porting to v8
Giacomo Spettoli
parent
a509c71228
commit
b1b6d965a2
|
|
@ -19,4 +19,4 @@
|
||||||
#
|
#
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
import users_ldap_groups
|
import users_ldap_groups # noqa
|
||||||
|
|
|
||||||
|
|
@ -30,13 +30,13 @@ Adds user accounts to groups based on rules defined by the administrator.
|
||||||
|
|
||||||
Usage:
|
Usage:
|
||||||
|
|
||||||
Define mappings in Settings->Companies->[your company]->tab configuration->[your
|
Define mappings in Settings->Companies->[your company]->tab configuration->[
|
||||||
ldap server].
|
your ldap server].
|
||||||
|
|
||||||
Decide whether you want only groups mapped from ldap (Only ldap groups=y) or a
|
Decide whether you want only groups mapped from ldap (Only ldap groups=y) or a
|
||||||
mix of manually set groups and ldap groups (Only ldap groups=n). Setting this to
|
mix of manually set groups and ldap groups (Only ldap groups=n). Setting this
|
||||||
'no' will result in users never losing privileges when you remove them from a
|
to 'no' will result in users never losing privileges when you remove them from
|
||||||
ldap group, so that's a potential security issue. It is still the default to
|
a ldap group, so that's a potential security issue. It is still the default to
|
||||||
prevent losing group information by accident.
|
prevent losing group information by accident.
|
||||||
|
|
||||||
For active directory, use LDAP attribute 'memberOf' and operator 'contains'.
|
For active directory, use LDAP attribute 'memberOf' and operator 'contains'.
|
||||||
|
|
|
||||||
|
|
@ -19,18 +19,20 @@
|
||||||
#
|
#
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
from openerp.osv import fields, orm
|
from openerp import models
|
||||||
|
from openerp import fields
|
||||||
|
from openerp import api
|
||||||
import logging
|
import logging
|
||||||
import users_ldap_groups_operators
|
import users_ldap_groups_operators
|
||||||
import inspect
|
import inspect
|
||||||
|
|
||||||
|
|
||||||
class CompanyLDAPGroupMapping(orm.Model):
|
class CompanyLDAPGroupMapping(models.Model):
|
||||||
_name = 'res.company.ldap.group_mapping'
|
_name = 'res.company.ldap.group_mapping'
|
||||||
_rec_name = 'ldap_attribute'
|
_rec_name = 'ldap_attribute'
|
||||||
_order = 'ldap_attribute'
|
_order = 'ldap_attribute'
|
||||||
|
|
||||||
def _get_operators(self, cr, uid, context=None):
|
def _get_operators(self):
|
||||||
operators = []
|
operators = []
|
||||||
members = inspect.getmembers(
|
members = inspect.getmembers(
|
||||||
users_ldap_groups_operators,
|
users_ldap_groups_operators,
|
||||||
|
|
@ -41,49 +43,47 @@ class CompanyLDAPGroupMapping(orm.Model):
|
||||||
operators.append((name, name))
|
operators.append((name, name))
|
||||||
return tuple(operators)
|
return tuple(operators)
|
||||||
|
|
||||||
_columns = {
|
ldap_id = fields.Many2one('res.company.ldap', 'LDAP server', required=True)
|
||||||
'ldap_id': fields.many2one('res.company.ldap', 'LDAP server', required=True),
|
ldap_attribute = fields.Char(
|
||||||
'ldap_attribute': fields.char(
|
'LDAP attribute', size=64,
|
||||||
'LDAP attribute', size=64,
|
help='The LDAP attribute to check.\n'
|
||||||
help='The LDAP attribute to check.\n'
|
'For active directory, use memberOf.')
|
||||||
'For active directory, use memberOf.'),
|
operator = fields.Selection(
|
||||||
'operator': fields.selection(
|
_get_operators, 'Operator',
|
||||||
_get_operators, 'Operator',
|
help='The operator to check the attribute against the value\n'
|
||||||
help='The operator to check the attribute against the value\n'
|
'For active directory, use \'contains\'', required=True)
|
||||||
'For active directory, use \'contains\'', required=True),
|
value = fields.Char(
|
||||||
'value': fields.char(
|
'Value', size=1024,
|
||||||
'Value', size=1024,
|
help='The value to check the attribute against.\n'
|
||||||
help='The value to check the attribute against.\n'
|
'For active directory, use the dn of the desired group',
|
||||||
'For active directory, use the dn of the desired group',
|
required=True)
|
||||||
required=True),
|
group = fields.Many2one(
|
||||||
'group': fields.many2one(
|
'res.groups', 'OpenERP group',
|
||||||
'res.groups', 'OpenERP group',
|
help='The OpenERP group to assign', required=True)
|
||||||
help='The OpenERP group to assign', required=True),
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
class CompanyLDAP(orm.Model):
|
class CompanyLDAP(models.Model):
|
||||||
_inherit = 'res.company.ldap'
|
_inherit = 'res.company.ldap'
|
||||||
|
|
||||||
_columns = {
|
group_mappings = fields.One2many(
|
||||||
'group_mappings': fields.one2many(
|
'res.company.ldap.group_mapping',
|
||||||
'res.company.ldap.group_mapping',
|
'ldap_id', 'Group mappings',
|
||||||
'ldap_id', 'Group mappings',
|
help='Define how OpenERP groups are assigned to ldap users')
|
||||||
help='Define how OpenERP groups are assigned to ldap users'),
|
only_ldap_groups = fields.Boolean(
|
||||||
'only_ldap_groups': fields.boolean(
|
'Only ldap groups',
|
||||||
'Only ldap groups',
|
help='If this is checked, manual changes to group membership are '
|
||||||
help='If this is checked, manual changes to group membership are '
|
'undone on every login (so OpenERP groups are always synchronous '
|
||||||
'undone on every login (so OpenERP groups are always synchronous '
|
'with LDAP groups). If not, manually added groups are preserved.')
