def __init__(self):
self.servers=LDAPServerStorage()
self.schema=LDAPSchema()
self.schema.addItem(LDAPProperty(
ldap_name="uid", description=u"User id"))
self.schema.addItem(LDAPProperty(
ldap_name="mail", plone_name="email",
description=u"Email address"))
self.schema.addItem(LDAPProperty(
ldap_name="cn", plone_name="fullname",
description=u"Canonical Name"))
self.schema.addItem(LDAPProperty(
ldap_name="sn", description=u"Surname (unused)"))
def connectLDAP(portal):
'''Set up LDAP parameters.'''
try:
ldapConfig = getUtility(ILDAPConfiguration)
except ComponentLookupError:
return
if ldapConfig.user_object_classes == 'edrnPerson':
# Already configured
return
ldapConfig.user_object_classes = 'edrnPerson'
ldapConfig.ldap_type = u'LDAP'
ldapConfig.user_scope = 1
ldapConfig.user_base = 'dc=edrn,dc=jpl,dc=nasa,dc=gov'
for i in ldapConfig.servers.keys():
del ldapConfig.servers[i]
ldapConfig.servers['ldapserver-1'] = LDAPServer('edrn.jpl.nasa.gov',
connection_type=1,
connection_timeout=5,
operation_timeout=15,
enabled=True)
p = ldapConfig.schema['uid']
p.ldap_name, p.plone_name, p.description, p.multi_valued = 'uid', '', u'User ID', False
p = ldapConfig.schema['mail']
p.ldap_name, p.plone_name, p.description, p.multi_valued = 'mail', 'email', u'Email Address', False
p = ldapConfig.schema['cn']
p.ldap_name, p.plone_name, p.description, p.multi_valued = 'cn', 'fullname', u'Full Name', False
p = ldapConfig.schema['sn']
p.ldap_name, p.plone_name, p.description, p.multi_valued = 'sn', '', u'Surname', False
ldapConfig.schema['description'] = LDAPProperty('description',
'description',
u'Description', False)
ldapConfig.userid_attribute = 'uid'
ldapConfig.rdn_attribute = 'uid'
ldapConfig.login_attribute = 'uid'
ldapConfig.group_scope = 1
ldapConfig.group_base = 'dc=edrn,dc=jpl,dc=nasa,dc=gov'
ldapConfig.bind_password = '******'
ldapConfig.bind_dn = 'uid=admin,ou=system'
guaranteePluginExists()
# To enable accurate counts of failed attempts by LoginLockout:
portal.acl_users['ldap-plugin'].acl_users.setCacheTimeout('negative', 0)
# plone.app.ldap doesn't provide an API to set the encryption type (CA-1231):
portal.acl_users['ldap-plugin'].acl_users._pwd_encryption = 'SHA'
# plone.app.ldap doesn't associate acl_users & acl_users/ldap-plugin with the RAMCache (CA-1231):
ramCache = getToolByName(portal, 'RAMCache')
ramCache.ZCacheManager_setAssociations({
'associate_acl_users': 1,
'associate_acl_users/ldap-plugin': 1
})
# Strangely, the "Super User" (LDAP group) to "Manager" (Zope role) mapping doesn't appear in the
# operational EDRN portal, even though it somehow works. But in a newly stripped-down portal,
# we definitely need it in there
portal.acl_users['ldap-plugin'].acl_users.manage_addGroupMapping(
'Super User', 'Manager')
def addMandatorySchemaItems():
config=getUtility(ILDAPConfiguration)
if config.ldap_type==u"AD":
required = [("dn", {'description': "Distinguished Name"}),
("objectGUID", {'description': "AD Object GUID",
'multi_valued': False, 'binary': True}),
("cn", {'description': "Canonical Name"}),
("sAMAccountName", {'description': "AD User Name"}),
("memberOf", {'description': "Group DNs",
'multi_valued': True, 'plone_name': "memberOf"})]
else:
required = []
for attr, args in required:
if attr not in config.schema:
config.schema.addItem(LDAPProperty(ldap_name=attr, **args))
if attr not in config.required_attributes:
config.required_attributes.append(attr)
def extractData(self, root, pas, out):
plug_id = str(root.getAttribute('id'))
update = root.getAttribute('update') == 'True'
settings = {}
interfaces = []
plugin_props = []
for prop in root.getElementsByTagName('plugin_property'):
p_type = prop.getAttribute('type')
p_id = prop.getAttribute('id')
value = prop.getAttribute('value')
if p_type == 'int':
value = int(value)
if p_type == 'string':
value = str(value)
plugin_props.append({'id': p_id, 'type': p_type, 'value': value})
for iface in root.getElementsByTagName('interface'):
interfaces.append(iface.getAttribute('value'))
caches = list()
for node in root.getElementsByTagName('cache'):
