rezometz
/
re2o
mirror of https://gitlab.federez.net/re2o/re2o
8
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

Add a Django command to fully rebuild the LDAP

set_password
Maël Kervella 8 years ago
parent
05a53b1c9c
commit
4cbb05d294
2 changed files with 99 additions and 8 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 9
      CHANGELOG.md
  2. 98
      users/management/commands/ldap_rebuild.py

9
CHANGELOG.md
View File

@ -103,14 +103,7 @@ After this modification you need to:
* Double-check your defined groups' unix-name only contain small letters * Double-check your defined groups' unix-name only contain small letters
* Run the following commands to rebuild your ldap's groups: * Run the following commands to rebuild your ldap's groups:
```shell ```shell
# In the LDAP shell : python3 manage.py ldap_rebuild
ou=groups,ou=posix > rm *
```
```python
# In the Django shell
>>> from users.model import ListRight
>>> for lr in ListRight.objects.all():
... lr.ldap_sync()
``` ```
* You may need to force your nslcd cache to be reloaded on some servers (else you will have to wait for the cache to be refreshed): * You may need to force your nslcd cache to be reloaded on some servers (else you will have to wait for the cache to be refreshed):

98
users/management/commands/ldap_rebuild.py
View File

@ -0,0 +1,98 @@
# Copyright © 2018 Maël Kervella
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
import subprocess
from base64 import decodebytes
from django.core.management.base import BaseCommand, CommandError
from django.conf import settings
from users.models import User, ListRight
def flush_ldap(binddn, bindpass, server, usersdn, groupsdn):
"""
Perform the python (and more understandable) equivalent of the following commands:
ldapsearch -A -s one -D $binddn -w $bindpass -H $server -b $usersdn dn \
| grep "dn: " | sed -e 's/dn: //g' \
| ldapdelete -v -D $binddn -w $bindpass -H $server --
ldapsearch -A -s one -D $binddn -w $bindpass -H $server -b $usersdn dn \
| grep "dn:: " | sed -e 's/dn:: //g' \
| while read x; do echo "$x" | base64 -d; echo ""; done \
| ldapdelete -v -D $binddn -w $bindpass -H $server --
ldapsearch -A -s one -D $binddn -w $bindpass -H $server -b $groupsdn dn \
| grep "dn: " | sed -e 's/dn: //g' \
| ldapdelete -v -D $binddn -w $bindpass -H $server --
ldapsearch -A -s one -D $binddn -w $bindpass -H $server -b $groupsdn dn \
| grep "dn:: " | sed -e 's/dn:: //g' \
| while read x; do echo "$x" | base64 -d; echo ""; done \
| ldapdelete -v -D $binddn -w $bindpass -H $server --
"""
to_remove = []
for lookup in (usersdn, groupsdn):
search_cmd = [
'ldapsearch',
'-A',
'-s', 'one',
'-D', binddn,
'-w', bindpass,
'-H', server,
'-b', lookup,
'dn'
]
for line in subprocess.check_output(search_cmd).split(b'\n'):
if line.startswith(b'dn: '):
to_remove.append(line[len(b'dn: '):])
elif line.startswith(b'dn:: '):
# Non ASCII value ares are base64-encoded
to_remove.append(decodebytes(line[len(b'dn:: '):]))
delete_cmd = [
'ldapdelete',
'-D', binddn,
'-w', bindpass,
'-H', server
] + to_remove
subprocess.check_call(delete_cmd)
def sync_ldap():
"""Syncrhonize the whole LDAP with the DB."""
for u in User.objects.all():
u.ldap_sync()
for lr in ListRight.objects.all():
lr.ldap_sync()
class Command(BaseCommand):
help = ('Destroy the current LDAP data and rebuild it from the DB data. '
'Use with caution.')
def handle(self, *args, **options):
usersdn = settings.LDAP['base_user_dn']
groupsdn = settings.LDAP['base_usergroup_dn']
binddn = settings.DATABASES['ldap']['USER']
bindpass = settings.DATABASES['ldap']['PASSWORD']
server = settings.DATABASES['ldap']['NAME']
flush_ldap(binddn, bindpass, server, usersdn, groupsdn)
self.stdout.write("LDAP emptied")
sync_ldap()
self.stdout.write("LDAP rebuilt")
Write Preview
Loading…
Cancel
Save