From 4e6653e299e8ae3ab935d4930965272b83af4b60 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 10 Oct 2019 17:36:09 +0200 Subject: [PATCH 1/4] ldap(major): start rewrite --- passbook/core/templates/overview/base.html | 12 -- passbook/sources/ldap/auth.py | 4 +- .../ldap/{ldap_connector.py => connector.py} | 120 ++---------------- passbook/sources/ldap/forms.py | 45 ++++--- .../sources/ldap/migrations/0001_initial.py | 41 +++--- passbook/sources/ldap/models.py | 43 +++---- .../sources/ldap/templates/ldap/settings.html | 33 ----- passbook/sources/ldap/urls.py | 9 -- passbook/sources/ldap/views.py | 38 ------ passbook/sources/oauth/clients.py | 5 +- 10 files changed, 79 insertions(+), 271 deletions(-) rename passbook/sources/ldap/{ldap_connector.py => connector.py} (59%) delete mode 100644 passbook/sources/ldap/templates/ldap/settings.html delete mode 100644 passbook/sources/ldap/urls.py delete mode 100644 passbook/sources/ldap/views.py diff --git a/passbook/core/templates/overview/base.html b/passbook/core/templates/overview/base.html index 5b80a7f3f..04982586d 100644 --- a/passbook/core/templates/overview/base.html +++ b/passbook/core/templates/overview/base.html @@ -141,18 +141,6 @@ {% trans 'Audit Log' %} -
  • - - - {% trans 'Django' %} - -
    • -
  • - - - {% trans 'Debug' %} - -
    • {% endif %} diff --git a/passbook/sources/ldap/auth.py b/passbook/sources/ldap/auth.py index 86508b2b3..ea4402c47 100644 --- a/passbook/sources/ldap/auth.py +++ b/passbook/sources/ldap/auth.py @@ -2,7 +2,7 @@ from django.contrib.auth.backends import ModelBackend from structlog import get_logger -from passbook.sources.ldap.ldap_connector import LDAPConnector +from passbook.sources.ldap.connector import Connector from passbook.sources.ldap.models import LDAPSource LOGGER = get_logger() @@ -16,7 +16,7 @@ class LDAPBackend(ModelBackend): if 'password' not in kwargs: return None for source in LDAPSource.objects.filter(enabled=True): - _ldap = LDAPConnector(source) + _ldap = Connector(source) user = _ldap.auth_user(**kwargs) if user: return user diff --git a/passbook/sources/ldap/ldap_connector.py b/passbook/sources/ldap/connector.py similarity index 59% rename from passbook/sources/ldap/ldap_connector.py rename to passbook/sources/ldap/connector.py index 925652c83..6d100f786 100644 --- a/passbook/sources/ldap/ldap_connector.py +++ b/passbook/sources/ldap/connector.py @@ -11,16 +11,16 @@ from passbook.sources.ldap.models import LDAPSource LOGGER = get_logger() -USERNAME_FIELD = CONFIG.y('ldap.username_field', 'sAMAccountName') -LOGIN_FIELD = CONFIG.y('ldap.login_field', 'userPrincipalName') +# USERNAME_FIELD = CONFIG.y('ldap.username_field', 'sAMAccountName') +# LOGIN_FIELD = CONFIG.y('ldap.login_field', 'userPrincipalName') -class LDAPConnector: +class Connector: """Wrapper for ldap3 to easily manage user authentication and creation""" - _server = None - _connection = None - _source = None + _server: ldap3.Server + _connection = ldap3.Connection + _source: LDAPSource def __init__(self, source: LDAPSource): self._source = source @@ -28,68 +28,17 @@ class LDAPConnector: if not self._source.enabled: LOGGER.debug("LDAP not Enabled") - # if not con_args: - # con_args = {} - # if not server_args: - # server_args = {} - # Either use mock argument or test is in argv - # if mock or any('test' in arg for arg in sys.argv): - # self.mock = True - # self.create_users_enabled = True - # con_args['client_strategy'] = ldap3.MOCK_SYNC - # server_args['get_info'] = ldap3.OFFLINE_AD_2012_R2 - # if self.mock: - # json_path = os.path.join(os.path.dirname(__file__), 'tests', 'ldap_mock.json') - # self._connection.strategy.entries_from_json(json_path) - self._server = ldap3.Server(source.server_uri) # Implement URI parsing self._connection = ldap3.Connection(self._server, raise_exceptions=True, user=source.bind_cn, password=source.bind_password) self._connection.bind() - # if CONFIG.y('ldap.server.use_tls'): - # self._connection.start_tls() - - # @staticmethod - # def cleanup_mock(): - # """Cleanup mock files which are not this PID's""" - # pid = os.getpid() - # json_path = os.path.join(os.path.dirname(__file__), 'test', 'ldap_mock_%d.json' % pid) - # os.unlink(json_path) - # LOGGER.debug("Cleaned up LDAP Mock from PID %d", pid) - - # def apply_db(self): - # """Check if any unapplied LDAPModification's are left""" - # to_apply = LDAPModification.objects.filter(_purgeable=False) - # for obj in to_apply: - # try: - # if obj.action == LDAPModification.ACTION_ADD: - # self._connection.add(obj.dn, obj.data) - # elif obj.action == LDAPModification.ACTION_MODIFY: - # self._connection.modify(obj.dn, obj.data) - - # # Object has been successfully applied to LDAP - # obj.delete() - # except ldap3.core.exceptions.LDAPException as exc: - # LOGGER.error(exc) - # LOGGER.debug("Recovered %d Modifications from DB.", len(to_apply)) - - # @staticmethod - # def handle_ldap_error(object_dn, action, data): - # """Custom Handler for LDAP methods to write LDIF to DB""" - # LDAPModification.objects.create( - # dn=object_dn, - # action=action, - # data=data) - - # @property - # def enabled(self): - # """Returns whether LDAP is enabled or not""" - # return CONFIG.y('ldap.enabled') + if source.start_tls: + self._connection.start_tls() @staticmethod - def encode_pass(password): + def encode_pass(password: str) -> str: """Encodes a plain-text password so it can be used by AD""" return '"{}"'.format(password).encode('utf-16-le') @@ -128,7 +77,7 @@ class LDAPConnector: return None # Create the user data. field_map = { - 'username': '%(' + USERNAME_FIELD + ')s', + 'username': '%(' + ')s', 'name': '%(givenName)s %(sn)s', 'email': '%(mail)s', } @@ -168,7 +117,7 @@ class LDAPConnector: # FIXME: Adapt user_uid # email = filters.pop(CONFIG.y('passport').get('ldap').get, '') email = filters.pop('email') - user_dn = self.lookup(self.generate_filter(**{LOGIN_FIELD: email})) + user_dn = self.lookup(self.generate_filter(**{'email': email})) if not user_dn: return None # Try to bind as new user @@ -179,7 +128,7 @@ class LDAPConnector: temp_connection.bind() if self._connection.search( search_base=self._source.search_base, - search_filter=self.generate_filter(**{LOGIN_FIELD: email}), + search_filter=self.generate_filter(**{'email': email}), search_scope=ldap3.SUBTREE, attributes=[ldap3.ALL_ATTRIBUTES, ldap3.ALL_OPERATIONAL_ATTRIBUTES], get_operational_attributes=True, @@ -198,47 +147,6 @@ class LDAPConnector: LOGGER.warning(exception) return None - def is_email_used(self, mail): - """Checks whether an email address is already registered in LDAP""" - if self._source.create_user: - return self.lookup(self.generate_filter(mail=mail)) - return False - - def create_ldap_user(self, user, raw_password): - """Creates a new LDAP User from a django user and raw_password. - Returns True on success, otherwise False""" - if self._source.create_user: - LOGGER.debug("User creation not enabled") - return False - # The dn of our new entry/object - username = user.pk.hex # UUID without dashes - # sAMAccountName is limited to 20 chars - # https://msdn.microsoft.com/en-us/library/ms679635.aspx - username_trunk = username[:20] if len(username) > 20 else username - # AD doesn't like sAMAccountName's with . at the end - username_trunk = username_trunk[:-1] if username_trunk[-1] == '.' else username_trunk - user_dn = 'cn=' + username + ',' + self._source.search_base - LOGGER.debug('New DN: %s', user_dn) - attrs = { - 'distinguishedName': str(user_dn), - 'cn': str(username), - 'description': 't=' + str(time()), - 'sAMAccountName': str(username_trunk), - 'givenName': str(user.name), - 'displayName': str(user.username), - 'name': str(user.name), - 'mail': str(user.email), - 'userPrincipalName': str(username + '@' + self._source.domain), - 'objectClass': ['top', 'person', 'organizationalPerson', 'user'], - } - try: - self._connection.add(user_dn, attributes=attrs) - except ldap3.core.exceptions.LDAPException as exception: - LOGGER.warning("Failed to create user ('%s'), saved to DB", exception) - # LDAPConnector.handle_ldap_error(user_dn, LDAPModification.ACTION_ADD, attrs) - LOGGER.debug("Signed up user %s", user.email) - return self.change_password(raw_password, mail=user.email) - def _do_modify(self, diff, **fields): """Do the LDAP modification itself""" user_dn = self.lookup(self.generate_filter(**fields)) @@ -246,7 +154,7 @@ class LDAPConnector: self._connection.modify(user_dn, diff) except ldap3.core.exceptions.LDAPException as exception: LOGGER.warning("Failed to modify %s ('%s'), saved to DB", user_dn, exception) - # LDAPConnector.handle_ldap_error(user_dn, LDAPModification.ACTION_MODIFY, diff) + # Connector.handle_ldap_error(user_dn, LDAPModification.ACTION_MODIFY, diff) LOGGER.debug("modified account '%s' [%s]", user_dn, ','.join(diff.keys())) return 'result' in self._connection.result and self._connection.result['result'] == 0 @@ -270,7 +178,7 @@ class LDAPConnector: """Changes LDAP user's password based on mail or user_dn. Returns True on success, otherwise False""" diff = { - 'unicodePwd': [(ldap3.MODIFY_REPLACE, [LDAPConnector.encode_pass(new_password)])], + 'unicodePwd': [(ldap3.MODIFY_REPLACE, [Connector.encode_pass(new_password)])], } return self._do_modify(diff, **fields) diff --git a/passbook/sources/ldap/forms.py b/passbook/sources/ldap/forms.py index 2a2aad74a..44ab5fc01 100644 --- a/passbook/sources/ldap/forms.py +++ b/passbook/sources/ldap/forms.py @@ -5,8 +5,7 @@ from django.contrib.admin.widgets import FilteredSelectMultiple from django.utils.translation import gettext_lazy as _ from passbook.admin.forms.source import SOURCE_FORM_FIELDS -from passbook.core.forms.policies import GENERAL_FIELDS -from passbook.sources.ldap.models import LDAPGroupMembershipPolicy, LDAPSource +from passbook.sources.ldap.models import LDAPSource class LDAPSourceForm(forms.ModelForm): @@ -15,36 +14,36 @@ class LDAPSourceForm(forms.ModelForm): class Meta: model = LDAPSource - fields = SOURCE_FORM_FIELDS + ['server_uri', 'bind_cn', 'bind_password', - 'type', 'domain', 'base_dn', 'create_user', - 'reset_password'] + fields = SOURCE_FORM_FIELDS + [ + 'server_uri', + 'bind_cn', + 'bind_password', + 'start_tls', + 'base_dn', + 'additional_user_dn', + 'additional_group_dn', + 'user_object_filter', + 'group_object_filter', + 'sync_groups', + 'sync_parent_group', + ] widgets = { 'name': forms.TextInput(), 'server_uri': forms.TextInput(), 'bind_cn': forms.TextInput(), - 'bind_password': forms.TextInput(), - 'domain': forms.TextInput(), + 'bind_password': forms.PasswordInput(), 'base_dn': forms.TextInput(), + 'additional_user_dn': forms.TextInput(), + 'additional_group_dn': forms.TextInput(), + 'user_object_filter': forms.TextInput(), + 'group_object_filter': forms.TextInput(), 'policies': FilteredSelectMultiple(_('policies'), False) } labels = { 'server_uri': _('Server URI'), 'bind_cn': _('Bind CN'), + 'start_tls': _('Enable Start TLS'), 'base_dn': _('Base DN'), - } - - -class LDAPGroupMembershipPolicyForm(forms.ModelForm): - """LDAPGroupMembershipPolicy Form""" - - class Meta: - - model = LDAPGroupMembershipPolicy - fields = GENERAL_FIELDS + ['dn', ] - widgets = { - 'name': forms.TextInput(), - 'dn': forms.TextInput(), - } - labels = { - 'dn': _('DN') + 'additional_user_dn': _('Addition User DN'), + 'additional_group_dn': _('Addition Group DN'), } diff --git a/passbook/sources/ldap/migrations/0001_initial.py b/passbook/sources/ldap/migrations/0001_initial.py index 0226b33da..4cd29ff4b 100644 --- a/passbook/sources/ldap/migrations/0001_initial.py +++ b/passbook/sources/ldap/migrations/0001_initial.py @@ -1,5 +1,6 @@ -# Generated by Django 2.2.6 on 2019-10-07 14:07 +# Generated by Django 2.2.6 on 2019-10-08 20:43 +import django.core.validators import django.db.models.deletion from django.db import migrations, models @@ -13,18 +14,33 @@ class Migration(migrations.Migration): ] operations = [ + migrations.CreateModel( + name='LDAPPropertyMapping', + fields=[ + ('propertymapping_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.PropertyMapping')), + ('ldap_property', models.TextField()), + ('object_field', models.TextField()), + ], + options={ + 'abstract': False, + }, + bases=('passbook_core.propertymapping',), + ), migrations.CreateModel( name='LDAPSource', fields=[ ('source_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Source')), - ('server_uri', models.TextField()), + ('server_uri', models.URLField(validators=[django.core.validators.URLValidator(schemes=['ldap', 'ldaps'])])), ('bind_cn', models.TextField()), ('bind_password', models.TextField()), - ('type', models.CharField(choices=[('ad', 'Active Directory'), ('generic', 'Generic')], max_length=20)), - ('domain', models.TextField()), + ('start_tls', models.BooleanField(default=False)), ('base_dn', models.TextField()), - ('create_user', models.BooleanField(default=False)), - ('reset_password', models.BooleanField(default=True)), + ('additional_user_dn', models.TextField(help_text='Prepended to Base DN for User-queries.')), + ('additional_group_dn', models.TextField(help_text='Prepended to Base DN for Group-queries.')), + ('user_object_filter', models.TextField()), + ('group_object_filter', models.TextField()), + ('sync_groups', models.BooleanField(default=True)), + ('sync_parent_group', models.ForeignKey(blank=True, default=None, on_delete=django.db.models.deletion.SET_DEFAULT, to='passbook_core.Group')), ], options={ 'verbose_name': 'LDAP Source', @@ -32,17 +48,4 @@ class Migration(migrations.Migration): }, bases=('passbook_core.source',), ), - migrations.CreateModel( - name='LDAPGroupMembershipPolicy', - fields=[ - ('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')), - ('dn', models.TextField()), - ('source', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='passbook_sources_ldap.LDAPSource')), - ], - options={ - 'verbose_name': 'LDAP Group Membership Policy', - 'verbose_name_plural': 'LDAP Group Membership Policys', - }, - bases=('passbook_core.policy',), - ), ] diff --git a/passbook/sources/ldap/models.py b/passbook/sources/ldap/models.py index a7c6f0b5b..89d043725 100644 --- a/passbook/sources/ldap/models.py +++ b/passbook/sources/ldap/models.py @@ -1,30 +1,30 @@ """passbook LDAP Models""" +from django.core.validators import URLValidator from django.db import models from django.utils.translation import gettext as _ -from passbook.core.models import Policy, Source, User +from passbook.core.models import Group, PropertyMapping, Source class LDAPSource(Source): """LDAP Authentication source""" - TYPE_ACTIVE_DIRECTORY = 'ad' - TYPE_GENERIC = 'generic' - TYPES = ( - (TYPE_ACTIVE_DIRECTORY, _('Active Directory')), - (TYPE_GENERIC, _('Generic')), - ) - - server_uri = models.TextField() + server_uri = models.URLField(validators=[URLValidator(schemes=['ldap', 'ldaps'])]) bind_cn = models.TextField() bind_password = models.TextField() - type = models.CharField(max_length=20, choices=TYPES) + start_tls = models.BooleanField(default=False) - domain = models.TextField() base_dn = models.TextField() - create_user = models.BooleanField(default=False) - reset_password = models.BooleanField(default=True) + additional_user_dn = models.TextField(help_text=_('Prepended to Base DN for User-queries.')) + additional_group_dn = models.TextField(help_text=_('Prepended to Base DN for Group-queries.')) + + user_object_filter = models.TextField() + group_object_filter = models.TextField() + + sync_groups = models.BooleanField(default=True) + sync_parent_group = models.ForeignKey(Group, blank=True, + default=None, on_delete=models.SET_DEFAULT) form = 'passbook.sources.ldap.forms.LDAPSourceForm' @@ -37,19 +37,8 @@ class LDAPSource(Source): verbose_name = _('LDAP Source') verbose_name_plural = _('LDAP Sources') -class LDAPGroupMembershipPolicy(Policy): - """Policy to check if a user is in a certain LDAP Group""" - dn = models.TextField() - source = models.ForeignKey('LDAPSource', on_delete=models.CASCADE) +class LDAPPropertyMapping(PropertyMapping): - form = 'passbook.sources.ldap.forms.LDAPGroupMembershipPolicyForm' - - def passes(self, user: User): - """Check if user instance passes this policy""" - raise NotImplementedError() - - class Meta: - - verbose_name = _('LDAP Group Membership Policy') - verbose_name_plural = _('LDAP Group Membership Policys') + ldap_property = models.TextField() + object_field = models.TextField() diff --git a/passbook/sources/ldap/templates/ldap/settings.html b/passbook/sources/ldap/templates/ldap/settings.html deleted file mode 100644 index 2d3d94320..000000000 --- a/passbook/sources/ldap/templates/ldap/settings.html +++ /dev/null @@ -1,33 +0,0 @@ -{% extends "_admin/module_default.html" %} - -{% load i18n %} -{% load utils %} - -{% block title %} -{% title "Settings" %} -{% endblock %} - -{% block module_content %} -

    {% trans 'LDAP connection' %}

    -
    -
    -
    -
    -
    -

    {% trans 'General settings' %}

    - {% include 'partials/form.html' with form=general %} -

    {% trans 'Connection settings' %}

    - {% include 'partials/form.html' with form=connection %} -

    {% trans 'Authentication backend ' %}

    - {% include 'partials/form.html' with form=authentication %} -

    {% trans 'Create users settings' %}

    - {% include 'partials/form.html' with form=create_users %} -
    -
    - -
    -
    -
    -
    -
    -{% endblock %} diff --git a/passbook/sources/ldap/urls.py b/passbook/sources/ldap/urls.py deleted file mode 100644 index b643ba6bc..000000000 --- a/passbook/sources/ldap/urls.py +++ /dev/null @@ -1,9 +0,0 @@ -# """passbook LDAP Urls""" - -# from django.conf.urls import url - -# from passbook.mod.auth.ldap import views - -# urlpatterns = [ -# url(r'^settings/$', views.admin_settings, name='admin_settings'), -# ] diff --git a/passbook/sources/ldap/views.py b/passbook/sources/ldap/views.py deleted file mode 100644 index 7e3e2c6a5..000000000 --- a/passbook/sources/ldap/views.py +++ /dev/null @@ -1,38 +0,0 @@ -# """passbook LDAP Views""" - - -# from django.contrib import messages -# from django.contrib.auth.decorators import login_required, user_passes_test -# from django.http import HttpRequest, HttpResponse -# from django.shortcuts import redirect, render -# from django.urls import reverse -# from django.utils.translation import ugettext as _ - -# from passbook.sources.ldap.forms import (AuthenticationBackendSettings, -# ConnectionSettings, -# CreateUsersSettings, -# GeneralSettingsForm) - - -# @login_required -# @user_passes_test(lambda u: u.is_superuser) -# def admin_settings(request: HttpRequest) -> HttpResponse: -# """Default view for modules without admin view""" -# form_classes = { -# 'general': GeneralSettingsForm, -# 'connection': ConnectionSettings, -# 'authentication': AuthenticationBackendSettings, -# 'create_users': CreateUsersSettings, -# } -# render_data = {} -# for form_key, form_class in form_classes.items(): -# render_data[form_key] = form_class(request.POST if request.method == 'POST' else None) -# if request.method == 'POST': -# update_count = 0 -# for form_key, form_class in form_classes.items(): -# form = form_class(request.POST) -# if form.is_valid(): -# update_count += form.save() -# messages.success(request, _('Successfully updated %d settings.' % update_count)) -# return redirect(reverse('passbook_ldap:admin_settings')) -# return render(request, 'ldap/settings.html', render_data) diff --git a/passbook/sources/oauth/clients.py b/passbook/sources/oauth/clients.py index cbbdb57ae..01e15b5c4 100644 --- a/passbook/sources/oauth/clients.py +++ b/passbook/sources/oauth/clients.py @@ -3,7 +3,6 @@ import json from urllib.parse import parse_qs, urlencode -from django.conf import settings from django.utils.crypto import constant_time_compare, get_random_string from django.utils.encoding import force_text from requests import Session @@ -11,6 +10,8 @@ from requests.exceptions import RequestException from requests_oauthlib import OAuth1 from structlog import get_logger +from passbook import __version__ + LOGGER = get_logger() @@ -23,7 +24,7 @@ class BaseOAuthClient: self.source = source self.token = token self._session = Session() - self._session.headers.update({'User-Agent': 'web:passbook:%s' % settings.VERSION}) + self._session.headers.update({'User-Agent': 'web:passbook:%s' % __version__}) def get_access_token(self, request, callback=None): "Fetch access token from callback request." From 22c4fb141464c30c8794ffe9da7e49a11306c134 Mon Sep 17 00:00:00 2001 From: "Langhammer, Jens" Date: Fri, 11 Oct 2019 12:53:48 +0200 Subject: [PATCH 2/4] sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method --- passbook/sources/ldap/auth.py | 4 +- passbook/sources/ldap/connector.py | 231 ++++++------------ passbook/sources/ldap/forms.py | 20 +- .../migrations/0002_auto_20191011_0825.py | 17 ++ .../migrations/0003_auto_20191011_0825.py | 32 +++ .../migrations/0004_auto_20191011_0839.py | 25 ++ passbook/sources/ldap/models.py | 15 +- passbook/sources/ldap/settings.py | 8 + passbook/sources/ldap/tasks.py | 30 +++ 9 files changed, 222 insertions(+), 160 deletions(-) create mode 100644 passbook/sources/ldap/migrations/0002_auto_20191011_0825.py create mode 100644 passbook/sources/ldap/migrations/0003_auto_20191011_0825.py create mode 100644 passbook/sources/ldap/migrations/0004_auto_20191011_0839.py create mode 100644 passbook/sources/ldap/tasks.py diff --git a/passbook/sources/ldap/auth.py b/passbook/sources/ldap/auth.py index ea4402c47..f314e7c07 100644 --- a/passbook/sources/ldap/auth.py +++ b/passbook/sources/ldap/auth.py @@ -1,5 +1,6 @@ """passbook LDAP Authentication Backend""" from django.contrib.auth.backends import ModelBackend +from django.http import HttpRequest from structlog import get_logger from passbook.sources.ldap.connector import Connector @@ -11,11 +12,12 @@ LOGGER = get_logger() class LDAPBackend(ModelBackend): """Authenticate users against LDAP Server""" - def authenticate(self, **kwargs): + def authenticate(self, request: HttpRequest, **kwargs): """Try to authenticate a user via ldap""" if 'password' not in kwargs: return None for source in LDAPSource.objects.filter(enabled=True): + LOGGER.debug("LDAP Auth attempt", source=source) _ldap = Connector(source) user = _ldap.auth_user(**kwargs) if user: diff --git a/passbook/sources/ldap/connector.py b/passbook/sources/ldap/connector.py index 6d100f786..02725ab37 100644 --- a/passbook/sources/ldap/connector.py +++ b/passbook/sources/ldap/connector.py @@ -1,19 +1,15 @@ """Wrapper for ldap3 to easily manage user""" -from time import time +from typing import Any, Dict, Optional import ldap3 import ldap3.core.exceptions from structlog import get_logger -from passbook.core.models import User -from passbook.lib.config import CONFIG +from passbook.core.models import Group, User from passbook.sources.ldap.models import LDAPSource LOGGER = get_logger() -# USERNAME_FIELD = CONFIG.y('ldap.username_field', 'sAMAccountName') -# LOGIN_FIELD = CONFIG.y('ldap.login_field', 'userPrincipalName') - class Connector: """Wrapper for ldap3 to easily manage user authentication and creation""" @@ -24,178 +20,103 @@ class Connector: def __init__(self, source: LDAPSource): self._source = source - - if not self._source.enabled: - LOGGER.debug("LDAP not Enabled") - self._server = ldap3.Server(source.server_uri) # Implement URI parsing + + def bind(self): + """Bind using Source's Credentials""" self._connection = ldap3.Connection(self._server, raise_exceptions=True, - user=source.bind_cn, - password=source.bind_password) + user=self._source.bind_cn, + password=self._source.bind_password) self._connection.bind() - if source.start_tls: + if self._source.start_tls: self._connection.start_tls() @staticmethod - def encode_pass(password: str) -> str: + def encode_pass(password: str) -> bytes: """Encodes a plain-text password so it can be used by AD""" return '"{}"'.format(password).encode('utf-16-le') - def generate_filter(self, **fields): - """Generate LDAP filter from **fields.""" - filters = [] - for item, value in fields.items(): - filters.append("(%s=%s)" % (item, value)) - ldap_filter = "(&%s)" % "".join(filters) - LOGGER.debug("Constructed filter: '%s'", ldap_filter) - return ldap_filter + @property + def base_dn_users(self) -> str: + """Shortcut to get full base_dn for user lookups""" + return ','.join([self._source.additional_user_dn, self._source.base_dn]) - def lookup(self, ldap_filter: str): - """Search email in LDAP and return the DN. - Returns False if nothing was found.""" - try: - self._connection.search(self._source.search_base, ldap_filter) - results = self._connection.response - if len(results) >= 1: - if 'dn' in results[0]: - return str(results[0]['dn']) - except ldap3.core.exceptions.LDAPNoSuchObjectResult as exc: - LOGGER.warning(exc) - return False - except ldap3.core.exceptions.LDAPInvalidDnError as exc: - LOGGER.warning(exc) - return False - return False + @property + def base_dn_groups(self) -> str: + """Shortcut to get full base_dn for group lookups""" + return ','.join([self._source.additional_group_dn, self._source.base_dn]) - def _get_or_create_user(self, user_data): - """Returns a Django user for the given LDAP user data. - If the user does not exist, then it will be created.""" - attributes = user_data.get("attributes") - if attributes is None: - LOGGER.warning("LDAP user attributes empty") - return None - # Create the user data. - field_map = { - 'username': '%(' + ')s', - 'name': '%(givenName)s %(sn)s', - 'email': '%(mail)s', + def sync_groups(self): + """Iterate over all LDAP Groups and create passbook_core.Group instances""" + attributes = [ + 'objectSid', # Used as unique Identifier + 'name', + 'dn', + ] + groups = self._connection.extend.standard.paged_search( + search_base=self.base_dn_groups, + search_filter=self._source.group_object_filter, + search_scope=ldap3.SUBTREE, + attributes=ldap3.ALL_ATTRIBUTES) + for group in groups: + attributes = group.get('attributes', {}) + _, created = Group.objects.update_or_create( + attributes__objectSid=attributes.get('objectSid', ''), + defaults=self._build_object_properties(attributes), + ) + LOGGER.debug("Synced group", group=attributes.get('name', ''), created=created) + + def sync_users(self): + """Iterate over all LDAP Users and create passbook_core.User instances""" + users = self._connection.extend.standard.paged_search( + search_base=self.base_dn_users, + search_filter=self._source.user_object_filter, + search_scope=ldap3.SUBTREE, + attributes=ldap3.ALL_ATTRIBUTES) + for user in users: + attributes = user.get('attributes', {}) + _, created = User.objects.update_or_create( + attributes__objectSid=attributes.get('objectSid', ''), + defaults=self._build_object_properties(attributes), + ) + LOGGER.debug("Synced User", user=attributes.get('name', ''), created=created) + + def sync_membership(self): + """Iterate over all Users and assign Groups using memberOf Field""" + pass + + def _build_object_properties(self, attributes: Dict[str, Any]) -> Dict[str, Dict[Any, Any]]: + properties = { + 'attributes': {} } - user_fields = {} - for dj_field, ldap_field in field_map.items(): - user_fields[dj_field] = ldap_field % attributes + for mapping in self._source.property_mappings.all().select_subclasses(): + properties[mapping.object_field] = attributes.get(mapping.ldap_property, '') + if 'objectSid' in attributes: + properties['attributes']['objectSid'] = attributes.get('objectSid') + properties['attributes']['distinguishedName'] = attributes.get('distinguishedName') + return properties - # Update or create the user. - user, created = User.objects.update_or_create( - defaults=user_fields, - username=user_fields.pop('username', "") - ) - - # Update groups - # if 'memberOf' in attributes: - # applicable_groups = LDAPGroupMapping.objects.f - # ilter(ldap_dn__in=attributes['memberOf']) - # for group in applicable_groups: - # if group.group not in user.groups.all(): - # user.groups.add(group.group) - # user.save() - - # If the user was created, set them an unusable password. - if created: - user.set_unusable_password() - user.save() - # All done! - LOGGER.debug("LDAP user lookup succeeded") - return user - - def auth_user(self, password, **filters): + def auth_user(self, password: str, **filters: Dict[str, str]) -> Optional[User]: """Try to bind as either user_dn or mail with password. Returns True on success, otherwise False""" - filters.pop('request') - if not self._source.enabled: + users = User.objects.filter(**filters) + if not users.exists(): return None - # FIXME: Adapt user_uid - # email = filters.pop(CONFIG.y('passport').get('ldap').get, '') - email = filters.pop('email') - user_dn = self.lookup(self.generate_filter(**{'email': email})) - if not user_dn: + user = users.first() + if 'distinguishedName' not in user.attributes: + LOGGER.debug("User doesn't have DN set, assuming not LDAP imported.", user=user) return None # Try to bind as new user - LOGGER.debug("Binding as '%s'", user_dn) + LOGGER.debug("Attempting Binding as user", user=user) try: - temp_connection = ldap3.Connection(self._server, user=user_dn, + temp_connection = ldap3.Connection(self._server, + user=user.attributes.get('distinguishedName'), password=password, raise_exceptions=True) temp_connection.bind() - if self._connection.search( - search_base=self._source.search_base, - search_filter=self.generate_filter(**{'email': email}), - search_scope=ldap3.SUBTREE, - attributes=[ldap3.ALL_ATTRIBUTES, ldap3.ALL_OPERATIONAL_ATTRIBUTES], - get_operational_attributes=True, - size_limit=1, - ): - response = self._connection.response[0] - # If user has no email set in AD, use UPN - if 'mail' not in response.get('attributes'): - response['attributes']['mail'] = response['attributes']['userPrincipalName'] - return self._get_or_create_user(response) - LOGGER.warning("LDAP user lookup failed") - return None + return user except ldap3.core.exceptions.LDAPInvalidCredentialsResult as exception: - LOGGER.debug("User '%s' failed to login (Wrong