mirror of
https://gitlab2.federez.net/re2o/re2o
synced 2025-01-10 18:24:29 +00:00
697d1ef7aa
The Entire LDAP infrastructures now relies on signals rather than direct function calls and is in its own app. This means it can be deactivated, but also that we can easily plug new services in addition to LDAP, such as OAuth. Closes issue #270
116 lines
4.1 KiB
Python
116 lines
4.1 KiB
Python
# Copyright © 2018 Maël Kervella
|
|
# Copyright © 2021 Hugo Levy-Falk
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License along
|
|
# with this program; if not, write to the Free Software Foundation, Inc.,
|
|
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
#
|
|
import subprocess
|
|
from base64 import decodebytes
|
|
|
|
from django.core.management.base import BaseCommand, CommandError
|
|
from django.conf import settings
|
|
|
|
from users.models import User, ListRight
|
|
from ldap_sync.models import synchronise_user, synchronise_serviceuser, synchronise_usergroup
|
|
|
|
|
|
def split_lines(lines):
|
|
"""
|
|
Split LDIF lines. They can span over multiple system lines if the
|
|
following system lines begins with a space.
|
|
"""
|
|
ret = []
|
|
for line in lines.split(b"\n"):
|
|
if line.startswith(b" ") and len(ret) > 1:
|
|
ret[-1] += line[len(b" ") :]
|
|
else:
|
|
ret.append(line)
|
|
return ret
|
|
|
|
|
|
def flush_ldap(binddn, bindpass, server, usersdn, groupsdn):
|
|
"""
|
|
Perform the python (and more understandable) equivalent of the following commands:
|
|
|
|
ldapsearch -LLL -s one -D $binddn -w $bindpass -H $server -b $usersdn dn \
|
|
| grep "dn: " | sed -e 's/dn: //g' \
|
|
| ldapdelete -v -D $binddn -w $bindpass -H $server --
|
|
ldapsearch -LLL -s one -D $binddn -w $bindpass -H $server -b $usersdn dn \
|
|
| grep "dn:: " | sed -e 's/dn:: //g' \
|
|
| while read x; do echo "$x" | base64 -d; echo ""; done \
|
|
| ldapdelete -v -D $binddn -w $bindpass -H $server --
|
|
ldapsearch -LLL -s one -D $binddn -w $bindpass -H $server -b $groupsdn dn \
|
|
| grep "dn: " | sed -e 's/dn: //g' \
|
|
| ldapdelete -v -D $binddn -w $bindpass -H $server --
|
|
ldapsearch -LLL -s one -D $binddn -w $bindpass -H $server -b $groupsdn dn \
|
|
| grep "dn:: " | sed -e 's/dn:: //g' \
|
|
| while read x; do echo "$x" | base64 -d; echo ""; done \
|
|
| ldapdelete -v -D $binddn -w $bindpass -H $server --
|
|
"""
|
|
|
|
to_remove = []
|
|
|
|
for lookup in (usersdn, groupsdn):
|
|
search_cmd = [
|
|
"ldapsearch",
|
|
"-LLL",
|
|
"-s",
|
|
"one",
|
|
"-D",
|
|
binddn,
|
|
"-w",
|
|
bindpass,
|
|
"-H",
|
|
server,
|
|
"-b",
|
|
lookup,
|
|
"dn",
|
|
]
|
|
for line in split_lines(subprocess.check_output(search_cmd)):
|
|
if line.startswith(b"dn: "):
|
|
to_remove.append(line[len(b"dn: ") :])
|
|
elif line.startswith(b"dn:: "):
|
|
# Non ASCII value ares are base64-encoded
|
|
to_remove.append(decodebytes(line[len(b"dn:: ") :]))
|
|
|
|
delete_cmd = ["ldapdelete", "-D", binddn, "-w", bindpass, "-H", server] + to_remove
|
|
subprocess.check_call(delete_cmd)
|
|
|
|
|
|
def sync_ldap():
|
|
"""Syncrhonize the whole LDAP with the DB."""
|
|
for u in User.objects.all():
|
|
synchronise_user(sender=User, instance=u)
|
|
for lr in ListRight.objects.all():
|
|
synchronise_usergroup(sender=ListRight, instance=lr)
|
|
|
|
|
|
class Command(BaseCommand):
|
|
help = (
|
|
"Destroy the current LDAP data and rebuild it from the DB data."
|
|
" Use with caution."
|
|
)
|
|
|
|
def handle(self, *args, **options):
|
|
|
|
usersdn = settings.LDAP["base_user_dn"]
|
|
groupsdn = settings.LDAP["base_usergroup_dn"]
|
|
binddn = settings.DATABASES["ldap"]["USER"]
|
|
bindpass = settings.DATABASES["ldap"]["PASSWORD"]
|
|
server = settings.DATABASES["ldap"]["NAME"]
|
|
|
|
flush_ldap(binddn, bindpass, server, usersdn, groupsdn)
|
|
self.stdout.write("LDAP emptied.")
|
|
sync_ldap()
|
|
self.stdout.write("LDAP rebuilt.")
|