def _group_elements(self):
group_elements = [
(
"group_dn",
LDAPDistinguishedName(
title=_("Group base DN"),
help=_(
"Give a base distinguished name here, e. g. <tt>OU=groups,DC=example,DC=com</tt><br> "
"All groups used must be located below this one."),
size=80,
),
),
(
"group_scope",
DropdownChoice(
title=_("Search scope"),
help=
_("Scope to be used in group related LDAP searches. In most cases "
"<i>Search whole subtree below the base DN</i> "
"is the best choice. It searches for matching objects in the given base "
"recursively."),
choices=[
("sub", _("Search whole subtree below the base DN")),
("base", _("Search only the entry at the base DN")),
("one",
_("Search all entries one level below the base DN")),
],
default_value="sub",
),
),
(
"group_filter",
TextInput(
title=_("Search filter"),
help=
_("Using this option you can define an optional LDAP filter which is used "
"during group related LDAP searches. It can be used to only handle a "
"subset of the groups below the given base DN.<br><br>"
"e.g. <tt>(objectclass=group)</tt>"),
size=80,
default_value=lambda: ldap_filter_of_connection(
self._connection_id, "groups", False),
),
),
(
"group_member",
TextInput(
title=_("Member attribute"),
help=
_("The attribute used to identify users group memberships."
),
default_value=lambda: ldap_attr_of_connection(
self._connection_id, "member"),
),
),
]
return group_elements
def _user_elements(self):
user_elements = [
(
"user_dn",
LDAPDistinguishedName(
title=_("User base DN"),
help=
_("Give a base distinguished name here, e. g. <tt>OU=users,DC=example,DC=com</tt><br> "
"All user accounts to synchronize must be located below this one."
),
size=80,
),
),
(
"user_scope",
DropdownChoice(
title=_("Search scope"),
help=_(
"Scope to be used in LDAP searches. In most cases <i>Search whole subtree below "
"the base DN</i> is the best choice. "
"It searches for matching objects recursively."),
choices=[
("sub", _("Search whole subtree below the base DN")),
("base", _("Search only the entry at the base DN")),
("one",
_("Search all entries one level below the base DN")),
],
default_value="sub",
),
),
(
"user_filter",
TextInput(
title=_("Search filter"),
help=
_("Using this option you can define an optional LDAP filter which is used during "
"LDAP searches. It can be used to only handle a subset of the users below the given "
"base DN.<br><br>Some common examples:<br><br> "
"All user objects in LDAP:<br> "
"<tt>(&(objectclass=user)(objectcategory=person))</tt><br> "
"Members of a group:<br> "
"<tt>(&(objectclass=user)(objectcategory=person)(memberof=CN=cmk-users,OU=groups,DC=example,DC=com))</tt><br> "
"Members of a nested group:<br> "
"<tt>(&(objectclass=user)(objectcategory=person)(memberof:1.2.840.113556.1.4.1941:=CN=cmk-users,OU=groups,DC=example,DC=com))</tt><br>"
),
size=80,
default_value=lambda: ldap_filter_of_connection(
self._connection_id, "users", False),
),
),
(
"user_filter_group",
LDAPDistinguishedName(
title=_("Filter group (see help)"),
help=
_("Using this option you can define the DN of a group object which is used to filter the users. "
"Only members of this group will then be synchronized. This is a filter which can be "
'used to extend capabilities of the regular "Search Filter". Using the search filter '
"you can only define filters which directly apply to the user objects. To filter by "
"group memberships, you can use the <tt>memberOf</tt> attribute of the user objects in some "
"directories. But some directories do not have such attributes because the memberships "
"are stored in the group objects as e.g. <tt>member</tt> attributes. You should use the "
"regular search filter whenever possible and only use this filter when it is really "
"neccessary. Finally you can say, you should not use this option when using Active Directory. "
"This option is neccessary in OpenLDAP directories when you like to filter by group membership.<br><br>"
"If using, give a plain distinguished name of a group here, e. g. "
"<tt>CN=cmk-users,OU=groups,DC=example,DC=com</tt>"),
size=80,
),
),
(
"user_id",
TextInput(
title=_("User-ID attribute"),
help=
_("The attribute used to identify the individual users. It must have "
"unique values to make an user identifyable by the value of this "
"attribute."),
default_value=lambda: ldap_attr_of_connection(
self._connection_id, "user_id"),
),
),
(
"lower_user_ids",
FixedValue(
title=_("Lower case User-IDs"),
help=
_("Convert imported User-IDs to lower case during synchronization."
