128 lines
4.9 KiB
128 lines
4.9 KiB
# -*- coding: utf-8 -*-
|
|
##############################################################################
|
|
#
|
|
# OpenERP, Open Source Management Solution
|
|
# This module copyright (C) 2012 Therp BV (<http://therp.nl>).
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
# License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
##############################################################################
|
|
|
|
from openerp import models
|
|
from openerp import fields
|
|
from openerp import api
|
|
import logging
|
|
from string import Template
|
|
|
|
|
|
class LDAPOperator(models.AbstractModel):
|
|
_name = "res.company.ldap.operator"
|
|
|
|
def operators(self):
|
|
return ('contains', 'equals', 'query')
|
|
|
|
def contains(self, ldap_entry, attribute, value, ldap_config, company,
|
|
logger):
|
|
return (attribute in ldap_entry[1]) and \
|
|
(value in ldap_entry[1][attribute])
|
|
|
|
def equals(self, ldap_entry, attribute, value, ldap_config, company,
|
|
logger):
|
|
return attribute in ldap_entry[1] and \
|
|
unicode(value) == unicode(ldap_entry[1][attribute])
|
|
|
|
def query(self, ldap_entry, attribute, value, ldap_config, company,
|
|
logger):
|
|
query_string = Template(value).safe_substitute(dict(
|
|
[(attr, ldap_entry[1][attribute][0]) for attr in ldap_entry[1]]
|
|
)
|
|
)
|
|
logger.debug('evaluating query group mapping, filter: %s' %
|
|
query_string)
|
|
results = company.query(ldap_config, query_string)
|
|
logger.debug(results)
|
|
return bool(results)
|
|
|
|
|
|
class CompanyLDAPGroupMapping(models.Model):
|
|
_name = 'res.company.ldap.group_mapping'
|
|
_rec_name = 'ldap_attribute'
|
|
_order = 'ldap_attribute'
|
|
|
|
def _get_operators(self):
|
|
op_obj = self.env['res.company.ldap.operator']
|
|
operators = [(op, op) for op in op_obj.operators()]
|
|
return tuple(operators)
|
|
|
|
ldap_id = fields.Many2one('res.company.ldap', 'LDAP server', required=True)
|
|
ldap_attribute = fields.Char(
|
|
'LDAP attribute',
|
|
help='The LDAP attribute to check.\n'
|
|
'For active directory, use memberOf.')
|
|
operator = fields.Selection(
|
|
_get_operators, 'Operator',
|
|
help='The operator to check the attribute against the value\n'
|
|
'For active directory, use \'contains\'', required=True)
|
|
value = fields.Char(
|
|
'Value',
|
|
help='The value to check the attribute against.\n'
|
|
'For active directory, use the dn of the desired group',
|
|
required=True)
|
|
group = fields.Many2one(
|
|
'res.groups', 'OpenERP group',
|
|
help='The OpenERP group to assign', required=True)
|
|
|
|
|
|
class CompanyLDAP(models.Model):
|
|
_inherit = 'res.company.ldap'
|
|
|
|
group_mappings = fields.One2many(
|
|
'res.company.ldap.group_mapping',
|
|
'ldap_id', 'Group mappings',
|
|
help='Define how OpenERP groups are assigned to ldap users')
|
|
only_ldap_groups = fields.Boolean(
|
|
'Only ldap groups',
|
|
help='If this is checked, manual changes to group membership are '
|
|
'undone on every login (so OpenERP groups are always synchronous '
|
|
'with LDAP groups). If not, manually added groups are preserved.')
|
|
|
|
_default = {
|
|
'only_ldap_groups': False,
|
|
}
|
|
|
|
@api.model
|
|
def get_or_create_user(self, conf, login, ldap_entry):
|
|
op_obj = self.env['res.company.ldap.operator']
|
|
id_ = conf['id']
|
|
this = self.browse(id_)
|
|
user_id = super(CompanyLDAP, self).get_or_create_user(
|
|
conf, login, ldap_entry)
|
|
if not user_id:
|
|
return user_id
|
|
userobj = self.env['res.users']
|
|
user = userobj.browse(user_id)
|
|
logger = logging.getLogger('users_ldap_groups')
|
|
if self.only_ldap_groups:
|
|
logger.debug('deleting all groups from user %d' % user_id)
|
|
user.write({'groups_id': [(5, )]})
|
|
|
|
for mapping in this.group_mappings:
|
|
operator = getattr(op_obj, mapping.operator)
|
|
logger.debug('checking mapping %s' % mapping)
|
|
if operator(ldap_entry, mapping['ldap_attribute'],
|
|
mapping['value'], conf, self, logger):
|
|
logger.debug('adding user %d to group %s' %
|
|
(user_id, mapping.group.name))
|
|
user.write({'groups_id': [(4, mapping.group.id)]})
|
|
return user_id
|