caches.append(node.getAttribute('value'))
if len(caches) > 1:
raise ValueError('You can not define multiple <cache> properties')
cache = ''
if len(caches):
cache = caches[0]
for prop in root.getElementsByTagName('property'):
type = prop.getAttribute('type')
values = []
for v in prop.getElementsByTagName('item'):
values.append(v.getAttribute('value'))
id = prop.getAttribute('id')
if type == 'list':
value = values
else:
value = values[0]
if type == 'int':
value = int(value)
if type == 'bool':
value = (value.lower() != 'false' and 1 or 0)
settings[id] = value
schema = {}
for schemanode in root.getElementsByTagName('schema'):
for attr in schemanode.getElementsByTagName('attr'):
c_id = attr.getAttribute('id')
c_attr = {}
for item in attr.getElementsByTagName('item'):
if item.getAttribute('value') != 'False':
c_attr[str(item.getAttribute('id'))] = str(
item.getAttribute('value'))
else:
c_attr[str(item.getAttribute('id'))] = False
schema[str(c_id)] = c_attr
servers = []
for server in root.getElementsByTagName('server'):
c_server = {
'update': (server.getAttribute('update') == 'True'),
'delete': (server.getAttribute('delete') == 'True')
}
for item in server.getElementsByTagName('item'):
value = item.getAttribute('value')
type = item.getAttribute('type')
id = item.getAttribute('id')
if type == 'int':
value = int(value)
c_server[id] = value
servers.append(c_server)
# always update if it doesn't exist
if plug_id not in pas.objectIds():
update = True
if update:
# delete existing LDAP plug-in
if plug_id in pas.objectIds():
try:
plugin = getLDAPPlugin()
pas = getPAS()
pas.manage_delObjects([plugin.getId()])
except KeyError:
# pass
"""
There are two reasons to not pass here. First, if we pass
and go to recreate later and both plugins have the same it, it
will error out for the id already existing. Second, if they
don't have the same id but have the same settings, they will then
in practice (if its set up correct) have duplicate users, which
will subsequently break any group or role lookups which assert
on the duplicate users. I don't see any tests on this so if there
is an argument to leave this as a pass let me know.
"""
logging.error(
"There is an ldap multi plugin in your " +
"system (%s) that is not managed " % plug_id +
"by this generic setup script. To have everything " +
"managed by GS, please delete and " +
"reinstall or set update=False in your ldap_plugin.xml"
+ " root.")
logging.error("Installing LDAP Plugin with GS failed")
return
# base configuration
config = getUtility(ILDAPConfiguration)
config.login_attribute = settings['_login_attr']
config.userid_attribute = settings['_uid_attr']
config.rdn_attribute = settings['_rdnattr']
config.user_base = settings['users_base']
config.user_scope = settings['users_scope']
config.group_base = settings['groups_base']
config.group_scope = settings['groups_scope']
config.bind_dn = settings['_binduid']
config.bind_password = settings['_bindpwd']
config.user_object_classes = ','.join(settings['_user_objclasses'])
config.password_encryption = settings['_pwd_encryption']
config.default_user_roles = ','.join(settings['_roles'])
config.read_only = settings['read_only']
config.activated_plugins = interfaces
config.cache = cache
# servers
config.servers = LDAPServerStorage()
for server in servers:
obj = LDAPServer(
server=server['host'],
connection_type=(server['protocol'] == 'ldaps'),
connection_timeout=server['conn_timeout'],
operation_timeout=server['op_timeout'],
enabled=True)
config.servers.addItem(obj)
# schema
config.schema = LDAPSchema()
for property in schema.itervalues():
obj = LDAPProperty(
ldap_name=property.get('ldap_name', ''),
plone_name=property.get('public_name', ''),
description=property.get('friendly_name', ''),
multi_valued=property.get('multivalued', False),
binary=property.get('binary', False))
config.schema.addItem(obj)
# recreate new LDAP plug-in
createLDAPPlugin(plug_id)
configureLDAPServers()
configureLDAPSchema()
def create(self, data):
property = LDAPProperty()
applyChanges(property, self.form_fields, data)
return property