0001-ldap-add-an-option-to-indicate-provisionning-only-pu.patch
| src/authentic2/backends/ldap_backend.py | ||
|---|---|---|
| 517 | 517 |
# https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap-controls |
| 518 | 518 |
'use_controls': False, |
| 519 | 519 |
'ppolicy_dn': '', |
| 520 |
# used to indicated that this directory serves provisionning purposes only (no direct authn) |
|
| 521 |
'provisionning_only': False, |
|
| 520 | 522 |
} |
| 521 | 523 |
_REQUIRED = ('url', 'basedn')
|
| 522 | 524 |
_TO_ITERABLE = ('url', 'groupsu', 'groupstaff', 'groupactive')
|
| ... | ... | |
| 603 | 605 | |
| 604 | 606 |
# Now we can try to authenticate |
| 605 | 607 |
for block in config: |
| 608 |
if block.get('provisionning_only', False):
|
|
| 609 |
continue |
|
| 606 | 610 |
uid = username |
| 607 | 611 |
# if ou is provided, ignore LDAP server for other OU |
| 608 | 612 |
if ou: |
| ... | ... | |
| 1458 | 1462 |
yield from cls.normalize_ldap_results(data) |
| 1459 | 1463 | |
| 1460 | 1464 |
@classmethod |
| 1461 |
def get_users(cls, realm=None): |
|
| 1465 |
def get_users(cls, realm=None, provisionning=False):
|
|
| 1462 | 1466 |
blocks = cls.get_config() |
| 1463 | 1467 |
if not blocks: |
| 1464 | 1468 |
log.info('No LDAP server configured.')
|
| ... | ... | |
| 1466 | 1470 |
for block in blocks: |
| 1467 | 1471 |
if realm and realm != block['realm']: |
| 1468 | 1472 |
continue |
| 1473 |
if block.get('provisionning_only', False) and not provisionning:
|
|
| 1474 |
continue |
|
| 1469 | 1475 | |
| 1470 | 1476 |
log.info('Synchronising users from realm "%s"', block['realm'])
|
| 1471 | 1477 |
conn = cls.get_connection(block) |
| ... | ... | |
| 1820 | 1826 |
for user_external_id in user.userexternalid_set.all(): |
| 1821 | 1827 |
external_id = user_external_id.external_id |
| 1822 | 1828 |
for block in config: |
| 1829 |
if block.get('provisionning_only', False):
|
|
| 1830 |
continue |
|
| 1823 | 1831 |
if user_external_id.source != force_text(block['realm']): |
| 1824 | 1832 |
continue |
| 1825 | 1833 |
for external_id_tuple in map_text(block['external_id_tuples']): |
| src/authentic2/management/commands/sync-ldap-users.py | ||
|---|---|---|
| 58 | 58 |
elif verbosity == 3: |
| 59 | 59 |
ldap_logger.setLevel(logging.DEBUG) |
| 60 | 60 | |
| 61 |
for dummy in LDAPBackend.get_users(realm=kwargs['realm']): |
|
| 61 |
for dummy in LDAPBackend.get_users(realm=kwargs['realm'], provisionning=True):
|
|
| 62 | 62 |
continue |
| tests/test_ldap.py | ||
|---|---|---|
| 2208 | 2208 | |
| 2209 | 2209 |
assert 'Base ldapsearch command' not in ldap_config_text |
| 2210 | 2210 |
assert 'Error while attempting to connect to LDAP server' in ldap_config_text |
| 2211 | ||
| 2212 | ||
| 2213 |
def test_provisionning_only(slapd, settings, client, db): |
|
| 2214 |
settings.LDAP_AUTH_SETTINGS = [ |
|
| 2215 |
{
|
|
| 2216 |
'url': [slapd.ldap_url], |
|
| 2217 |
'basedn': 'o=ôrga', |
|
| 2218 |
'use_tls': False, |
|
| 2219 |
'attributes': ['jpegPhoto'], |
|
| 2220 |
'provisionning_only': True, |
|
| 2221 |
} |
|
| 2222 |
] |
|
| 2223 |
result = client.post( |
|
| 2224 |
'/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
|
|
| 2225 |
) |
|
| 2226 |
assert result.status_code == 200 |
|
| 2227 |
assert force_bytes('Étienne Michu') not in result.content
|
|
| 2228 |
assert User.objects.count() == 0 |
|
| 2211 |
- |
|