|
||||||
'with LDAP groups). If not, manually added groups are preserved.')
|
|
||||||
}
|
|
||||||
|
|
||||||
_default = {
|
_default = {
|
||||||
'only_ldap_groups': False,
|
'only_ldap_groups': False,
|
||||||
}
|
}
|
||||||
|
|
||||||
def get_or_create_user(self, cr, uid, conf, login, ldap_entry, context=None):
|
@api.multi
|
||||||
user_id = super(CompanyLDAP, self).get_or_create_user(cr, uid, conf, login,
|
def get_or_create_user(self, cr, uid, conf, login, ldap_entry,
|
||||||
ldap_entry, context)
|
context=None):
|
||||||
|
user_id = super(CompanyLDAP, self).get_or_create_user(
|
||||||
|
cr, uid, conf, login, ldap_entry, context)
|
||||||
if not user_id:
|
if not user_id:
|
||||||
return user_id
|
return user_id
|
||||||
logger = logging.getLogger('users_ldap_groups')
|
logger = logging.getLogger('users_ldap_groups')
|
||||||
|
|
@ -92,11 +92,13 @@ class CompanyLDAP(orm.Model):
|
||||||
conf_all = self.read(cr, uid, conf['id'], ['only_ldap_groups'])
|
conf_all = self.read(cr, uid, conf['id'], ['only_ldap_groups'])
|
||||||
if(conf_all['only_ldap_groups']):
|
if(conf_all['only_ldap_groups']):
|
||||||
logger.debug('deleting all groups from user %d' % user_id)
|
logger.debug('deleting all groups from user %d' % user_id)
|
||||||
userobj.write(cr, uid, [user_id], {'groups_id': [(5, )]}, context=context)
|
userobj.write(
|
||||||
|
cr, uid, [user_id], {'groups_id': [(5, )]}, context=context)
|
||||||
|
|
||||||
for mapping in mappingobj.read(cr, uid, mappingobj.search(
|
for mapping in mappingobj.read(cr, uid, mappingobj.search(
|
||||||
cr, uid, [('ldap_id', '=', conf['id'])]), []):
|
cr, uid, [('ldap_id', '=', conf['id'])]), []):
|
||||||
operator = getattr(users_ldap_groups_operators, mapping['operator'])()
|
operator = getattr(users_ldap_groups_operators,
|
||||||
|
mapping['operator'])()
|
||||||
logger.debug('checking mapping %s' % mapping)
|
logger.debug('checking mapping %s' % mapping)
|
||||||
if operator.check_value(ldap_entry, mapping['ldap_attribute'],
|
if operator.check_value(ldap_entry, mapping['ldap_attribute'],
|
||||||
mapping['value'], conf, self, logger):
|
mapping['value'], conf, self, logger):
|
||||||
|
|
|
||||||
|
|
@ -26,22 +26,28 @@ class LDAPOperator:
|
||||||
|
|
||||||
|
|
||||||
class contains(LDAPOperator):
|
class contains(LDAPOperator):
|
||||||
def check_value(self, ldap_entry, attribute, value, ldap_config, company, logger):
|
def check_value(self, ldap_entry, attribute, value, ldap_config, company,
|
||||||
return (attribute in ldap_entry[1]) and (value in ldap_entry[1][attribute])
|
logger):
|
||||||
|
return (attribute in ldap_entry[1]) and \
|
||||||
|
(value in ldap_entry[1][attribute])
|
||||||
|
|
||||||
|
|
||||||
class equals(LDAPOperator):
|
class equals(LDAPOperator):
|
||||||
def check_value(self, ldap_entry, attribute, value, ldap_config, company, logger):
|
def check_value(self, ldap_entry, attribute, value, ldap_config, company,
|
||||||
return attribute in ldap_entry[1] and unicode(value) == unicode(ldap_entry[1][attribute])
|
logger):
|
||||||
|
return attribute in ldap_entry[1] and \
|
||||||
|
unicode(value) == unicode(ldap_entry[1][attribute])
|
||||||
|
|
||||||
|
|
||||||
class query(LDAPOperator):
|
class query(LDAPOperator):
|
||||||
def check_value(self, ldap_entry, attribute, value, ldap_config, company, logger):
|
def check_value(self, ldap_entry, attribute, value, ldap_config, company,
|
||||||
|
logger):
|
||||||
query_string = Template(value).safe_substitute(dict(
|
query_string = Template(value).safe_substitute(dict(
|
||||||
[(attr, ldap_entry[1][attribute][0]) for attr in ldap_entry[1]]
|
[(attr, ldap_entry[1][attribute][0]) for attr in ldap_entry[1]]
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
logger.debug('evaluating query group mapping, filter: %s' % query_string)
|
logger.debug('evaluating query group mapping, filter: %s' %
|
||||||
|
query_string)
|
||||||
results = company.query(ldap_config, query_string)
|
results = company.query(ldap_config, query_string)
|
||||||
logger.debug(results)
|
logger.debug(results)
|
||||||
return bool(results)
|
return bool(results)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue