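class LDAPSynchroniser(ldap.LDAPConnectionMixin):
    """Complete database synchronisation, either from or to the LDAP server.

    Every user is walked (groups are handled per user by
    ``SynchronisingUserAdapter``). Driven by the "ldapsync" management
    command.
    """

    def __init__(self):
        # The connection comes from the mixin; the backend is the
        # django_auth_ldap one used to annotate users with ``ldap_user``.
        self.conn = self._get_connection()
        self.backend = LDAPBackend()

    def ldap_users(self):
        """Yield an ``_LDAPUser`` for every entry returned by the configured
        "all users" search.

        The username is the first value of the attribute named by
        ``LDAP_PIXIEDUST_USERNAME_DN_ATTRIBUTE``; an entry without that
        attribute raises ``KeyError`` (unchanged behaviour).
        """
        ldap_settings = settings.ldap_settings
        search = ldap_settings.LDAP_PIXIEDUST_ALL_USERS
        username_attr = ldap_settings.LDAP_PIXIEDUST_USERNAME_DN_ATTRIBUTE
        for _dn, attrs in search.execute(self.conn):
            yield _LDAPUser(self.backend, username=attrs[username_attr][0])

    def model_users(self):
        """Return a queryset over every local Django ``User``."""
        return User.objects.all()

    def synchronise_from_ldap(self):
        """Create or update a local user for every LDAP user.

        ``deactivate()`` runs before the loop and ``activate_fromsettings()``
        after it; presumably these switch the model signal handlers off and
        back on so an imported user is not immediately pushed back to LDAP
        (confirm against the signals module). Re-activation now sits in a
        ``finally`` block: previously an exception on one user left the
        handlers deactivated for the rest of the process.
        """
        deactivate()
        try:
            for user in self.ldap_users():
                logger.debug("Synchronising %r", user)
                user._get_or_create_user()
        finally:
            activate_fromsettings()

    def synchronise_to_ldap(self):
        """Push every local user (groups, account, then profile) to LDAP."""
        for user in self.model_users():
            ldap_user = self.backend.get_user(user.id)
            if ldap_user is None:
                # get_user() found nothing for this pk; nothing to push.
                logger.warning("Skipping %r: backend returned no user", user)
                continue
            sync = SynchronisingUserAdapter(ldap_user)
            logger.debug("Synchronising %r", user)
            # Groups first: synchronise_groups() clears the group set, so it
            # must precede the other two steps.
            sync.synchronise_groups()
            sync.synchronise()
            sync.synchronise_profile()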
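class LDAPSynchroniser(ldap.LDAPConnectionMixin):
    """Complete database synchronisation, either from or to the LDAP server.

    Every user is walked (groups are handled per user by
    ``SynchronisingUserAdapter``). Driven by the "ldapsync" management
    command.
    """

    def __init__(self):
        # The connection comes from the mixin; the backend is the
        # django_auth_ldap one used to annotate users with ``ldap_user``.
        self.conn = self._get_connection()
        self.backend = LDAPBackend()

    def ldap_users(self):
        """Yield an ``_LDAPUser`` for every entry returned by the configured
        "all users" search.

        The username is the first value of the attribute named by
        ``LDAP_PIXIEDUST_USERNAME_DN_ATTRIBUTE``; an entry without that
        attribute raises ``KeyError`` (unchanged behaviour).
        """
        ldap_settings = settings.ldap_settings
        search = ldap_settings.LDAP_PIXIEDUST_ALL_USERS
        username_attr = ldap_settings.LDAP_PIXIEDUST_USERNAME_DN_ATTRIBUTE
        for _dn, attrs in search.execute(self.conn):
            yield _LDAPUser(self.backend, username=attrs[username_attr][0])

    def model_users(self):
        """Return a queryset over every local Django ``User``."""
        return User.objects.all()

    def synchronise_from_ldap(self):
        """Create or update a local user for every LDAP user.

        ``deactivate()`` runs before the loop and ``activate_fromsettings()``
        after it; presumably these switch the model signal handlers off and
        back on so an imported user is not immediately pushed back to LDAP
        (confirm against the signals module). Re-activation now sits in a
        ``finally`` block: previously an exception on one user left the
        handlers deactivated for the rest of the process.
        """
        deactivate()
        try:
            for user in self.ldap_users():
                logger.debug("Synchronising %r", user)
                user._get_or_create_user()
        finally:
            activate_fromsettings()

    def synchronise_to_ldap(self):
        """Push every local user (groups, account, then profile) to LDAP."""
        for user in self.model_users():
            ldap_user = self.backend.get_user(user.id)
            if ldap_user is None:
                # get_user() found nothing for this pk; nothing to push.
                logger.warning("Skipping %r: backend returned no user", user)
                continue
            sync = SynchronisingUserAdapter(ldap_user)
            logger.debug("Synchronising %r", user)
            # Groups first: synchronise_groups() clears the group set, so it
            # must precede the other two steps.
            sync.synchronise_groups()
            sync.synchronise()
            sync.synchronise_profile()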
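 def migrate_local_to_ldap(self, request, queryset):
     """Admin action: turn the selected local accounts into LDAP-backed ones.

     For each user with a matching LDAP record (``ldap_user.dn`` set) the
     local password hash is replaced by an unusable one
     (``make_password(None)``), so only the LDAP bind can authenticate the
     account from then on, and the local record is repopulated from LDAP.
     Users without an LDAP record are reported with a warning and left
     untouched; any other failure is logged with its traceback and reported
     as an error, and the action continues with the next user.

     Args:
         request: the admin request, passed through to ``message_user``.
         queryset: the selected ``User`` rows.
     """
     backend = LDAPBackend()
     for user in queryset:
         # get_user() returns the user annotated with ``ldap_user``, or
         # None when the pk is gone; the original let None blow up inside
         # the try and reported it as a generic failure.
         annotated = backend.get_user(user.pk)
         if annotated is None:
             logger.error("User migration to LDAP account failed: no user for pk %s", user.pk)
             self.message_user(
                 request,
                 _("Failed to migrate {user}").format(user=user.username),
                 messages.ERROR,
             )
             continue
         try:
             if annotated.ldap_user.dn is not None:
                 # Replace the local password with an unusable hash.
                 annotated.password = hashers.make_password(None)
                 # update_fields must be an iterable of field names. The
                 # original passed the bare string "password", which Django
                 # iterates character by character and rejects with
                 # ValueError, so the password was never actually saved.
                 annotated.save(update_fields=["password"])
                 # Populate the local record with the LDAP values.
                 annotated.ldap_user.populate_user()
             else:
                 self.message_user(
                     request,
                     _("Did not find matching LDAP record for {user}").
                     format(user=user.username),
                     messages.WARNING,
                 )
         except Exception as e:
             logger.exception("User migration to LDAP account failed %s", e)
             self.message_user(
                 request,
                 _("Failed to migrate {user}").format(user=user.username),
                 messages.ERROR,
             )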
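def user_sync_handler(sender, **kwargs):
    """Signal handler: push a saved ``User`` to LDAP.

    Args:
        sender: the model class that sent the signal; only ``User`` is
            acted on, any other sender is ignored.
        **kwargs: the signal payload. ``instance`` (the saved user) and
            ``created`` (presumably True on first save — the post_save
            convention, confirm at the connect site) are read; everything
            else is ignored.

    Returns silently when ``instance`` is missing, so a stray call can no
    longer raise ``AttributeError`` on ``instance.id``.
    """
    if sender is not User:
        return
    instance = kwargs.get('instance')
    if instance is None:
        return
    created = kwargs.get('created')
    backend = LDAPBackend()
    user = backend.get_user(instance.id)
    SynchronisingUserAdapter(user).synchronise(created)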
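def user_sync_handler(sender, **kwargs):
    """Signal handler: push a saved ``User`` to LDAP.

    Args:
        sender: the model class that sent the signal; only ``User`` is
            acted on, any other sender is ignored.
        **kwargs: the signal payload. ``instance`` (the saved user) and
            ``created`` (presumably True on first save — the post_save
            convention, confirm at the connect site) are read; everything
            else is ignored.

    Returns silently when ``instance`` is missing, so a stray call can no
    longer raise ``AttributeError`` on ``instance.id``.
    """
    if sender is not User:
        return
    instance = kwargs.get('instance')
    if instance is None:
        return
    created = kwargs.get('created')
    backend = LDAPBackend()
    user = backend.get_user(instance.id)
    SynchronisingUserAdapter(user).synchronise(created)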
 def update_groups_from_ldap(self, request, queryset):
     """Admin action: re-mirror each selected user's Django groups from LDAP.

     ``backend.get_user()`` returns the user annotated with ``ldap_user``,
     whose ``_mirror_groups()`` rewrites the local group set from LDAP.
     When that call raises (the original comment attributes this to the
     LDAP user not being active) every local group is removed instead.

     NOTE(review): the catch is ``Exception``, so a transient LDAP failure
     (connection or bind error) also ends in ``groups.clear()`` and strips
     all permissions granted via groups; consider narrowing the catch or
     checking the account state explicitly before clearing.

     Args:
         request: the admin request (unused here).
         queryset: the selected ``User`` rows.
     """
     backend = LDAPBackend()
     for local_user in queryset:
         annotated = backend.get_user(local_user.pk)
         try:
             annotated.ldap_user._mirror_groups()
         except Exception:
             local_user.groups.clear()
def reset_ldap_password(username):
    """Lock the LDAP account of ``username`` by giving it a password that can
    never be entered.

    The write is done by ``SynchronisingUserAdapter.reset_ldap_password()``.
    Such passwords are not synchronised from Django, because django_auth_ldap
    already sets every new account to one.

    Args:
        username: the local ``User.username`` to look up.

    Raises:
        User.DoesNotExist: if no local user has that username.
    """
    from django_ldap_pixiedust.user import SynchronisingUserAdapter

    local_user = User.objects.get(username=username)
    annotated = LDAPBackend().get_user(local_user.id)
    adapter = SynchronisingUserAdapter(annotated)
    adapter.reset_ldap_password()
    
def get_attributes(user, definitions=None, source=None, **kwargs):
    '''
        Return attributes dictionnary

        Dictionnary format:
        attributes = dict()
        data_from_source = list()
        a1 = dict()
                a1['oid'] = definition_name
            Or
                a1['definition'] = definition_name
                    definition may be the definition name like 'gn'
                    or an alias like 'givenName'
            Or
                a1['name'] = attribute_name_in_ns
                a1['namespace'] = ns_name
        a1['values'] = list_of_values
        data_from_source.append(a1)
        ...
        data_from_source.append(a2)
        attributes[source_name] = data_from_source

        First attempt on 'definition' key.
        Else, definition is searched by 'name' and 'namespece' keys.
    '''
    if not user:
        logger.error('get_attributes: No user provided')
        return None
    logger.debug('get_attributes: Searching attributes for user %s' \
        % user)

    from authentic2.attribute_aggregator.models import LdapSource
    sources = None
    if source:
        logger.debug('get_attributes: The required source is %s' % source)
        try:
            sources = [source.ldapsource]
            logger.debug('get_attributes: The source is an LDAP source!')
        except:
            logger.debug('get_attributes: \
                The required source is not a LDAP one')
            return None
    else:
        sources = LdapSource.objects.all()
    if not sources:
        logger.debug('get_attributes: No LDAP source configured')
        return None

    attributes = dict()

    for source in sources:
        logger.debug('get_attributes: The LDAP source is known as %s' \
            % source.name)

        identifier = None
        '''
            Check if the user is authenticated by LDAP.
            If it is, grab the user dn from the LDAPUser object
        '''
        try:
            from django_auth_ldap.backend import LDAPBackend
            backend = LDAPBackend()
            u = backend.get_user(user.id)
            dn = u.ldap_user.dn
            if not dn:
                logger.debug('get_attributes: \
                    User not logged with LDAP')
            else:
                logger.debug('get_attributes: \
                    User logged with dn %s' % dn)
                '''is it logged in that source?'''
                logger.debug('get_attributes: \
                    Is the user logged with the source %s?' % source.name)
                try:
                    l = ldap.open(source.server)
                    l.protocol_version = ldap.VERSION3
                    username = source.user
                    password = source.password
                    if username and password:
                        l.simple_bind(username, password)
                    ldap_result_id = \
                        l.search(dn, ldap.SCOPE_BASE,
                            attrlist=['objectClass'])
                    result_type, result_data = l.result(ldap_result_id, 0)
                    logger.debug('get_attributes: Yes it is, result %s %s' \
                        % (result_type, result_data))
                    identifier = dn
                except ldap.LDAPError, err:
                    logger.debug('get_attributes: \
                        User dn %s unknown in %s or error %s' \
                            % (dn, source.name, str(err)))
        except Exception, err:
            logger.error('get_attributes: \
                Error working with the LDAP backend %s' % str(err))
        if not identifier:
            identifier = get_user_alias_in_source(user, source)
        if not identifier:
            logger.error('get_attributes: \
                No user identifier known into that source')
        else:
            logger.debug('get_attributes: \
                the user is known as %s in source %s' \
                % (identifier, source.name))

            try:
                l = ldap.open(source.server)
                l.protocol_version = ldap.VERSION3
                username = source.user
                password = source.password
                if username and password:
                    l.simple_bind(username, password)
            except ldap.LDAPError, err:
                logger.error('get_attributes: \
                    an error occured at binding due to %s' % err)
            else:
def get_attributes(user, definitions=None, source=None, **kwargs):
    '''
        Return attributes dictionnary

        Dictionnary format:
        attributes = dict()
        data_from_source = list()
        a1 = dict()
                a1['oid'] = definition_name
            Or
                a1['definition'] = definition_name
                    definition may be the definition name like 'gn'
                    or an alias like 'givenName'
            Or
                a1['name'] = attribute_name_in_ns
                a1['namespace'] = ns_name
        a1['values'] = list_of_values
        data_from_source.append(a1)
        ...
        data_from_source.append(a2)
        attributes[source_name] = data_from_source

        First attempt on 'definition' key.
        Else, definition is searched by 'name' and 'namespece' keys.
    '''
    if not user:
        logger.error('get_attributes: No user provided')
        return None
    logger.debug('get_attributes: Searching attributes for user %s' \
        % user)

    from authentic2.attribute_aggregator.models import LdapSource
    sources = None
    if source:
        logger.debug('get_attributes: The required source is %s' % source)
        try:
            sources = [source.ldapsource]
            logger.debug('get_attributes: The source is an LDAP source!')
        except:
            logger.debug('get_attributes: \
                The required source is not a LDAP one')
            return None
    else:
        sources = LdapSource.objects.all()
    if not sources:
        logger.debug('get_attributes: No LDAP source configured')
        return None

    attributes = dict()

    for source in sources:
        logger.debug('get_attributes: The LDAP source is known as %s' \
            % source.name)

        identifier = None
        '''
            Check if the user is authenticated by LDAP.
            If it is, grab the user dn from the LDAPUser object
        '''
        try:
            from django_auth_ldap.backend import LDAPBackend
            backend = LDAPBackend()
            u = backend.get_user(user.id)
            dn = u.ldap_user.dn
            if not dn:
                logger.debug('get_attributes: \
                    User not logged with LDAP')
            else:
                logger.debug('get_attributes: \
                    User logged with dn %s' % dn)
                '''is it logged in that source?'''
                logger.debug('get_attributes: \
                    Is the user logged with the source %s?' % source.name)
                try:
                    l = ldap.open(source.server)
                    l.protocol_version = ldap.VERSION3
                    username = source.user
                    password = source.password
                    if username and password:
                        l.simple_bind(username, password)
                    ldap_result_id = \
                        l.search(dn, ldap.SCOPE_BASE,
                            attrlist=['objectClass'])
                    result_type, result_data = l.result(ldap_result_id, 0)
                    logger.debug('get_attributes: Yes it is, result %s %s' \
                        % (result_type, result_data))
                    identifier = dn
                except ldap.LDAPError, err:
                    logger.debug('get_attributes: \
                        User dn %s unknown in %s or error %s' \
                            % (dn, source.name, str(err)))
        except Exception, err:
            logger.error('get_attributes: \
                Error working with the LDAP backend %s' %str(err))
        if not identifier:
            identifier = get_user_alias_in_source(user, source)
        if not identifier:
            logger.error('get_attributes: \
                No user identifier known into that source')
        else:
            logger.debug('get_attributes: \
                the user is known as %s in source %s' \
                % (identifier, source.name))

            try:
                l = ldap.open(source.server)
                l.protocol_version = ldap.VERSION3
                username = source.user
                password = source.password
                if username and password:
                    l.simple_bind(username, password)
            except ldap.LDAPError, err:
                logger.error('get_attributes: \
                    an error occured at binding due to %s' % err)
            else: