Merge branch 'Fix_117' into 'master'

Fix #117 : Use unix_name instead of name for ldap groups Closes #117 See merge request federez/re2o!145
8 years ago · 1f4443d857
4 changed files with 126 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,7 +1,7 @@
 ## MR 160: Datepicker

 Install libjs-jquery libjs-jquery-ui libjs-jquery-timepicker libjs-bootstrap javascript-common
-```
+```bash
 apt-get -y install \
    libjs-jquery \
    libjs-jquery-ui \
@ -10,12 +10,12 @@ apt-get -y install \
    javascript-common
 ```
 Enable javascript-common conf
-```
+```bash
 a2enconf javascript-common
 ```

 Delete old jquery files :
-```
+```bash
 rm -r static_files/js/jquery-ui-*
 rm static_files/js/jquery-2.2.4.min.js
 rm static/css/jquery-ui-timepicker-addon.css
@ -42,6 +42,7 @@ Refactored install_re2o.sh script.
 ```
 install_re2o.sh help
 ```
+
 * The installation templates (LDIF files and `re2o/settings_locale.example.py`) have been changed to use `example.net` instead of `example.org` (more neutral and generic)


@ -75,7 +76,6 @@ OPTIONAL_APPS = (
 ```


-
 ## MR 177: Add django-debug-toolbar support

 Add the possibility to enable `django-debug-toolbar` in debug mode. First install the APT package:
@ -94,3 +94,19 @@ If you to restrict the IP which can see the debug, use the `INTERNAL_IPS` option
 ```
 INTERNAL_IPS = ["10.0.0.1", "10.0.0.2"]
 ```
+
+
+## MR 145: Fix #117 : Use unix_name instead of name for ldap groups
+
+Fix a mixing between unix_name and name for groups
+After this modification you need to:
+* Double-check your defined groups' unix-name only contain small letters 
+* Run the following commands to rebuild your ldap's groups:
+  ```shell
+  python3 manage.py ldap_rebuild
+  ```
+
+* You may need to force your nslcd cache to be reloaded on some servers (else you will have to wait for the cache to be refreshed):
+  ```bash
+  sudo nslcd -i groups
+  ```
--- a/users/forms.py
+++ b/users/forms.py
@ -501,7 +501,7 @@ class ShellForm(FormRevMixin, ModelForm):

 class ListRightForm(FormRevMixin, ModelForm):
    """Edition, d'un groupe , équivalent à un droit
-    Ne peremet pas d'editer le gid, car il sert de primary key"""
+    Ne permet pas d'editer le gid, car il sert de primary key"""
    permissions = forms.ModelMultipleChoiceField(
        Permission.objects.all().select_related('content_type'),
        widget=forms.CheckboxSelectMultiple,
@ -510,23 +510,24 @@ class ListRightForm(FormRevMixin, ModelForm):

    class Meta:
        model = ListRight
-        fields = ['name', 'unix_name', 'critical', 'permissions', 'details']
+        fields = ('name', 'unix_name', 'critical', 'permissions', 'details')

    def __init__(self, *args, **kwargs):
        prefix = kwargs.pop('prefix', self.Meta.model.__name__)
        super(ListRightForm, self).__init__(*args, prefix=prefix, **kwargs)
-        self.fields['unix_name'].label = 'Nom du droit/groupe'
+        self.fields['unix_name'].label = 'Nom UNIX du groupe'


 class NewListRightForm(ListRightForm):
    """Ajout d'un groupe/list de droit """
    class Meta(ListRightForm.Meta):
-        fields = '__all__'
+        fields = ('name', 'unix_name', 'gid', 'critical', 'permissions',
+                  'details')

    def __init__(self, *args, **kwargs):
        super(NewListRightForm, self).__init__(*args, **kwargs)
-        self.fields['gid'].label = 'Gid, attention, cet attribut ne doit\
-        pas être modifié après création'
+        self.fields['gid'].label = ("Gid, attention, cet attribut ne doit "
+                                    "pas être modifié après création")


 class DelListRightForm(Form):
