def _execute_sync_action(
self, job_interface: background_job.BackgroundProcessInterface,
add_to_changelog: bool, enforce_sync: bool,
load_users_func: Callable, save_users_func: Callable) -> bool:
for connection_id, connection in active_connections():
try:
if not enforce_sync and not connection.sync_is_needed():
continue
job_interface.send_progress_update(
_("[%s] Starting sync for connection") % connection_id)
connection.do_sync(add_to_changelog=add_to_changelog,
only_username=False,
load_users_func=load_users,
save_users_func=save_users)
job_interface.send_progress_update(
_("[%s] Finished sync for connection") % connection_id)
except Exception as e:
job_interface.send_exception(
_("[%s] Exception: %s") % (connection_id, e))
logger.error('Exception (%s, userdb_job): %s', connection_id,
traceback.format_exc())
job_interface.send_progress_update(_("Finalizing synchronization"))
general_userdb_job()
return True
def hook_login(username, password):
# type: (UserId, str) -> Union[UserId, bool]
for connection_id, connection in active_connections():
result = connection.check_credentials(username, password)
# None -> User unknown, means continue with other connectors
# '<user_id>' -> success
# False -> failed
if result not in [False, None]:
username = result
if not isinstance(username, six.string_types):
raise MKInternalError(
_("The username returned by the %s "
"connector is not of type string (%r).") % (connection_id, username))
# Check whether or not the user exists (and maybe create it)
create_non_existing_user(connection_id, username)
if not is_customer_user_allowed_to_login(username):
# A CME not assigned with the current sites customer
# is not allowed to login
auth_logger.debug("User '%s' is not allowed to login: Invalid customer" % username)
return False
# Now, after successfull login (and optional user account creation), check whether or
# not the user is locked.
if _user_locked(username):
auth_logger.debug("User '%s' is not allowed to login: Account locked" % username)
return False # The account is locked
return result
if result is False:
return False
return False
def hook_save(users: Users) -> None:
"""Hook function can be registered here to be executed during saving of the
new user construct"""
for connection_id, connection in active_connections():
try:
connection.save_users(users)
except Exception as e:
if config.debug:
raise
show_exception(connection_id, _("Error during saving"), e)
def check_credentials(username: UserId,
password: str) -> Union[UserId, Literal[False]]:
"""Verify the credentials given by a user using all auth connections"""
for connection_id, connection in active_connections():
# None -> User unknown, means continue with other connectors
# '<user_id>' -> success
# False -> failed
result = connection.check_credentials(username, password)
if result is False:
return False
if result is None:
continue
user_id: UserId = result
if not isinstance(user_id, str):
raise MKInternalError(
_("The username returned by the %s "
"connector is not of type string (%r).") %
(connection_id, user_id))
# Check whether or not the user exists (and maybe create it)
#
# We have the cases where users exist "partially"
# a) The htpasswd file of the site may have a username:pwhash data set
# and Checkmk does not have a user entry yet
# b) LDAP authenticates a user and Checkmk does not have a user entry yet
#
# In these situations a user account with the "default profile" should be created
create_non_existing_user(connection_id, user_id)
if not is_customer_user_allowed_to_login(user_id):
# A CME not assigned with the current sites customer
# is not allowed to login
auth_logger.debug(
"User '%s' is not allowed to login: Invalid customer" %
user_id)
return False
# Now, after successfull login (and optional user account creation), check whether or
# not the user is locked.
if user_locked(user_id):
auth_logger.debug(
"User '%s' is not allowed to login: Account locked" % user_id)
return False # The account is locked
return user_id
return False
def sync_possible() -> bool:
return any(connection.type() == "ldap"
for _connection_id, connection in active_connections())