LDAPPasswordIsMandatoryError, LDAPBindError):
+            raise BadRequest
+
+    def modify_role(self, old_name: str, new_name: Optional[str]):
+        if self.admin_dn is None:
+            logger.error("admin_dn missing in ldap config!")
+            raise InternalServerError
+        try:
+            ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
+            ldap_conn.search(
+                f"ou=group,{self.dn}", f"(cn={old_name})", SUBTREE, attributes=["cn"]
+            )
+            if len(ldap_conn.response) >= 0:
+                dn = ldap_conn.response[0]["dn"]
+                if new_name:
+                    ldap_conn.modify_dn(dn, f"cn={new_name}")
+                else:
+                    ldap_conn.delete(dn)
+        except (LDAPPasswordIsMandatoryError, LDAPBindError):
             raise BadRequest
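Review bot: `if len(ldap_conn.response) >= 0:` in the new modify_role is always true, so an empty search result falls straight into `ldap_conn.response[0]["dn"]` and raises IndexError (not caught by the except below, which only covers bind failures) instead of reporting that the role does not exist; the guard should be `if ldap_conn.response:` with an explicit not-found error in the other branch. Separately, `old_name` and `new_name` are interpolated unescaped into the search filter `f"(cn={old_name})"` and the new RDN `f"cn={new_name}"`; if either value can originate from a request, LDAP filter and DN metacharacters in the name alter the query or the resulting entry name, so pass them through ldap3's `escape_filter_chars` (ldap3.utils.conv) and `escape_rdn` (ldap3.utils.dn) first, e.g. `f"(cn={escape_filter_chars(old_name)})"` and `f"cn={escape_rdn(new_name)}"`. The connection returned by `self.ldap.connect` is also never unbound on either the success or the error path; a `finally: ldap_conn.unbind()` (or a `with` block if the wrapper supports it) would close it deterministically. The leading context of this hunk is the tail of `_set_roles`, whose body starts outside the hunk.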