# -*- coding: utf-8 -*- ############################################################################## # # OpenERP, Open Source Management Solution # This module copyright (C) 2012 Therp BV (). # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as # published by the Free Software Foundation, either version 3 of the # License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . # ############################################################################## import logging import inspect from openerp.osv import fields, orm from . import users_ldap_groups_operators class CompanyLDAPGroupMapping(orm.Model): _name = 'res.company.ldap.group_mapping' _rec_name = 'ldap_attribute' _order = 'ldap_attribute' def _get_operators(self, cr, uid, context=None): operators = [] members = inspect.getmembers( users_ldap_groups_operators, lambda cls: (inspect.isclass(cls) and cls != users_ldap_groups_operators.LDAPOperator)) for name, operator in members: operators.append((name, name)) return tuple(operators) _columns = { 'ldap_id': fields.many2one('res.company.ldap', 'LDAP server', required=True), 'ldap_attribute': fields.char( 'LDAP attribute', size=64, help='The LDAP attribute to check.\n' 'For active directory, use memberOf.'), 'operator': fields.selection( _get_operators, 'Operator', help='The operator to check the attribute against the value\n' 'For active directory, use \'contains\'', required=True), 'value': fields.char( 'Value', size=1024, help='The value to check the attribute against.\n' 'For active directory, use the dn of the desired group', required=True), 'group': fields.many2one( 'res.groups', 'OpenERP group', help='The OpenERP group to assign', required=True), } class CompanyLDAP(orm.Model): _inherit = 'res.company.ldap' _columns = { 'group_mappings': fields.one2many( 'res.company.ldap.group_mapping', 'ldap_id', 'Group mappings', help='Define how OpenERP groups are assigned to ldap users'), 'only_ldap_groups': fields.boolean( 'Only ldap groups', help='If this is checked, manual changes to group membership are ' 'undone on every login (so OpenERP groups are always ' 'synchronous with LDAP groups). If not, manually added ' 'groups are preserved.') } _defaults = { 'only_ldap_groups': False, } def get_or_create_user(self, cr, uid, conf, login, ldap_entry, context=None): _super = super(CompanyLDAP, self) user_id = _super.get_or_create_user(cr, uid, conf, login, ldap_entry, context) if not user_id: return user_id logger = logging.getLogger('users_ldap_groups') mappingobj = self.pool.get('res.company.ldap.group_mapping') userobj = self.pool.get('res.users') conf_all = self.read(cr, uid, conf['id'], ['only_ldap_groups']) if(conf_all['only_ldap_groups']): logger.debug('deleting all groups from user %d', user_id) userobj.write(cr, uid, [user_id], {'groups_id': [(5, )]}, context=context) mapping_ids = mappingobj.search(cr, uid, [('ldap_id', '=', conf['id'])]) for mapping in mappingobj.read(cr, uid, mapping_ids, []): operator = getattr(users_ldap_groups_operators, mapping['operator'])() logger.debug('checking mapping %s', mapping) if operator.check_value(ldap_entry, mapping['ldap_attribute'], mapping['value'], conf, self, logger): logger.debug('adding user %d to group %s', (user_id, mapping['group'][1])) userobj.write(cr, uid, [user_id], {'groups_id': [(4, mapping['group'][0])]}, context=context) return user_id