0001-ldap-add-options-to-control-authentiction-and-cron-p.patch

Emmanuel Cazenave, 24 juin 2022 15:58

Voir les différences: en ligne côte à côte

Subject: [PATCH] ldap: add options to control authentiction and cron
 provisionning (#60492)

 src/authentic2/backends/ldap_backend.py |  8 +++
 tests/test_ldap.py                      | 96 +++++++++++++++++++++++++
 2 files changed, 104 insertions(+)

             # https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap-controls
             'use_controls': False,
             'ppolicy_dn': '',
             'authentication': True,
             'sync_ldap_users': True,
+        }
         _REQUIRED = ('url', 'basedn')
         _TO_ITERABLE = ('url', 'groupsu', 'groupstaff', 'groupactive')
-...
             # Now we can try to authenticate
             for block in config:
                 if block['authentication'] is False:
                     continue
                 uid = username
                 # if ou is provided, ignore LDAP server for other OU
                 if ou:
-...
             for block in blocks:
                 if realm and realm != block['realm']:
                     continue
                 if block['sync_ldap_users'] is False:
                     continue
                 count = 0
                 try:
                     for user in cls.get_users_for_block(block):
-...
                 if not external_id:
                     continue
                 for block in config:
                     if block['authentication'] is False:
                         continue
                     if user_external_id.source != force_text(block['realm']):
                         continue
                     for external_id_tuple in map_text(block['external_id_tuples']):

         user = User.objects.get()
         role = user.roles.get(name='Ambiguous role')
         assert role.ou == default_ou
     def test_authenticate_no_authentication(slapd, settings, client, db):
         settings.LDAP_AUTH_SETTINGS = [
+            {
                 'url': [slapd.ldap_url],
                 'basedn': 'o=ôrga',
                 'use_tls': False,
                 'attributes': ['jpegPhoto'],
                 'authentication': False,
+            }
+        ]
         result = client.post(
             '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+        )
         assert result.status_code == 200
         assert force_bytes('Étienne Michu') not in result.content
         assert User.objects.count() == 0
     def test_get_users_no_sync_ldap_users(slapd, settings, db, monkeypatch, caplog):
         from django.contrib.auth.models import Group
         settings.LDAP_AUTH_SETTINGS = [
+            {
                 'url': [slapd.ldap_url],
                 'basedn': 'o=ôrga',
                 'use_tls': False,
                 'create_group': True,
                 'group_mapping': [
                     ['cn=group2,o=ôrga', ['Group2']],
                 ],
                 'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
                 'group_to_role_mapping': [
                     ['cn=unknown,o=dn', ['Role2']],
                 ],
                 'lookups': ['external_id', 'username'],
                 'sync_ldap_users': False,
+            }
+        ]
         assert Group.objects.count() == 0
         assert User.objects.count() == 0
         users = list(ldap_backend.LDAPBackend.get_users())
         assert len(users) == 0
         assert User.objects.count() == 0
         assert Group.objects.count() == 0
     def test_deactivate_orphaned_users_when_no_sync_ldap_users(slapd, settings, client, db, app, superuser):
         settings.LDAP_AUTH_SETTINGS = [
+            {
                 'url': [slapd.ldap_url],
                 'basedn': 'o=ôrga',
                 'use_tls': False,
+            }
+        ]
         utils.login(app, superuser)
         # create users as a side effect
         users = list(ldap_backend.LDAPBackend.get_users())
         block = settings.LDAP_AUTH_SETTINGS[0]
         assert (
             ldap_backend.UserExternalId.objects.filter(user__is_active=False, source=block['realm']).count() == 0
+        )
         resp = app.get('/manage/users/%s/' % users[0].pk)
         assert 'Deactivated' not in resp.text
         conn = slapd.get_connection_admin()
         conn.delete_s(DN)
         settings.LDAP_AUTH_SETTINGS = [
+            {
                 'url': [slapd.ldap_url],
                 'basedn': 'o=ôrga',
                 'use_tls': False,
                 'sync_ldap_users': False,
+            }
+        ]
         ldap_backend.LDAPBackend.deactivate_orphaned_users()
         deactivated_user = ldap_backend.UserExternalId.objects.get(
             user__is_active=False,
             source=block['realm'],
             user__deactivation__isnull=False,
             user__deactivation_reason__startswith='ldap-',
+        )
         utils.assert_event(
             'manager.user.deactivation',
             target_user=deactivated_user.user,
             reason='ldap-not-present',
             origin=slapd.ldap_url,
+        )
         resp = app.get('/manage/users/%s/' % deactivated_user.user.pk)
         assert 'Deactivated' in resp.text
         assert 'associated LDAP account does not exist anymore' in resp.text
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-ldap-add-options-to-control-authentiction-and-cron-p.patch