),
value=True,
totext=_("Enforce lower case User-IDs."),
),
),
(
"user_id_umlauts",
Transform(
DropdownChoice(
title=_("Umlauts in User-IDs (deprecated)"),
help=
_("Checkmk was not not supporting special characters (like Umlauts) in "
"User-IDs. To deal with LDAP users having umlauts in their User-IDs "
"you had the choice to replace umlauts with other characters. This option "
"is still available for compatibility reasons, but you are adviced to use "
'the "keep" option for new installations.'),
choices=[
("keep", _("Keep special characters")),
("replace",
_('Replace umlauts like "ü" with "ue"')),
],
default_value="keep",
),
forth=lambda x: "keep" if (x == "skip") else x,
),
),
(
"create_only_on_login",
FixedValue(
title=_("Create users only on login"),
value=True,
totext=_(
"Instead of creating the user accounts during the regular sync, create "
"the user on the first login."),
),
),
]
return user_elements
def _connection_elements(self):
connection_elements = [
(
"directory_type",
CascadingDropdown(
title=_("Directory type"),
help=
_("Select the software the LDAP directory is based on. Depending on "
"the selection e.g. the attribute names used in LDAP queries will "
"be altered."),
choices=[
("ad", _("Active Directory"),
self._vs_directory_options("ad")),
("openldap", _("OpenLDAP"),
self._vs_directory_options("openldap")),
(
"389directoryserver",
_("389 Directory Server"),
self._vs_directory_options("389directoryserver"),
),
],
),
),
(
"bind",
Tuple(
title=_("Bind credentials"),
help=
_("Set the credentials to be used to connect to the LDAP server. The "
"used account must not be allowed to do any changes in the directory "
"the whole connection is read only. "
"In some environment an anonymous connect/bind is allowed, in this "
"case you don't have to configure anything here."
"It must be possible to list all needed user and group objects from the "
"directory."),
elements=[
LDAPDistinguishedName(
title=_("Bind DN"),
help=
_("Specify the distinguished name to be used to bind to "
"the LDAP directory, e. g. <tt>CN=ldap,OU=users,DC=example,DC=com</tt>"
),
size=63,
),
IndividualOrStoredPassword(
title=_("Bind password"),
help=_(
"Specify the password to be used to bind to "
"the LDAP directory."),
),
],
),
),
(
"port",
Integer(
title=_("TCP port"),
help=_("This variable allows to specify the TCP port to "
"be used to connect to the LDAP server. "),
minvalue=1,
maxvalue=65535,
default_value=389,
),
),
(
"use_ssl",
FixedValue(
title=_("Use SSL"),
help=
_("Connect to the LDAP server with a SSL encrypted connection. The "
'<a href="wato.py?mode=edit_configvar&site=&varname=trusted_certificate_authorities">trusted '
"certificates authorities</a> configured in Check_MK will be used to validate the "
"certificate provided by the LDAP server."),
value=True,
totext=_("Encrypt the network connection using SSL."),
),
),
(
"connect_timeout",
Float(
title=_("Connect timeout"),
help=
_("Timeout for the initial connection to the LDAP server in seconds."
),
unit=_("Seconds"),
minvalue=1.0,
default_value=2.0,
),
),
(
"version",
DropdownChoice(
title=_("LDAP version"),
help=_(
"Select the LDAP version the LDAP server is serving. Most modern "
"servers use LDAP version 3."),
choices=[(2, "2"), (3, "3")],
default_value=3,
),
),
(
"page_size",
Integer(
title=_("Page size"),
help=
_("LDAP searches can be performed in paginated mode, for example to improve "
"the performance. This enables pagination and configures the size of the pages."
),
minvalue=1,
default_value=1000,
),
),
(
"response_timeout",
Integer(
title=_("Response timeout"),
unit=_("Seconds"),
help=_("Timeout for LDAP query responses."),
minvalue=0,
default_value=5,
),
),
(
"suffix",
TextInput(
allow_empty=False,
title=_("LDAP connection suffix"),
help=
_("The LDAP connection suffix can be used to distinguish equal named objects "
"(name conflicts), for example user accounts, from different LDAP connections.<br>"
"It is used in the following situations:<br><br>"
"During LDAP synchronization, the LDAP sync might discover that a user to be "
"synchronized from from the current LDAP is already being synchronized from "
"another LDAP connection. Without the suffix configured this results in a name "
"conflict and the later user not being synchronized. If the connection has a "
"suffix configured, this suffix is added to the later username in case of the name "
"conflict to resolve it. The user will then be named <tt>[username]@[suffix]</tt> "
"instead of just <tt>[username]</tt>.<br><br>"
"In the case a user which users name is existing in multiple LDAP directories, "
"but associated to different persons, your user can insert <tt>[username]@[suffix]</tt>"
" during login instead of just the plain <tt>[username]</tt> to tell which LDAP "
"directory he is assigned to. Users without name conflict just need to provide their "
"regular username as usual."),
regex=re.compile(r"^[A-Z0-9.-]+(?:\.[A-Z]{2,24})?$", re.I),
validate=self._validate_ldap_connection_suffix,
),
),
]
return connection_elements