--- a/users/management/commands/ldap_rebuild.py
+++ b/users/management/commands/ldap_rebuild.py
@ -0,0 +1,98 @@
+# Copyright © 2018 Maël Kervella
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+import subprocess
+from base64 import decodebytes
+
+from django.core.management.base import BaseCommand, CommandError
+from django.conf import settings
+
+from users.models import User, ListRight
+
+
+def flush_ldap(binddn, bindpass, server, usersdn, groupsdn):
+    """
+    Perform the python (and more understandable) equivalent of the following commands:
+
+    ldapsearch -A -s one -D $binddn -w $bindpass -H $server -b $usersdn dn \
+            | grep "dn: " | sed -e 's/dn: //g' \
+            | ldapdelete -v -D $binddn -w $bindpass -H $server --
+    ldapsearch -A -s one -D $binddn -w $bindpass -H $server -b $usersdn dn \
+            | grep "dn:: " | sed -e 's/dn:: //g' \
+            | while read x; do echo "$x" | base64 -d; echo ""; done \
+            | ldapdelete -v -D $binddn -w $bindpass -H $server --
+    ldapsearch -A -s one -D $binddn -w $bindpass -H $server -b $groupsdn dn \
+            | grep "dn: " | sed -e 's/dn: //g' \
+            | ldapdelete -v -D $binddn -w $bindpass -H $server --
+    ldapsearch -A -s one -D $binddn -w $bindpass -H $server -b $groupsdn dn \
+            | grep "dn:: " | sed -e 's/dn:: //g' \
+            | while read x; do echo "$x" | base64 -d; echo ""; done \
+            | ldapdelete -v -D $binddn -w $bindpass -H $server --
+    """
+
+    to_remove = []
+
+    for lookup in (usersdn, groupsdn):
+        search_cmd = [
+            'ldapsearch',
+            '-A',
+            '-s', 'one',
+            '-D', binddn,
+            '-w', bindpass,
+            '-H', server,
+            '-b', lookup,
+            'dn'
+        ]
+        for line in subprocess.check_output(search_cmd).split(b'\n'):
+            if line.startswith(b'dn: '):
+                to_remove.append(line[len(b'dn: '):])
+            elif line.startswith(b'dn:: '):
+                # Non ASCII value ares are base64-encoded
+                to_remove.append(decodebytes(line[len(b'dn:: '):]))
+
+    delete_cmd = [
+        'ldapdelete',
+        '-D', binddn,
+        '-w', bindpass,
+        '-H', server
+    ] + to_remove
+    subprocess.check_call(delete_cmd)
+
+
+def sync_ldap():
+    """Syncrhonize the whole LDAP with the DB."""
+    for u in User.objects.all():
+        u.ldap_sync()
+    for lr in ListRight.objects.all():
+        lr.ldap_sync()
+
+
+class Command(BaseCommand):
+    help = ('Destroy the current LDAP data and rebuild it from the DB data. '
+            'Use with caution.')
+
+    def handle(self, *args, **options):
+
+        usersdn = settings.LDAP['base_user_dn']
+        groupsdn = settings.LDAP['base_usergroup_dn']
+        binddn = settings.DATABASES['ldap']['USER']
+        bindpass = settings.DATABASES['ldap']['PASSWORD']
+        server = settings.DATABASES['ldap']['NAME']
+
+        flush_ldap(binddn, bindpass, server, usersdn, groupsdn)
+        self.stdout.write("LDAP emptied")
+        sync_ldap()
+        self.stdout.write("LDAP rebuilt")
--- a/users/models.py
+++ b/users/models.py
@ -1175,7 +1175,7 @@ class ListRight(RevMixin, AclMixin, Group):
            group_ldap = LdapUserGroup.objects.get(gid=self.gid)
        except LdapUserGroup.DoesNotExist:
            group_ldap = LdapUserGroup(gid=self.gid)
-        group_ldap.name = self.listright
+        group_ldap.name = self.unix_name
        group_ldap.members = [user.pseudo for user
                              in self.user_set.all()]
        group_ldap.save()