From 6703b8a9cc40a3fbce48f643f0ad1d5ac9cd0e23 Mon Sep 17 00:00:00 2001 From: Holger Brunn Date: Mon, 2 Nov 2015 17:45:13 +0100 Subject: [PATCH] [ADD] users_ldap_push --- users_ldap_push/README.rst | 84 +++++++++ users_ldap_push/__init__.py | 21 +++ users_ldap_push/__openerp__.py | 44 +++++ users_ldap_push/models/__init__.py | 23 +++ users_ldap_push/models/res_company_ldap.py | 64 +++++++ .../models/res_company_ldap_field_mapping.py | 40 ++++ users_ldap_push/models/res_partner.py | 31 ++++ users_ldap_push/models/res_users.py | 175 ++++++++++++++++++ users_ldap_push/security/ir.model.access.csv | 3 + users_ldap_push/static/description/icon.png | Bin 0 -> 9455 bytes users_ldap_push/tests/__init__.py | 20 ++ users_ldap_push/tests/test_users_ldap_push.py | 104 +++++++++++ users_ldap_push/views/res_company.xml | 27 +++ users_ldap_push/views/res_users.xml | 44 +++++ users_ldap_push/wizards/__init__.py | 20 ++ .../wizards/change_password_user.py | 32 ++++ 16 files changed, 732 insertions(+) create mode 100644 users_ldap_push/README.rst create mode 100644 users_ldap_push/__init__.py create mode 100644 users_ldap_push/__openerp__.py create mode 100644 users_ldap_push/models/__init__.py create mode 100644 users_ldap_push/models/res_company_ldap.py create mode 100644 users_ldap_push/models/res_company_ldap_field_mapping.py create mode 100644 users_ldap_push/models/res_partner.py create mode 100644 users_ldap_push/models/res_users.py create mode 100644 users_ldap_push/security/ir.model.access.csv create mode 100644 users_ldap_push/static/description/icon.png create mode 100644 users_ldap_push/tests/__init__.py create mode 100644 users_ldap_push/tests/test_users_ldap_push.py create mode 100644 users_ldap_push/views/res_company.xml create mode 100644 users_ldap_push/views/res_users.xml create mode 100644 users_ldap_push/wizards/__init__.py create mode 100644 users_ldap_push/wizards/change_password_user.py 
diff --git a/users_ldap_push/README.rst b/users_ldap_push/README.rst
new file mode 100644
index 000000000..f6127f3e4
--- /dev/null
+++ b/users_ldap_push/README.rst
@@ -0,0 +1,84 @@
+.. image:: https://img.shields.io/badge/licence-AGPL--3-blue.svg
+ :alt: License: AGPL-3
+
+==================
+Push users to LDAP
+==================
+
+This module was written in order to use Odoo as a frontend for creating LDAP
+entries by creating user records. Updates to the user record will be propagated
+to the linked LDAP entry afterwards.
+
+When users change their passwords, they will be updated in the LDAP directory
+too.
+
+Configuration
+=============
+
+On the LDAP parameters of your company, check *Create ldap entry* in order to
+activate this functionality. Be sure to configure a bind DN that has
+appropriate permissions to create and modify entries.
+
+Fill in the object classes newly created entries should contain, separated by
+colons. Those classes will determine which mappings from Odoo fields to LDAP
+attributes you need. This is highly dependent on your LDAP setup.
+
+For a standard slapd setup, you might want to use object classes
+`inetOrgPerson,shadowAccount` and the following mapping:
+
+========== ============== ==
+Odoo field LDAP attribute DN
+========== ============== ==
+Login userid X
+Name cn
+Name sn
+========== ============== ==
+
+Matching is done by the new field *ldap_entry_dn*, so after installing this
+module, you'll probably want to set this field. The module will write it when
+a user logs in via Odoo.
+
+Usage
+=====
+
+When you create or update users, their corresponding LDAP entries will be
+updated too.
+
+When creating users, there's a checkbox 'LDAP user' which allows you to push
+the new user to your LDAP directory. This of course only works if you have
+field mappings for all mandatory fields in your schema.
+
+.. image:: https://odoo-community.org/website/image/ir.attachment/5784_f2813bd/datas
+ :alt: Try me on Runbot
+ :target: https://runbot.odoo-community.org/runbot/149/8.0
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues `_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us smashing it by providing a detailed and welcomed feedback
+`here `_.
+
+Credits
+=======
+
+Contributors
+------------
+
+* Holger Brunn
+
+Maintainer
+----------
+
+.. image:: https://odoo-community.org/logo.png
+ :alt: Odoo Community Association
+ :target: https://odoo-community.org
+
+This module is maintained by the OCA.
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+To contribute to this module, please visit http://odoo-community.org.
diff --git a/users_ldap_push/__init__.py b/users_ldap_push/__init__.py
new file mode 100644
index 000000000..b5779b484
--- /dev/null
+++ b/users_ldap_push/__init__.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV .
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+from . import models
+from . import wizards
diff --git a/users_ldap_push/__openerp__.py b/users_ldap_push/__openerp__.py
new file mode 100644
index 000000000..6331ee36b
--- /dev/null
+++ b/users_ldap_push/__openerp__.py
@@ -0,0 +1,44 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV .
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+{
+ "name": "Push users to LDAP",
+ "version": "8.0.1.0.0",
+ "author": "Therp BV,Odoo Community Association (OCA)",
+ "license": "AGPL-3",
+ "category": "Authentication",
+ "summary": "Creates a ldap entry when you create a user in Odoo",
+ "depends": [
+ 'auth_ldap',
+ 'mail',
+ ],
+ "data": [
+ "views/res_users.xml",
+ "views/res_company.xml",
+ 'security/ir.model.access.csv',
+ ],
+ "qweb": [
+ ],
+ "test": [
+ ],
+ "installable": True,
+ "external_dependencies": {
+ 'python': ['ldap'],
+ },
+}
diff --git a/users_ldap_push/models/__init__.py b/users_ldap_push/models/__init__.py
new file mode 100644
index 000000000..32839eb64
--- /dev/null
+++ b/users_ldap_push/models/__init__.py
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV .
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+from . import res_company_ldap
+from . import res_company_ldap_field_mapping
+from . import res_users
+from . import res_partner
diff --git a/users_ldap_push/models/res_company_ldap.py b/users_ldap_push/models/res_company_ldap.py
new file mode 100644
index 000000000..f5782193f
--- /dev/null
+++ b/users_ldap_push/models/res_company_ldap.py
@@ -0,0 +1,64 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV ().
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+from openerp import _, models, fields, api, exceptions
+
+
+class ResCompanyLdap(models.Model):
+ _inherit = 'res.company.ldap'
+
+ @api.model
+ def _create_ldap_entry_field_mappings_default(self):
+ return [
+ (0, 0, {
+ 'field_id':
+ self.env.ref('base.field_res_users_login').id,
+ 'attribute': 'userid',
+ 'use_for_dn': True,
+ }),
+ ]
+
+ create_ldap_entry = fields.Boolean('Create ldap entry', default=True)
+ create_ldap_entry_base = fields.Char(
+ 'Create ldap entry in subtree',
+ help='Leave empty to use your LDAP base')
+ create_ldap_entry_objectclass = fields.Char(
+ 'Object class', default='account',
+ help='Separate object classes by comma if you need more than one')
+ create_ldap_entry_field_mappings = fields.One2many(
+ 'res.company.ldap.field_mapping', 'ldap_id', string='Field mappings',
+ default=_create_ldap_entry_field_mappings_default)
+
+ @api.model
+ def get_or_create_user(self, conf, login, ldap_entry):
+ user_id = super(ResCompanyLdap, self).get_or_create_user(
+ conf, login, ldap_entry)
+ if user_id:
+ self.env['res.users'].browse(user_id).write({
+ 'ldap_entry_dn': ldap_entry[0],
+ })
+ return user_id
+
+ @api.constrains('create_ldap_entry_field_mappings')
+ def _constrain_create_ldap_entry_field_mappings(self):
+ for this in self:
+ if len(this.create_ldap_entry_field_mappings
+ .filtered('use_for_dn')) != 1:
+ raise exceptions.ValidationError(
+ _('You need to set exactly one mapping as DN'))
diff --git a/users_ldap_push/models/res_company_ldap_field_mapping.py b/users_ldap_push/models/res_company_ldap_field_mapping.py
new file mode 100644
index 000000000..99835cf5f
--- /dev/null
+++ b/users_ldap_push/models/res_company_ldap_field_mapping.py
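Review bot: `create_ldap_entry` is declared with `default=True`, so the push feature is enabled on every new LDAP configuration unless someone unticks it, while the README in this patch describes checking the box as the way to activate it. Because the push path binds with the configured bind DN and creates or modifies directory entries, an opt-in default is the safer choice: `create_ldap_entry = fields.Boolean('Create ldap entry', default=False)`. Separately, `get_or_create_user` writes `ldap_entry_dn` on every successful LDAP login, which also runs the `push_to_ldap` hook added to `res.users.write`; comparing with the stored value first would avoid that write per login.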
@@ -0,0 +1,40 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV ().
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+from openerp import models, fields, api
+
+
+class ResCompanyLdapFieldMapping(models.Model):
+ _name = 'res.company.ldap.field_mapping'
+ _description = 'Mapping from Odoo fields to ldap attributes'
+
+ field_id = fields.Many2one(
+ 'ir.model.fields', string='Odoo field', required=True,
+ domain=lambda self: self._field_id_domain())
+ attribute = fields.Char('LDAP attribute', required=True)
+ use_for_dn = fields.Boolean('DN')
+ ldap_id = fields.Many2one(
+ 'res.company.ldap', string='LDAP configuration', required=True)
+
+ @api.model
+ def _field_id_domain(self):
+ return [
+ ('model_id', '=', self.env.ref('base.model_res_users').id),
+ ('ttype', 'in', ['selection', 'char', 'text', 'integer', 'float']),
+ ]
diff --git a/users_ldap_push/models/res_partner.py b/users_ldap_push/models/res_partner.py
new file mode 100644
index 000000000..7a87c56de
--- /dev/null
+++ b/users_ldap_push/models/res_partner.py
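Review bot: `_field_id_domain` restricts mappable fields only by model and `ttype`, so any char or text field of `res.users` can be selected, presumably including credential-bearing ones such as the password field. `_get_ldap_values` in `res_users.py` copies the written value verbatim into the mapped attribute, so such a mapping would store the cleartext value in the directory. Consider excluding those fields with an extra `('name', 'not in', <sensitive field names>)` term in the domain, or at least stating the risk in the `field_id` help text.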
@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV ().
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+from openerp import models, api
+
+
+class ResPartner(models.Model):
+ _inherit = 'res.partner'
+
+ @api.multi
+ def write(self, vals):
+ result = super(ResPartner, self).write(vals)
+ self.filtered('user_ids.is_ldap_user').mapped('user_ids')\
+ .push_to_ldap(vals)
+ return result
diff --git a/users_ldap_push/models/res_users.py b/users_ldap_push/models/res_users.py
new file mode 100644
index 000000000..e163a453d
--- /dev/null
+++ b/users_ldap_push/models/res_users.py
@@ -0,0 +1,175 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV ().
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+import ldap
+import ldap.modlist
+import logging
+from openerp import _, models, fields, api, exceptions
+_logger = logging.getLogger(__name__)
+
+
+class ResUsers(models.Model):
+ _inherit = 'res.users'
+
+ ldap_entry_dn = fields.Char('LDAP DN', readonly=True)
+ is_ldap_user = fields.Boolean(
+ 'LDAP user', compute='_compute_is_ldap_user', default=True)
+
+ @api.model
+ @api.returns('self', lambda record: record.id)
+ def create(self, values):
+ result = super(ResUsers, self).create(values)
+ result.push_to_ldap(values)
+ return result
+
+ @api.multi
+ def write(self, values):
+ result = super(ResUsers, self).write(values)
+ self.push_to_ldap(values)
+ return result
+
+ @api.multi
+ def _push_to_ldap_possible(self, values):
+ return bool(self._get_ldap_configuration())
+
+ @api.multi
+ def _get_ldap_configuration(self):
+ self.ensure_one()
+ return self.sudo().company_id.ldaps.filtered('create_ldap_entry')[:1]
+
+ @api.multi
+ def _get_ldap_values(self, values):
+ self.ensure_one()
+ conf = self._get_ldap_configuration()
+ result = {}
+ for mapping in conf.create_ldap_entry_field_mappings:
+ field_name = mapping.field_id.name
+ if field_name not in values or not values[field_name]:
+ continue
+ result[mapping.attribute] = [str(values[field_name])]
+ if result:
+ result['objectClass'] = conf.create_ldap_entry_objectclass\
+ .encode('utf-8').split(',')
+ return result
+
+ @api.multi
+ def _get_ldap_dn(self, values):
+ self.ensure_one()
+ conf = self._get_ldap_configuration()
+ dn = conf.create_ldap_entry_field_mappings.filtered('use_for_dn')
+ assert dn, 'No DN attribute mapping given!'
+ assert self[dn.field_id.name], 'DN attribute empty!'
+ return '%s=%s,%s' % (
+ dn.attribute,
+ ldap.dn.escape_dn_chars(self[dn.field_id.name].encode('utf-8')),
+ conf.create_ldap_entry_base or conf.ldap_base)
+
+ @api.multi
+ def push_to_ldap(self, values):
+ for this in self:
+ if not values.get('is_ldap_user') and not this.is_ldap_user:
+ continue
+ if not this._push_to_ldap_possible(values):
+ continue
+ ldap_values = this._get_ldap_values(values)
+ if not ldap_values:
+ continue
+ ldap_configuration = this._get_ldap_configuration()
+ ldap_connection = ldap_configuration.connect(
+ ldap_configuration.read()[0])
+ ldap_connection.simple_bind_s(
+ (ldap_configuration.ldap_binddn or '').encode('utf-8'),
+ (ldap_configuration.ldap_password or '').encode('utf-8'))
+
+ try:
+ if not this.ldap_entry_dn:
+ this._push_to_ldap_create(
+ ldap_connection, ldap_configuration, values,
+ ldap_values)
+ if this.ldap_entry_dn:
+ this._push_to_ldap_write(
+ ldap_connection, ldap_configuration, values,
+ ldap_values)
+ except ldap.LDAPError as e:
+ _logger.exception(e)
+ raise exceptions.Warning(_('Error'), e.message)
+ finally:
+ ldap_connection.unbind_s()
+
+ @api.multi
+ def _push_to_ldap_create(self, ldap_connection, ldap_configuration, values,
+ ldap_values):
+ self.ensure_one()
+ dn = self._get_ldap_dn(values)
+ ldap_connection.add_s(
+ dn,
+ ldap.modlist.addModlist(ldap_values))
+ self.write({'ldap_entry_dn': dn})
+
+ @api.multi
+ def _push_to_ldap_write(self, ldap_connection, ldap_configuration, values,
+ ldap_values):
+ self.ensure_one()
+ dn = self.ldap_entry_dn.encode('utf-8')
+ dn_mapping = ldap_configuration.create_ldap_entry_field_mappings\
+ .filtered('use_for_dn')
+ if dn_mapping.attribute in ldap_values:
+ ldap_values.pop(dn_mapping.attribute)
+ ldap_entry = ldap_connection.search_s(
+ dn, ldap.SCOPE_BASE, '(objectClass=*)',
+ map(lambda x: x.encode('utf-8'), ldap_values.keys()))
+ assert ldap_entry, '%s not found!' % self.ldap_entry_dn
+ ldap_entry = ldap_entry[0][1]
+ ldap_connection.modify_s(
+ dn,
+ ldap.modlist.modifyModlist(ldap_entry, ldap_values))
+
+ @api.one
+ @api.depends('ldap_entry_dn')
+ def _compute_is_ldap_user(self):
+ self.is_ldap_user = bool(self.ldap_entry_dn)
+
+ @api.one
+ def _change_ldap_password(self, new_passwd, auth_dn=None,
+ auth_passwd=None):
+ ldap_configuration = self.env.user.sudo()._get_ldap_configuration()
+ ldap_connection = ldap_configuration.connect(
+ ldap_configuration.read()[0])
+ dn = auth_dn or ldap_configuration.ldap_binddn
+ old_passwd = auth_passwd or ldap_configuration.ldap_password
+ ldap_connection.simple_bind_s(
+ dn.encode('utf-8'), old_passwd.encode('utf-8'))
+ self.env['ir.model.access'].check('res.users', 'write')
+ self.env.user.check_access_rule('write')
+ try:
+ ldap_connection.passwd_s(
+ self.ldap_entry_dn, None, new_passwd.encode('utf-8'))
+ except ldap.LDAPError, e:
+ raise exceptions.Warning(_('Error'), e.message)
+ finally:
+ ldap_connection.unbind_s()
+ return True
+
+ @api.model
+ def change_password(self, old_passwd, new_passwd):
+ if self.env.user.is_ldap_user:
+ return self.env.user._change_ldap_password(
+ new_passwd, auth_dn=self.env.user.ldap_entry_dn,
+ auth_passwd=old_passwd)
+ return super(ResUsers, self).change_password(old_passwd, new_passwd)
diff --git a/users_ldap_push/security/ir.model.access.csv b/users_ldap_push/security/ir.model.access.csv
new file mode 100644
index 000000000..06b3350c2
--- /dev/null
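Review bot: In `_change_ldap_password` the record-rule check runs on `self.env.user` rather than on `self`, so when the password wizard calls it without `auth_dn` and the bind uses the configured service account, the target user record is never checked against the caller's rules; `self.check_access_rule('write')` looks like the intent, and the configuration is likewise read from the caller's company, not the target's. Both checks and `simple_bind_s` sit outside the `try`, so a denied check leaves the connection open and a failed bind (for example a wrong old password) surfaces as a raw `ldap.LDAPError`; run the checks before `connect` and move the bind inside the `try`. The `auth_passwd or ldap_configuration.ldap_password` fallback silently substitutes the service password when `change_password` passes an empty old password, so reject an empty `old_passwd` up front, and rule out the anonymous bind that `(ldap_binddn or '')` / `(ldap_password or '')` can produce in `push_to_ldap` the same way. In `_get_ldap_values`, `str(values[field_name])` raises `UnicodeEncodeError` for non-ASCII unicode values under Python 2 (which this file targets, given `except ldap.LDAPError, e`); encoding unicode values as UTF-8, as `_get_ldap_dn` does, would be consistent.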
+++ b/users_ldap_push/security/ir.model.access.csv
@@ -0,0 +1,3 @@
+"id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink"
+read_field_mappings,Read field mappings,model_res_company_ldap_field_mapping,,1,0,0,0
+crud_field_mappings,CRUD field mappings,model_res_company_ldap_field_mapping,base.group_system,1,1,1,1
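Review bot: The `read_field_mappings` row has an empty `group_id:id`, which grants read access on `res.company.ldap.field_mapping` to every user rather than to a specific group. The code in this patch reaches the mappings through `self.sudo().company_id.ldaps`, so as far as the visible code shows the global read rule is not needed. Dropping that row, or scoping it to `base.group_system` like the CRUD row, keeps the directory attribute layout visible to administrators only.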
diff --git a/users_ldap_push/static/description/icon.png b/users_ldap_push/static/description/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..3a0328b516c4980e8e44cdb63fd945757ddd132d GIT binary patch literal 9455 zcmW++2RxMjAAjx~&dlBk9S+%}OXg)AGE&Cb*&}d0jUxM@u(PQx^-s)697TX`ehR4?GS^qbkof1cslKgkU)h65qZ9Oc=ml_0temigYLJfnz{IDzUf>bGs4N!v3=Z3jMq&A#7%rM5eQ#dc?k~! zVpnB`o+K7|Al`Q_U;eD$B zfJtP*jH`siUq~{KE)`jP2|#TUEFGRryE2`i0**z#*^6~AI|YzIWy$Cu#CSLW3q=GA z6`?GZymC;dCPk~rBS%eCb`5OLr;RUZ;D`}um=H)BfVIq%7VhiMr)_#G0N#zrNH|__ zc+blN2UAB0=617@>_u;MPHN;P;N#YoE=)R#i$k_`UAA>WWCcEVMh~L_ zj--gtp&|K1#58Yz*AHCTMziU1Jzt_jG0I@qAOHsk$2}yTmVkBp_eHuY$A9)>P6o~I z%aQ?!(GqeQ-Y+b0I(m9pwgi(IIZZzsbMv+9w{PFtd_<_(LA~0H(xz{=FhLB@(1&qHA5EJw1>>=%q2f&^X>IQ{!GJ4e9U z&KlB)z(84HmNgm2hg2C0>WM{E(DdPr+EeU_N@57;PC2&DmGFW_9kP&%?X4}+xWi)( z;)z%wI5>D4a*5XwD)P--sPkoY(a~WBw;E~AW`Yue4kFa^LM3X`8x|}ZUeMnqr}>kH zG%WWW>3ml$Yez?i%)2pbKPI7?5o?hydokgQyZsNEr{a|mLdt;X2TX(#B1j35xPnPW z*bMSSOauW>o;*=kO8ojw91VX!qoOQb)zHJ!odWB}d+*K?#sY_jqPdg{Sm2HdYzdEx zOGVPhVRTGPtv0o}RfVP;Nd(|CB)I;*t&QO8h zFfekr30S!-LHmV_Su-W+rEwYXJ^;6&3|L$mMC8*bQptyOo9;>Qb9Q9`ySe3%V$A*9 zeKEe+b0{#KWGp$F+tga)0RtI)nhMa-K@JS}2krK~n8vJ=Ngm?R!9G<~RyuU0d?nz# z-5EK$o(!F?hmX*2Yt6+coY`6jGbb7tF#6nHA zuKk=GGJ;ZwON1iAfG$E#Y7MnZVmrY|j0eVI(DN_MNFJmyZ|;w4tf@=CCDZ#5N_0K= z$;R~bbk?}TpfDjfB&aiQ$VA}s?P}xPERJG{kxk5~R`iRS(SK5d+Xs9swCozZISbnS zk!)I0>t=A<-^z(cmSFz3=jZ23u13X><0b)P)^1T_))Kr`e!-pb#q&J*Q`p+B6la%C zuVl&0duN<;uOsB3%T9Fp8t{ED108<+W(nOZd?gDnfNBC3>M8WE61$So|P zVvqH0SNtDTcsUdzaMDpT=Ty0pDHHNL@Z0w$Y`XO z2M-_r1S+GaH%pz#Uy0*w$Vdl=X=rQXEzO}d6J^R6zjM1u&c9vYLvLp?W7w(?np9x1 zE_0JSAJCPB%i7p*Wvg)pn5T`8k3-uR?*NT|J`eS#_#54p>!p(mLDvmc-3o0mX*mp_ zN*AeS<>#^-{S%W<*mz^!X$w_2dHWpcJ6^j64qFBft-o}o_Vx80o0>}Du;>kLts;$8 zC`7q$QI(dKYG`Wa8#wl@V4jVWBRGQ@1dr-hstpQL)Tl+aqVpGpbSfN>5i&QMXfiZ> zaA?T1VGe?rpQ@;+pkrVdd{klI&jVS@I5_iz!=UMpTsa~mBga?1r}aRBm1WS;TT*s0f0lY=JBl66Upy)-k4J}lh=P^8(SXk~0xW=T9v*B|gzIhN 
z>qsO7dFd~mgxAy4V?&)=5ieYq?zi?ZEoj)&2o)RLy=@hbCRcfT5jigwtQGE{L*8<@Yd{zg;CsL5mvzfDY}P-wos_6PfprFVaeqNE%h zKZhLtcQld;ZD+>=nqN~>GvROfueSzJD&BE*}XfU|H&(FssBqY=hPCt`d zH?@s2>I(|;fcW&YM6#V#!kUIP8$Nkdh0A(bEVj``-AAyYgwY~jB zT|I7Bf@%;7aL7Wf4dZ%VqF$eiaC38OV6oy3Z#TER2G+fOCd9Iaoy6aLYbPTN{XRPz z;U!V|vBf%H!}52L2gH_+j;`bTcQRXB+y9onc^wLm5wi3-Be}U>k_u>2Eg$=k!(l@I zcCg+flakT2Nej3i0yn+g+}%NYb?ta;R?(g5SnwsQ49U8Wng8d|{B+lyRcEDvR3+`O{zfmrmvFrL6acVP%yG98X zo&+VBg@px@i)%o?dG(`T;n*$S5*rnyiR#=wW}}GsAcfyQpE|>a{=$Hjg=-*_K;UtD z#z-)AXwSRY?OPefw^iI+ z)AXz#PfEjlwTes|_{sB?4(O@fg0AJ^g8gP}ex9Ucf*@_^J(s_5jJV}c)s$`Myn|Kd z$6>}#q^n{4vN@+Os$m7KV+`}c%4)4pv@06af4-x5#wj!KKb%caK{A&Y#Rfs z-po?Dcb1({W=6FKIUirH&(yg=*6aLCekcKwyfK^JN5{wcA3nhO(o}SK#!CINhI`-I z1)6&n7O&ZmyFMuNwvEic#IiOAwNkR=u5it{B9n2sAJV5pNhar=j5`*N!Na;c7g!l$ z3aYBqUkqqTJ=Re-;)s!EOeij=7SQZ3Hq}ZRds%IM*PtM$wV z@;rlc*NRK7i3y5BETSKuumEN`Xu_8GP1Ri=OKQ$@I^ko8>H6)4rjiG5{VBM>B|%`&&s^)jS|-_95&yc=GqjNo{zFkw%%HHhS~e=s zD#sfS+-?*t|J!+ozP6KvtOl!R)@@-z24}`9{QaVLD^9VCSR2b`b!KC#o;Ki<+wXB6 zx3&O0LOWcg4&rv4QG0)4yb}7BFSEg~=IR5#ZRj8kg}dS7_V&^%#Do==#`u zpy6{ox?jWuR(;pg+f@mT>#HGWHAJRRDDDv~@(IDw&R>9643kK#HN`!1vBJHnC+RM&yIh8{gG2q zA%e*U3|N0XSRa~oX-3EAneep)@{h2vvd3Xvy$7og(sayr@95+e6~Xvi1tUqnIxoIH zVWo*OwYElb#uyW{Imam6f2rGbjR!Y3`#gPqkv57dB6K^wRGxc9B(t|aYDGS=m$&S!NmCtrMMaUg(c zc2qC=2Z`EEFMW-me5B)24AqF*bV5Dr-M5ig(l-WPS%CgaPzs6p_gnCIvTJ=Y<6!gT zVt@AfYCzjjsMEGi=rDQHo0yc;HqoRNnNFeWZgcm?f;cp(6CNylj36DoL(?TS7eU#+ z7&mfr#y))+CJOXQKUMZ7QIdS9@#-}7y2K1{8)cCt0~-X0O!O?Qx#E4Og+;A2SjalQ zs7r?qn0H044=sDN$SRG$arw~n=+T_DNdSrarmu)V6@|?1-ZB#hRn`uilTGPJ@fqEy zGt(f0B+^JDP&f=r{#Y_wi#AVDf-y!RIXU^0jXsFpf>=Ji*TeqSY!H~AMbJdCGLhC) zn7Rx+sXw6uYj;WRYrLd^5IZq@6JI1C^YkgnedZEYy<&4(z%Q$5yv#Boo{AH8n$a zhb4Y3PWdr269&?V%uI$xMcUrMzl=;w<_nm*qr=c3Rl@i5wWB;e-`t7D&c-mcQl7x! 
zZWB`UGcw=Y2=}~wzrfLx=uet<;m3~=8I~ZRuzvMQUQdr+yTV|ATf1Uuomr__nDf=X zZ3WYJtHp_ri(}SQAPjv+Y+0=fH4krOP@S&=zZ-t1jW1o@}z;xk8 z(Nz1co&El^HK^NrhVHa-_;&88vTU>_J33=%{if;BEY*J#1n59=07jrGQ#IP>@u#3A z;!q+E1Rj3ZJ+!4bq9F8PXJ@yMgZL;>&gYA0%_Kbi8?S=XGM~dnQZQ!yBSgcZhY96H zrWnU;k)qy`rX&&xlDyA%(a1Hhi5CWkmg(`Gb%m(HKi-7Z!LKGRP_B8@`7&hdDy5n= z`OIxqxiVfX@OX1p(mQu>0Ai*v_cTMiw4qRt3~NBvr9oBy0)r>w3p~V0SCm=An6@3n)>@z!|o-$HvDK z|3D2ZMJkLE5loMKl6R^ez@Zz%S$&mbeoqH5`Bb){Ei21q&VP)hWS2tjShfFtGE+$z zzCR$P#uktu+#!w)cX!lWN1XU%K-r=s{|j?)Akf@q#3b#{6cZCuJ~gCxuMXRmI$nGtnH+-h z+GEi!*X=AP<|fG`1>MBdTb?28JYc=fGvAi2I<$B(rs$;eoJCyR6_bc~p!XR@O-+sD z=eH`-ye})I5ic1eL~TDmtfJ|8`0VJ*Yr=hNCd)G1p2MMz4C3^Mj?7;!w|Ly%JqmuW zlIEW^Ft%z?*|fpXda>Jr^1noFZEwFgVV%|*XhH@acv8rdGxeEX{M$(vG{Zw+x(ei@ zmfXb22}8-?Fi`vo-YVrTH*C?a8%M=Hv9MqVH7H^J$KsD?>!SFZ;ZsvnHr_gn=7acz z#W?0eCdVhVMWN12VV^$>WlQ?f;P^{(&pYTops|btm6aj>_Uz+hqpGwB)vWp0Cf5y< zft8-je~nn?W11plq}N)4A{l8I7$!ks_x$PXW-2XaRFswX_BnF{R#6YIwMhAgd5F9X zGmwdadS6(a^fjHtXg8=l?Rc0Sm%hk6E9!5cLVloEy4eh(=FwgP`)~I^5~pBEWo+F6 zSf2ncyMurJN91#cJTy_u8Y}@%!bq1RkGC~-bV@SXRd4F{R-*V`bS+6;W5vZ(&+I<9$;-V|eNfLa5n-6% z2(}&uGRF;p92eS*sE*oR$@pexaqr*meB)VhmIg@h{uzkk$9~qh#cHhw#>O%)b@+(| z^IQgqzuj~Sk(J;swEM-3TrJAPCq9k^^^`q{IItKBRXYe}e0Tdr=Huf7da3$l4PdpwWDop%^}n;dD#K4s#DYA8SHZ z&1!riV4W4R7R#C))JH1~axJ)RYnM$$lIR%6fIVA@zV{XVyx}C+a-Dt8Y9M)^KU0+H zR4IUb2CJ{Hg>CuaXtD50jB(_Tcx=Z$^WYu2u5kubqmwp%drJ6 z?Fo40g!Qd<-l=TQxqHEOuPX0;^z7iX?Ke^a%XT<13TA^5`4Xcw6D@Ur&VT&CUe0d} z1GjOVF1^L@>O)l@?bD~$wzgf(nxX1OGD8fEV?TdJcZc2KoUe|oP1#=$$7ee|xbY)A zDZq+cuTpc(fFdj^=!;{k03C69lMQ(|>uhRfRu%+!k&YOi-3|1QKB z z?n?eq1XP>p-IM$Z^C;2L3itnbJZAip*Zo0aw2bs8@(s^~*8T9go!%dHcAz2lM;`yp zD=7&xjFV$S&5uDaiScyD?B-i1ze`+CoRtz`Wn+Zl&#s4&}MO{@N!ufrzjG$B79)Y2d3tBk&)TxUTw@QS0TEL_?njX|@vq?Uz(nBFK5Pq7*xj#u*R&i|?7+6# z+|r_n#SW&LXhtheZdah{ZVoqwyT{D>MC3nkFF#N)xLi{p7J1jXlmVeb;cP5?e(=f# zuT7fvjSbjS781v?7{)-X3*?>tq?)Yd)~|1{BDS(pqC zC}~H#WXlkUW*H5CDOo<)#x7%RY)A;ShGhI5s*#cRDA8YgqG(HeKDx+#(ZQ?386dv! 
zlXCO)w91~Vw4AmOcATuV653fa9R$fyK8ul%rG z-wfS zihugoZyr38Im?Zuh6@RcF~t1anQu7>#lPpb#}4cOA!EM11`%f*07RqOVkmX{p~KJ9 z^zP;K#|)$`^Rb{rnHGH{~>1(fawV0*Z#)}M`m8-?ZJV<+e}s9wE# z)l&az?w^5{)`S(%MRzxdNqrs1n*-=jS^_jqE*5XDrA0+VE`5^*p3CuM<&dZEeCjoz zR;uu_H9ZPZV|fQq`Cyw4nscrVwi!fE6ciMmX$!_hN7uF;jjKG)d2@aC4ropY)8etW=xJvni)8eHi`H$%#zn^WJ5NLc-rqk|u&&4Z6fD_m&JfSI1Bvb?b<*n&sfl0^t z=HnmRl`XrFvMKB%9}>PaA`m-fK6a0(8=qPkWS5bb4=v?XcWi&hRY?O5HdulRi4?fN zlsJ*N-0Qw+Yic@s0(2uy%F@ib;GjXt01Fmx5XbRo6+n|pP(&nodMoap^z{~q ziEeaUT@Mxe3vJSfI6?uLND(CNr=#^W<1b}jzW58bIfyWTDle$mmS(|x-0|2UlX+9k zQ^EX7Nw}?EzVoBfT(-LT|=9N@^hcn-_p&sqG z&*oVs2JSU+N4ZD`FhCAWaS;>|wH2G*Id|?pa#@>tyxX`+4HyIArWDvVrX)2WAOQff z0qyHu&-S@i^MS-+j--!pr4fPBj~_8({~e1bfcl0wI1kaoN>mJL6KUPQm5N7lB(ui1 zE-o%kq)&djzWJ}ob<-GfDlkB;F31j-VHKvQUGQ3sp`CwyGJk_i!y^sD0fqC@$9|jO zOqN!r!8-p==F@ZVP=U$qSpY(gQ0)59P1&t@y?5rvg<}E+GB}26NYPp4f2YFQrQtot5mn3wu_qprZ=>Ig-$ zbW26Ws~IgY>}^5w`vTB(G`PTZaDiGBo5o(tp)qli|NeV( z@H_=R8V39rt5J5YB2Ky?4eJJ#b`_iBe2ot~6%7mLt5t8Vwi^Jy7|jWXqa3amOIoRb zOr}WVFP--DsS`1WpN%~)t3R!arKF^Q$e12KEqU36AWwnCBICpH4XCsfnyrHr>$I$4 z!DpKX$OKLWarN7nv@!uIA+~RNO)l$$w}p(;b>mx8pwYvu;dD_unryX_NhT8*Tj>BTrTTL&!?O+%Rv;b?B??gSzdp?6Uug9{ zd@V08Z$BdI?fpoCS$)t4mg4rT8Q_I}h`0d-vYZ^|dOB*Q^S|xqTV*vIg?@fVFSmMpaw0qtTRbx} z({Pg?#{2`sc9)M5N$*N|4;^t$+QP?#mov zGVC@I*lBVrOU-%2y!7%)fAKjpEFsgQc4{amtiHb95KQEwvf<(3T<9-Zm$xIew#P22 zc2Ix|App^>v6(3L_MCU0d3W##AB0M~3D00EWoKZqsJYT(#@w$Y_H7G22M~ApVFTRHMI_3be)Lkn#0F*V8Pq zc}`Cjy$bE;FJ6H7p=0y#R>`}-m4(0F>%@P|?7fx{=R^uFdISRnZ2W_xQhD{YuR3t< z{6yxu=4~JkeA;|(J6_nv#>Nvs&FuLA&PW^he@t(UwFFE8)|a!R{`E`K`i^ZnyE4$k z;(749Ix|oi$c3QbEJ3b~D_kQsPz~fIUKym($a_7dJ?o+40*OLl^{=&oq$<#Q(yyrp z{J-FAniyAw9tPbe&IhQ|a`DqFTVQGQ&Gq3!C2==4x{6EJwiPZ8zub-iXoUtkJiG{} zPaR&}_fn8_z~(=;5lD-aPWD3z8PZS@AaUiomF!G8I}Mf>e~0g#BelA-5#`cj;O5>N Xviia!U7SGha1wx#SCgwmn*{w2TRX*I literal 0 HcmV?d00001 diff --git a/users_ldap_push/tests/__init__.py b/users_ldap_push/tests/__init__.py new file mode 100644 index 000000000..e72d7ea8d --- /dev/null +++ b/users_ldap_push/tests/__init__.py 
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV .
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+from . import test_users_ldap_push
diff --git a/users_ldap_push/tests/test_users_ldap_push.py b/users_ldap_push/tests/test_users_ldap_push.py
new file mode 100644
index 000000000..cf2c0685e
--- /dev/null
+++ b/users_ldap_push/tests/test_users_ldap_push.py
@@ -0,0 +1,104 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV .
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+import ldap
+from openerp.tests.common import TransactionCase
+
+
+class FakeLdapConnection(object):
+ def __init__(self):
+ self.entries = {}
+
+ def simple_bind_s(self, dn, passwd):
+ pass
+
+ def add_s(self, dn, modlist):
+ self.entries[dn] = modlist
+
+ def search_s(self, dn, scope, ldap_filter, attributes):
+ if dn in self.entries:
+ return [(dn, dict(self.entries[dn]))]
+ return None
+
+ def modify_s(self, dn, modlist):
+ if dn not in self.entries:
+ raise ldap.NO_SUCH_OBJECT()
+ for operation, attribute, value in modlist:
+ if operation == ldap.MOD_ADD:
+ self.entries[dn].append((attribute, value))
+ continue
+
+ def unbind_s(self):
+ pass
+
+
+class TestUsersLdapPush(TransactionCase):
+ def test_users_ldap_push(self):
+ company = self.env['res.company'].create({
+ 'name': 'testcompany',
+ 'ldaps': [(0, 0, {
+ 'ldap_base': 'dc=test',
+ 'ldap_filter': '(uid=%s)',
+ 'create_ldap_entry_field_mappings': [
+ (
+ 0, 0, {
+ 'field_id':
+ self.env.ref('base.field_res_users_login').id,
+ 'attribute': 'userid',
+ 'use_for_dn': True,
+ },
+ ),
+ (
+ 0, 0, {
+ 'field_id':
+ self.env.ref('base.field_res_users_name').id,
+ 'attribute': 'sn',
+ },
+ ),
+ ],
+ })],
+ })
+ fake_ldap = FakeLdapConnection()
+ self.env['res.company.ldap']._patch_method(
+ 'connect', lambda x, y: fake_ldap)
+ user = self.env['res.users'].create({
+ 'name': 'testuser',
+ 'login': 'testuser',
+ 'company_ids': [(6, 0, company.ids)],
+ 'company_id': company.id,
+ 'is_ldap_user': False,
+ })
+ self.assertFalse(user.ldap_entry_dn)
+ user.unlink()
+ user = self.env['res.users'].create({
+ 'name': 'testuser',
+ 'login': 'testuser',
+ 'company_ids': [(6, 0, company.ids)],
+ 'company_id': company.id,
+ 'is_ldap_user': True,
+ })
+ self.assertTrue(fake_ldap.entries[user.ldap_entry_dn])
+ self.assertEqual(
+ dict(fake_ldap.entries[user.ldap_entry_dn])['userid'],
+ [user.login])
+ user.partner_id.write({'name': 'testuser2'})
+ self.assertTrue([
+ v for a, v in fake_ldap.entries[user.ldap_entry_dn]
+ if v == ['testuser2']
+ ])
diff --git a/users_ldap_push/views/res_company.xml b/users_ldap_push/views/res_company.xml
new file mode 100644
index 000000000..51eb56e72
--- /dev/null
+++ b/users_ldap_push/views/res_company.xml
@@ -0,0 +1,27 @@ + + + + + res.company + + + + + + + + + + + + + + + + + + + + + +
diff --git a/users_ldap_push/views/res_users.xml b/users_ldap_push/views/res_users.xml
new file mode 100644
index 000000000..efc6716d3
--- /dev/null
+++ b/users_ldap_push/views/res_users.xml
@@ -0,0 +1,44 @@ + + + + + res.users + + + + + + + + + res.users + + + + + + + + + + res.users + + + + + + 0 + + + + + res.users + + + + + + + + +
diff --git a/users_ldap_push/wizards/__init__.py b/users_ldap_push/wizards/__init__.py
new file mode 100644
index 000000000..5d1c231c5
--- /dev/null
+++ b/users_ldap_push/wizards/__init__.py
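Review bot: `_patch_method('connect', ...)` in `test_users_ldap_push` is never undone, so the fake connection can stay installed on `res.company.ldap` for tests that run afterwards; register the revert right after patching, e.g. `self.addCleanup(self.env['res.company.ldap']._revert_method, 'connect')`. The test also never exercises `_change_ldap_password` or a failing bind, so the password path and its access checks are untested. `FakeLdapConnection.modify_s` ignores every operation except `ldap.MOD_ADD`, so the replace and delete operations produced by `modifyModlist` are not verified.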
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV .
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+from . import change_password_user
diff --git a/users_ldap_push/wizards/change_password_user.py b/users_ldap_push/wizards/change_password_user.py
new file mode 100644
index 000000000..20f6b1065
--- /dev/null
+++ b/users_ldap_push/wizards/change_password_user.py
@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# This module copyright (C) 2015 Therp BV ().
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+##############################################################################
+from openerp import models, api
+
+
+class ChangePasswordUser(models.TransientModel):
+ _inherit = 'change.password.user'
+
+ @api.multi
+ def change_password_button(self):
+ for user_line in self.filtered('user_id.is_ldap_user'):
+ user_line.user_id._change_ldap_password(user_line.new_passwd)
+ user_line.new_passwd = False
+ return super(ChangePasswordUser, self.filtered(
+ lambda x: not x.user_id.is_ldap_user)).change_password_button()
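Review bot: `change_password_button` passes `user_line.new_passwd` straight to `_change_ldap_password`, which binds with the service account when no `auth_dn` is given and calls `new_passwd.encode('utf-8')`; if a wizard line can be submitted without a password, that fails with an `AttributeError` instead of a user-facing message. Guard the value before the call, e.g. `if not user_line.new_passwd: raise exceptions.Warning(_('Error'), _('Please enter a new password'))`, which needs `_` and `exceptions` added to the `openerp` import. A short docstring saying that LDAP-backed lines are handled here with the directory's bind credentials and the remaining lines are delegated to `super` would make the privilege boundary explicit.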