credentials)", user_dn) + LOGGER.debug("LDAPInvalidCredentialsResult", user=user) except ldap3.core.exceptions.LDAPException as exception: LOGGER.warning(exception) return None - - def _do_modify(self, diff, **fields): - """Do the LDAP modification itself""" - user_dn = self.lookup(self.generate_filter(**fields)) - try: - self._connection.modify(user_dn, diff) - except ldap3.core.exceptions.LDAPException as exception: - LOGGER.warning("Failed to modify %s ('%s'), saved to DB", user_dn, exception) - # Connector.handle_ldap_error(user_dn, LDAPModification.ACTION_MODIFY, diff) - LOGGER.debug("modified account '%s' [%s]", user_dn, ','.join(diff.keys())) - return 'result' in self._connection.result and self._connection.result['result'] == 0 - - def disable_user(self, **fields): - """Disables LDAP user based on mail or user_dn. - Returns True on success, otherwise False""" - diff = { - 'userAccountControl': [(ldap3.MODIFY_REPLACE, [str(66050)])], - } - return self._do_modify(diff, **fields) - - def enable_user(self, **fields): - """Enables LDAP user based on mail or user_dn. - Returns True on success, otherwise False""" - diff = { - 'userAccountControl': [(ldap3.MODIFY_REPLACE, [str(66048)])], - } - return self._do_modify(diff, **fields) - - def change_password(self, new_password, **fields): - """Changes LDAP user's password based on mail or user_dn. - Returns True on success, otherwise False""" - diff = { - 'unicodePwd': [(ldap3.MODIFY_REPLACE, [Connector.encode_pass(new_password)])], - } - return self._do_modify(diff, **fields) - - def add_to_group(self, group_dn, **fields): - """Adds mail or user_dn to group_dn - Returns True on success, otherwise False""" - user_dn = self.lookup(**fields) - diff = { - 'member': [(ldap3.MODIFY_ADD), [user_dn]] - } - return self._do_modify(diff, user_dn=group_dn) - - def remove_from_group(self, group_dn, **fields): - """Removes mail or user_dn from group_dn - Returns True on success, otherwise False""" - user_dn = self.lookup(**fields) - diff = { - 'member': [(ldap3.MODIFY_DELETE), [user_dn]] - } - return self._do_modify(diff, user_dn=group_dn) diff --git a/passbook/sources/ldap/forms.py b/passbook/sources/ldap/forms.py index 44ab5fc01..9b3d7bd8e 100644 --- a/passbook/sources/ldap/forms.py +++ b/passbook/sources/ldap/forms.py @@ -5,7 +5,7 @@ from django.contrib.admin.widgets import FilteredSelectMultiple from django.utils.translation import gettext_lazy as _ from passbook.admin.forms.source import SOURCE_FORM_FIELDS -from passbook.sources.ldap.models import LDAPSource +from passbook.sources.ldap.models import LDAPPropertyMapping, LDAPSource class LDAPSourceForm(forms.ModelForm): @@ -26,6 +26,7 @@ class LDAPSourceForm(forms.ModelForm): 'group_object_filter', 'sync_groups', 'sync_parent_group', + 'property_mappings', ] widgets = { 'name': forms.TextInput(), @@ -37,7 +38,8 @@ class LDAPSourceForm(forms.ModelForm): 'additional_group_dn': forms.TextInput(), 'user_object_filter': forms.TextInput(), 'group_object_filter': forms.TextInput(), - 'policies': FilteredSelectMultiple(_('policies'), False) + 'policies': FilteredSelectMultiple(_('policies'), False), + 'property_mappings': FilteredSelectMultiple(_('Property Mappings'), False) } labels = { 'server_uri': _('Server URI'), @@ -47,3 +49,17 @@ class LDAPSourceForm(forms.ModelForm): 'additional_user_dn': _('Addition User DN'), 'additional_group_dn': _('Addition Group DN'), } + + +class LDAPPropertyMappingForm(forms.ModelForm): + """LDAP Property Mapping form""" + + class Meta: + + model = LDAPPropertyMapping + fields = ['name', 'ldap_property', 'object_field'] + widgets = { + 'name': forms.TextInput(), + 'ldap_property': forms.TextInput(), + 'object_field': forms.TextInput(), + } diff --git a/passbook/sources/ldap/migrations/0002_auto_20191011_0825.py b/passbook/sources/ldap/migrations/0002_auto_20191011_0825.py new file mode 100644 index 000000000..9d7467347 --- /dev/null +++ b/passbook/sources/ldap/migrations/0002_auto_20191011_0825.py @@ -0,0 +1,17 @@ +# Generated by Django 2.2.6 on 2019-10-11 08:25 + +from django.db import migrations + + +class Migration(migrations.Migration): + + dependencies = [ + ('passbook_sources_ldap', '0001_initial'), + ] + + operations = [ + migrations.AlterModelOptions( + name='ldappropertymapping', + options={'verbose_name': 'LDAP Property Mapping', 'verbose_name_plural': 'LDAP Property Mappings'}, + ), + ] diff --git a/passbook/sources/ldap/migrations/0003_auto_20191011_0825.py b/passbook/sources/ldap/migrations/0003_auto_20191011_0825.py new file mode 100644 index 000000000..4331d7e2e --- /dev/null +++ b/passbook/sources/ldap/migrations/0003_auto_20191011_0825.py @@ -0,0 +1,32 @@ +# Generated by Django 2.2.6 on 2019-10-11 08:25 + +from django.apps.registry import Apps +from django.db import migrations + + +def create_default_ad_property_mappings(apps: Apps, schema_editor): + LDAPPropertyMapping = apps.get_model('passbook_sources_ldap', 'LDAPPropertyMapping') + mapping = { + 'name': 'name', + 'givenName': 'first_name', + 'sn': 'last_name', + 'sAMAccountName': 'username', + 'mail': 'email' + } + for ldap_property, object_field in mapping.items(): + LDAPPropertyMapping.objects.get_or_create( + ldap_property=ldap_property, + object_field=object_field, + defaults={ + 'name': f"Autogenerated LDAP Mapping: {ldap_property} -> {object_field}" + }) + +class Migration(migrations.Migration): + + dependencies = [ + ('passbook_sources_ldap', '0002_auto_20191011_0825'), + ] + + operations = [ + migrations.RunPython(create_default_ad_property_mappings) + ] diff --git a/passbook/sources/ldap/migrations/0004_auto_20191011_0839.py b/passbook/sources/ldap/migrations/0004_auto_20191011_0839.py new file mode 100644 index 000000000..f1260c2fc --- /dev/null +++ b/passbook/sources/ldap/migrations/0004_auto_20191011_0839.py @@ -0,0 +1,25 @@ +# Generated by Django 2.2.6 on 2019-10-11 08:39 + +import django.core.validators +import django.db.models.deletion +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('passbook_sources_ldap', '0003_auto_20191011_0825'), + ] + + operations = [ + migrations.AlterField( + model_name='ldapsource', + name='server_uri', + field=models.TextField(validators=[django.core.validators.URLValidator(schemes=['ldap', 'ldaps'])]), + ), + migrations.AlterField( + model_name='ldapsource', + name='sync_parent_group', + field=models.ForeignKey(blank=True, default=None, null=True, on_delete=django.db.models.deletion.SET_DEFAULT, to='passbook_core.Group'), + ), + ] diff --git a/passbook/sources/ldap/models.py b/passbook/sources/ldap/models.py index 89d043725..a908cc3dd 100644 --- a/passbook/sources/ldap/models.py +++ b/passbook/sources/ldap/models.py @@ -10,7 +10,7 @@ from passbook.core.models import Group, PropertyMapping, Source class LDAPSource(Source): """LDAP Authentication source""" - server_uri = models.URLField(validators=[URLValidator(schemes=['ldap', 'ldaps'])]) + server_uri = models.TextField(validators=[URLValidator(schemes=['ldap', 'ldaps'])]) bind_cn = models.TextField() bind_password = models.TextField() start_tls = models.BooleanField(default=False) @@ -23,7 +23,7 @@ class LDAPSource(Source): group_object_filter = models.TextField() sync_groups = models.BooleanField(default=True) - sync_parent_group = models.ForeignKey(Group, blank=True, + sync_parent_group = models.ForeignKey(Group, blank=True, null=True, default=None, on_delete=models.SET_DEFAULT) form = 'passbook.sources.ldap.forms.LDAPSourceForm' @@ -39,6 +39,17 @@ class LDAPSource(Source): class LDAPPropertyMapping(PropertyMapping): + """Map LDAP Property to User or Group object""" ldap_property = models.TextField() object_field = models.TextField() + + form = 'passbook.sources.ldap.forms.LDAPPropertyMappingForm' + + def __str__(self): + return f"LDAP Property Mapping {self.ldap_property} -> {self.object_field}" + + class Meta: + + verbose_name = _('LDAP Property Mapping') + verbose_name_plural = _('LDAP Property Mappings') diff --git a/passbook/sources/ldap/settings.py b/passbook/sources/ldap/settings.py index cb69c276b..88492c4bf 100644 --- a/passbook/sources/ldap/settings.py +++ b/passbook/sources/ldap/settings.py @@ -1,5 +1,13 @@ """LDAP Settings""" +from celery.schedules import crontab AUTHENTICATION_BACKENDS = [ 'passbook.sources.ldap.auth.LDAPBackend', ] + +CELERY_BEAT_SCHEDULE = { + 'sync': { + 'task': 'passbook.sources.ldap.tasks.sync', + 'schedule': crontab(minute=0) # Run every hour + } +} diff --git a/passbook/sources/ldap/tasks.py b/passbook/sources/ldap/tasks.py new file mode 100644 index 000000000..b59fe2ce8 --- /dev/null +++ b/passbook/sources/ldap/tasks.py @@ -0,0 +1,30 @@ +from passbook.root.celery import CELERY_APP +from passbook.sources.ldap.connector import Connector +from passbook.sources.ldap.models import LDAPSource + + +@CELERY_APP.task() +def sync_groups(source_pk: int): + """Sync LDAP Groups on background worker""" + source = LDAPSource.objects.get(pk=source_pk) + connector = Connector(source) + connector.bind() + connector.sync_groups() + +@CELERY_APP.task() +def sync_users(source_pk: int): + """Sync LDAP Users on background worker""" + source = LDAPSource.objects.get(pk=source_pk) + connector = Connector(source) + connector.bind() + connector.sync_users() + +@CELERY_APP.task() +def sync(): + """Sync all sources""" + for source in LDAPSource.objects.filter(enabled=True): + connector = Connector(source) + connector.bind() + connector.sync_users() + connector.sync_groups() + connector.sync_membership() From 8478b03892112d466180f282149ff457580e0881 Mon Sep 17 00:00:00 2001 From: "Langhammer, Jens" Date: Fri, 11 Oct 2019 13:41:12 +0200 Subject: [PATCH 3/4] sources/ldap(major): implement membership sync, add more settings --- passbook/sources/ldap/connector.py | 58 +++++++++++++++---- passbook/sources/ldap/forms.py | 6 +- .../migrations/0005_auto_20191011_1059.py | 33 +++++++++++ passbook/sources/ldap/models.py | 10 +++- 4 files changed, 93 insertions(+), 14 deletions(-) create mode 100644 passbook/sources/ldap/migrations/0005_auto_20191011_1059.py diff --git a/passbook/sources/ldap/connector.py b/passbook/sources/ldap/connector.py index 02725ab37..0c09e2af2 100644 --- a/passbook/sources/ldap/connector.py +++ b/passbook/sources/ldap/connector.py @@ -49,11 +49,9 @@ class Connector: def sync_groups(self): """Iterate over all LDAP Groups and create passbook_core.Group instances""" - attributes = [ - 'objectSid', # Used as unique Identifier - 'name', - 'dn', - ] + if not self._source.sync_groups: + LOGGER.debug("Group syncing is disabled for this Source") + return groups = self._connection.extend.standard.paged_search( search_base=self.base_dn_groups, search_filter=self._source.group_object_filter, @@ -62,8 +60,16 @@ class Connector: for group in groups: attributes = group.get('attributes', {}) _, created = Group.objects.update_or_create( - attributes__objectSid=attributes.get('objectSid', ''), - defaults=self._build_object_properties(attributes), + attributes__ldap_uniq=attributes.get(self._source.object_uniqueness_field, ''), + parent=self._source.sync_parent_group, + # defaults=self._build_object_properties(attributes), + defaults={ + 'name': attributes.get('name', ''), + 'attributes': { + 'ldap_uniq': attributes.get(self._source.object_uniqueness_field, ''), + 'distinguishedName': attributes.get('distinguishedName') + } + } ) LOGGER.debug("Synced group", group=attributes.get('name', ''), created=created) @@ -77,14 +83,43 @@ class Connector: for user in users: attributes = user.get('attributes', {}) _, created = User.objects.update_or_create( - attributes__objectSid=attributes.get('objectSid', ''), + attributes__ldap_uniq=attributes.get(self._source.object_uniqueness_field, ''), defaults=self._build_object_properties(attributes), ) LOGGER.debug("Synced User", user=attributes.get('name', ''), created=created) def sync_membership(self): """Iterate over all Users and assign Groups using memberOf Field""" - pass + users = self._connection.extend.standard.paged_search( + search_base=self.base_dn_users, + search_filter=self._source.user_object_filter, + search_scope=ldap3.SUBTREE, + attributes=[ + self._source.user_group_membership_field, + self._source.object_uniqueness_field]) + group_cache: Dict[str, Group] = {} + for user in users: + member_of = user.get('attributes', {}).get(self._source.user_group_membership_field, []) + uniq = user.get('attributes', {}).get(self._source.object_uniqueness_field, []) + for group_dn in member_of: + # Check if group_dn is within our base_dn_groups, and skip if not + if not group_dn.endswith(self.base_dn_groups): + continue + # Check if we fetched the group already, and if not cache it for later + if group_dn not in group_cache: + groups = Group.objects.filter(attributes__distinguishedName=group_dn) + if not groups.exists(): + LOGGER.warning("Group does not exist in our DB yet, run sync_groups first.", + group=group_dn) + return + group_cache[group_dn] = groups.first() + group = group_cache[group_dn] + users = User.objects.filter(attributes__ldap_uniq=uniq) + group.user_set.add(*list(users)) + # Now that all users are added, lets write everything + for _, group in group_cache.items(): + group.save() + LOGGER.debug("Successfully updated group membership") def _build_object_properties(self, attributes: Dict[str, Any]) -> Dict[str, Dict[Any, Any]]: properties = { @@ -92,8 +127,9 @@ class Connector: } for mapping in self._source.property_mappings.all().select_subclasses(): properties[mapping.object_field] = attributes.get(mapping.ldap_property, '') - if 'objectSid' in attributes: - properties['attributes']['objectSid'] = attributes.get('objectSid') + if self._source.object_uniqueness_field in attributes: + properties['attributes']['ldap_uniq'] = \ + attributes.get(self._source.object_uniqueness_field) properties['attributes']['distinguishedName'] = attributes.get('distinguishedName') return properties diff --git a/passbook/sources/ldap/forms.py b/passbook/sources/ldap/forms.py index 9b3d7bd8e..180985e9c 100644 --- a/passbook/sources/ldap/forms.py +++ b/passbook/sources/ldap/forms.py @@ -24,6 +24,8 @@ class LDAPSourceForm(forms.ModelForm): 'additional_group_dn', 'user_object_filter', 'group_object_filter', + 'user_group_membership_field', + 'object_uniqueness_field', 'sync_groups', 'sync_parent_group', 'property_mappings', @@ -32,12 +34,14 @@ class LDAPSourceForm(forms.ModelForm): 'name': forms.TextInput(), 'server_uri': forms.TextInput(), 'bind_cn': forms.TextInput(), - 'bind_password': forms.PasswordInput(), + 'bind_password': forms.TextInput(), 'base_dn': forms.TextInput(), 'additional_user_dn': forms.TextInput(), 'additional_group_dn': forms.TextInput(), 'user_object_filter': forms.TextInput(), 'group_object_filter': forms.TextInput(), + 'user_group_membership_field': forms.TextInput(), + 'object_uniqueness_field': forms.TextInput(), 'policies': FilteredSelectMultiple(_('policies'), False), 'property_mappings': FilteredSelectMultiple(_('Property Mappings'), False) } diff --git a/passbook/sources/ldap/migrations/0005_auto_20191011_1059.py b/passbook/sources/ldap/migrations/0005_auto_20191011_1059.py new file mode 100644 index 000000000..dce40c4dc --- /dev/null +++ b/passbook/sources/ldap/migrations/0005_auto_20191011_1059.py @@ -0,0 +1,33 @@ +# Generated by Django 2.2.6 on 2019-10-11 10:59 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('passbook_sources_ldap', '0004_auto_20191011_0839'), + ] + + operations = [ + migrations.AddField( + model_name='ldapsource', + name='object_uniqueness_field', + field=models.TextField(default='objectSid', help_text='Field which contains a unique Identifier.'), + ), + migrations.AddField( + model_name='ldapsource', + name='user_group_membership_field', + field=models.TextField(default='memberOf', help_text='Field which contains Groups of user.'), + ), + migrations.AlterField( + model_name='ldapsource', + name='group_object_filter', + field=models.TextField(default='(objectCategory=Group)', help_text='Consider Objects matching this filter to be Groups.'), + ), + migrations.AlterField( + model_name='ldapsource', + name='user_object_filter', + field=models.TextField(default='(objectCategory=Person)', help_text='Consider Objects matching this filter to be Users.'), + ), + ] diff --git a/passbook/sources/ldap/models.py b/passbook/sources/ldap/models.py index a908cc3dd..93a83bbe0 100644 --- a/passbook/sources/ldap/models.py +++ b/passbook/sources/ldap/models.py @@ -19,8 +19,14 @@ class LDAPSource(Source): additional_user_dn = models.TextField(help_text=_('Prepended to Base DN for User-queries.')) additional_group_dn = models.TextField(help_text=_('Prepended to Base DN for Group-queries.')) - user_object_filter = models.TextField() - group_object_filter = models.TextField() + user_object_filter = models.TextField(default="(objectCategory=Person)", help_text=_( + 'Consider Objects matching this filter to be Users.')) + user_group_membership_field = models.TextField(default="memberOf", help_text=_( + "Field which contains Groups of user.")) + group_object_filter = models.TextField(default="(objectCategory=Group)", help_text=_( + 'Consider Objects matching this filter to be Groups.')) + object_uniqueness_field = models.TextField(default="objectSid", help_text=_( + 'Field which contains a unique Identifier.')) sync_groups = models.BooleanField(default=True) sync_parent_group = models.ForeignKey(Group, blank=True, null=True, From 32abb27e61ac0fd5309493f86cac81bb32b71b4b Mon Sep 17 00:00:00 2001 From: "Langhammer, Jens" Date: Fri, 11 Oct 2019 13:43:35 +0200 Subject: [PATCH 4/4] sources/ldap(minor): fix lint --- passbook/sources/ldap/tasks.py | 1 + 1 file changed, 1 insertion(+) diff --git a/passbook/sources/ldap/tasks.py b/passbook/sources/ldap/tasks.py index b59fe2ce8..138d5ff17 100644 --- a/passbook/sources/ldap/tasks.py +++ b/passbook/sources/ldap/tasks.py @@ -1,3 +1,4 @@ +"""LDAP Sync tasks""" from passbook.root.celery import CELERY_APP from passbook.sources.ldap.connector import Connector from passbook.sources.ldap.models import LDAPSource