From f952fd49796f906da65df22de6d2e608bb3a3a03 Mon Sep 17 00:00:00 2001 From: Derek Feichtinger Date: Tue, 16 Feb 2016 17:27:59 +0100 Subject: [PATCH] fixed bug when search pattern only contains dc * bin/ldapuserdir-ctl: improved documentation * ldapuserdir/ldapuserdir.py: fixed error when search ldap base contained only 'dc=d,dc=psi,dc=ch' --- bin/ldapuserdir-ctl | 12 +- ldapuserdir/ldapuserdir.py | 15 +- ldapuserdir/version.py | 2 +- todo.org | 340 ++++++++++++++++++++++++++++++++++++- 4 files changed, 360 insertions(+), 9 deletions(-) diff --git a/bin/ldapuserdir-ctl b/bin/ldapuserdir-ctl index 7f7385b..dd45fe4 100755 --- a/bin/ldapuserdir-ctl +++ b/bin/ldapuserdir-ctl @@ -80,10 +80,15 @@ usage = """%prog [options] groupname [usernames] and a lookup) The configuration is read from a configuration file. Default - locations: + locations for the file: """ usage += "\n\t* " + "\n\t* ".join(cfgfile_loc) + '\n' +usage += """ + Accessing the user information in AD requires an account with + limited permissions that needs to be set in the configuration file's + default_user_dn and default_user_pw options.""" + usage_epilog = """ Examples: List group members @@ -92,7 +97,7 @@ usage_epilog = """ Get group memberships for user mueller (optionally with a group filter) %prog -g mueller - %prog -g mueller 'svc_ra_*' + %prog -g mueller 'svc-ra*' Add/delete users to/from a group (requires access rights!) %prog -a svc_ra_x06sa user1 user2 user3 @@ -101,6 +106,9 @@ usage_epilog = """ List users matching a pattern %prog -u 'mueller*' + List users matching a mail address pattern + %prog -m '*mueller@psi* + """ examplecfg = """# Configuration file example: diff --git a/ldapuserdir/ldapuserdir.py b/ldapuserdir/ldapuserdir.py index f24d515..6002a1d 100644 --- a/ldapuserdir/ldapuserdir.py +++ b/ldapuserdir/ldapuserdir.py 
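Review bot: The usage paragraph added in the first hunk of bin/ldapuserdir-ctl tells users to put the bind account's password into `default_user_pw`, but says nothing about protecting the file that holds it. The default locations come from `cfgfile_loc`, which is defined outside the hunk, so some of them may be readable by other users. I would append a sentence to the new text such as `The configuration file contains a password; make it readable only by its owner (e.g. chmod 600).`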
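Review bot: The mail-pattern example added in the third hunk, `%prog -m '*mueller@psi*`, is missing its closing single quote, so anyone who copies it from the help output gets an unterminated shell string. It should read `%prog -m '*mueller@psi*'`. The `usage_epilog` string starts and ends outside the hunk.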
@@ -363,7 +363,7 @@ class LdapUserDir(object): Returns ------- dict - dictionary of the matching groups { dn1:list1, ... } + list of the matching groups { (dn1:dict1), ... } """ if ou == None: group_ou = self.group_ou @@ -377,6 +377,11 @@ class LdapUserDir(object): r = self.search_s_reconn(group_ou, ldap.SCOPE_SUBTREE, srch) #except ldap.LDAPError, e: # print e + + # The following filter is necessary, because AD yielded + # some (None,String) fields when searching with + # --group-ou='dc=d,dc=psi,dc=ch'. This led to errors. + r = [el for el in r if el[0] != None] return r def get_memberof(self, dn, recursive=True, mssfu=False): @@ -532,10 +537,12 @@ class LdapUserDir(object): gid = '---' else: gid = entry['msSFU30GidNumber'][0] - print "%s:IGNORE:%s:" % (entry['cn'][0], gid), + sys.stdout.write("%s:IGNORE:%s:" % (entry['cn'][0], gid)) if 'member' in entry: - print ",".join([self.dn_to_cn(dn) for dn in entry['member']]) - + sys.stdout.write(",".join([self.dn_to_cn(dn) for dn in entry['member']]) + "\n") + else: + sys.stdout.write("\n") + def _mod_groupmembers(self, ldapmode, dngroup, usernames): """modifies (adds/deletes) members of an LDAP group entry diff --git a/ldapuserdir/version.py b/ldapuserdir/version.py index 9aa3f90..58039f5 100644 --- a/ldapuserdir/version.py +++ b/ldapuserdir/version.py @@ -1 +1 @@ -__version__ = "2.1.0" +__version__ = "2.1.1" diff --git a/todo.org b/todo.org index 6234c94..a189673 100644 --- a/todo.org +++ b/todo.org @@ -1,4 +1,5 @@ #+TITLE: todo for ldapuserdir +#+TODO: BUG(b!) FEATURE(f!) | RESOLVED(r!) WONTFIX(w!) WORKAROUND(W!) #+DATE: <2013-07-22 Mon> #+AUTHOR: Derek Feichtinger #+EMAIL: derek.feichtinger@psi.ch 
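Review bot: The Returns section of this docstring now contradicts itself: the type line just above the change still reads `dict`, while the new description says list. The notation `{ (dn1:dict1), ... }` is also neither list nor tuple syntax. I would change the type line to `list` and the description to `list of (dn, attrs) tuples for the matching groups: [(dn1, dict1), ...]`. The docstring begins outside the hunk.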
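Review bot: The new filter compares with `!= None`; an identity test is the idiomatic and more robust form, `r = [el for el in r if el[0] is not None]`. The dropped `(None, [url])` items look like LDAP search result references, since the ldapsearch output recorded in todo.org lists them as `ref:` lines, and the comment would help more if it said that instead of "(None,String) fields". Discarding them rather than following the URLs is a sensible default, but the filter is applied only in this method. Other callers of `search_s_reconn` that search from the domain root would presumably receive the same entries, so consider filtering inside that helper. The method body starts outside the hunk.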
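Review bot: In the `@@ -532,10 +537,12 @@` hunk each output record is now assembled from up to three separate `sys.stdout.write` calls across an if/else, which is harder to read than building the line once. I would write `members = ",".join(self.dn_to_cn(dn) for dn in entry.get('member', []))` followed by `sys.stdout.write("%s:IGNORE:%s:%s\n" % (entry['cn'][0], gid, members))`. The replacement for the blank line also appears to add trailing whitespace. The enclosing method starts outside the hunk.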
@@ -13,9 +14,344 @@ #+LANGUAGE: en #+SELECT_TAGS: export -* Bugfixes +* Bugs and feature requests +** BUG Handling of ldap server returning slices + :LOGBOOK: + - State "BUG" from [2016-02-16 Tue 16:03] + :END: - [ ] In the case of big groups, ldap returns the results with the attribute name member being extended for the slice information. Need to implement the client to be able to deal with this. - - Dani's docu may help https://intranet.psi.ch/AIT/AdLdapClientConfiguration + - Dani's docu may help https://intranet.psi.ch/AIT/AdLdapClientConfiguration +** WORKAROUND group list returning some elements with dn=None + CLOSED: [2016-02-16 Tue 17:27] + :LOGBOOK: + - State "WORKAROUND" from "BUG" [2016-02-16 Tue 17:27] + - State "BUG" from [2016-02-16 Tue 16:03] + :END: + + Invoking ldapuserdir-ctl in the following way leads to error + #+BEGIN_SRC + ldapuserdir-ctl --debug --group-ou='dc=d,dc=psi,dc=ch' 'p1299*' + #+END_SRC + + #+BEGIN_EXAMPLE + p12990:IGNORE:12990: + p12991:IGNORE:12991: + p12992:IGNORE:12992: + p12993:IGNORE:12993: + p12994:IGNORE:12994: + p12995:IGNORE:12995: + p12996:IGNORE:12996: + p12997:IGNORE:12997: + p12998:IGNORE:12998: + p12999:IGNORE:12999: + Traceback (most recent call last): + File "/home/dfeich/conda-envs/build-test/bin/ldapuserdir-ctl", line 6, in + exec(compile(open(__file__).read(), __file__, 'exec')) + File "/home/dfeich/projects/ldapuserdir/bin/ldapuserdir-ctl", line 341, in + verbose=flag_verbose) + File "/home/dfeich/projects/ldapuserdir/ldapuserdir/ldapuserdir.py", line 537, in list_groups + sys.stdout.write("%s:IGNORE:%s:" % (entry['cn'][0], gid)) + TypeError: list indices must be integers, not str + #+END_EXAMPLE + + + Reason: The search in get_groups_struct + #+BEGIN_SRC python + r = self.search_s_reconn(group_ou, ldap.SCOPE_SUBTREE, srch) + #+END_SRC + + returns a result list which contains (dn, dict) pairs with the exception of the + last 2 entries which are (None, list). + + #+BEGIN_EXAMPLE + [ ... 
+ ('CN=p12999,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch', + {'cn': ['p12999'], + 'dSCorePropagationData': ['16010101000000.0Z'], + 'distinguishedName': ['CN=p12999,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch'], + 'gidNumber': ['12999'], + 'groupType': ['-2147483646'], + 'instanceType': ['4'], + 'msSFU30GidNumber': ['12999'], + 'name': ['p12999'], + 'objectCategory': ['CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch'], + 'objectClass': ['top', 'group'], + 'objectGUID': ['jx\xd9\x7f/\x16\xebJ\xb7\x1c\xf3~\n\xd4\x17\x95'], + 'objectSid': ['\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00x.\x9d\x13\x931\xda\x1cC\x17\n2\xa9\x1a\x01\x00'], + 'sAMAccountName': ['p12999'], + 'sAMAccountType': ['268435456'], + 'uSNChanged': ['817289847'], + 'uSNCreated': ['817289847'], + 'whenChanged': ['20160215133759.0Z'], + 'whenCreated': ['20160215133757.0Z']}), + (None, ['ldaps://d.psi.ch/CN=Configuration,DC=d,DC=psi,DC=ch']), + (None, ['ldaps://d.psi.ch/CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch'])] + + #+END_EXAMPLE + + Not clear how these entries come to pass. It does not happen if I use the additional + classification 'ou=IT'. + + #+BEGIN_SRC sh + ldapuserdir-ctl --debug --group-ou='ou=IT,dc=d,dc=psi,dc=ch' 'p1299*' + #+END_SRC + + The corresponding ldapsearch yields no clue abou these additional elements. Probably + it filters them out. Discussing with Björn and looking it up in AD, we can see that + these CN paths exist for the config information. 
+ + #+BEGIN_SRC sh :results output + ldapsearch -x -w 'TBVsK5zOfqMyxVmXco7y' \ + -D 'CN=linux_ldap,OU=Services,OU=IT,DC=d,DC=psi,DC=ch' \ + -H "ldaps://d.psi.ch:636" -b "dc=d,dc=PSI,dc=ch" \ + '(&(objectClass=Group)(msSFU30GidNumber=*)(cn=p1299*))' + #+END_SRC + + #+RESULTS: + #+begin_example + # extended LDIF + # + # LDAPv3 + # base with scope subtree + # filter: (&(objectClass=Group)(msSFU30GidNumber=*)(cn=p1299*)) + # requesting: ALL + # + + # p12990, Groups, Experiment, IT, d.psi.ch + dn: CN=p12990,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + objectClass: top + objectClass: group + cn: p12990 + distinguishedName: CN=p12990,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + instanceType: 4 + whenCreated: 20160215133748.0Z + whenChanged: 20160215133757.0Z + uSNCreated: 817286825 + uSNChanged: 817286825 + name: p12990 + objectGUID:: e0ffV/01TEOscX9xFanuew== + objectSid:: AQUAAAAAAAUVAAAAeC6dE5Mx2hxDFwoy+w4BAA== + sAMAccountName: p12990 + sAMAccountType: 268435456 + groupType: -2147483646 + objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch + dSCorePropagationData: 16010101000000.0Z + msSFU30GidNumber: 12990 + gidNumber: 12990 + + # p12991, Groups, Experiment, IT, d.psi.ch + dn: CN=p12991,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + objectClass: top + objectClass: group + cn: p12991 + distinguishedName: CN=p12991,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + instanceType: 4 + whenCreated: 20160215133751.0Z + whenChanged: 20160215133758.0Z + uSNCreated: 817287915 + uSNChanged: 817287915 + name: p12991 + objectGUID:: 9+o2BvtkMkK3pDPbQrTyPw== + objectSid:: AQUAAAAAAAUVAAAAeC6dE5Mx2hxDFwoyLRMBAA== + sAMAccountName: p12991 + sAMAccountType: 268435456 + groupType: -2147483646 + objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch + dSCorePropagationData: 16010101000000.0Z + msSFU30GidNumber: 12991 + gidNumber: 12991 + + # p12992, Groups, Experiment, IT, d.psi.ch + dn: 
CN=p12992,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + objectClass: top + objectClass: group + cn: p12992 + distinguishedName: CN=p12992,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + instanceType: 4 + whenCreated: 20160215133755.0Z + whenChanged: 20160215133758.0Z + uSNCreated: 817289293 + uSNChanged: 817289293 + name: p12992 + objectGUID:: llozR0I690u3dIbXoLFdpg== + objectSid:: AQUAAAAAAAUVAAAAeC6dE5Mx2hxDFwoyhBgBAA== + sAMAccountName: p12992 + sAMAccountType: 268435456 + groupType: -2147483646 + objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch + dSCorePropagationData: 16010101000000.0Z + msSFU30GidNumber: 12992 + gidNumber: 12992 + + # p12993, Groups, Experiment, IT, d.psi.ch + dn: CN=p12993,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + objectClass: top + objectClass: group + cn: p12993 + distinguishedName: CN=p12993,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + instanceType: 4 + whenCreated: 20160215133755.0Z + whenChanged: 20160215133758.0Z + uSNCreated: 817289294 + uSNChanged: 817289294 + name: p12993 + objectGUID:: QY8deD1SsUaP+G9ShR3+5A== + objectSid:: AQUAAAAAAAUVAAAAeC6dE5Mx2hxDFwoyhRgBAA== + sAMAccountName: p12993 + sAMAccountType: 268435456 + groupType: -2147483646 + objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch + dSCorePropagationData: 16010101000000.0Z + msSFU30GidNumber: 12993 + gidNumber: 12993 + + # p12994, Groups, Experiment, IT, d.psi.ch + dn: CN=p12994,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + objectClass: top + objectClass: group + cn: p12994 + distinguishedName: CN=p12994,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + instanceType: 4 + whenCreated: 20160215133757.0Z + whenChanged: 20160215133759.0Z + uSNCreated: 817289842 + uSNChanged: 817289842 + name: p12994 + objectGUID:: rsAueF9W2kaQ2VW/Qtp1wg== + objectSid:: AQUAAAAAAAUVAAAAeC6dE5Mx2hxDFwoypBoBAA== + sAMAccountName: p12994 + sAMAccountType: 268435456 + groupType: -2147483646 + objectCategory: 
CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch + dSCorePropagationData: 16010101000000.0Z + msSFU30GidNumber: 12994 + gidNumber: 12994 + + # p12995, Groups, Experiment, IT, d.psi.ch + dn: CN=p12995,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + objectClass: top + objectClass: group + cn: p12995 + distinguishedName: CN=p12995,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + instanceType: 4 + whenCreated: 20160215133757.0Z + whenChanged: 20160215133759.0Z + uSNCreated: 817289843 + uSNChanged: 817289843 + name: p12995 + objectGUID:: xEDgBQTscEennB8f7HnrJg== + objectSid:: AQUAAAAAAAUVAAAAeC6dE5Mx2hxDFwoypRoBAA== + sAMAccountName: p12995 + sAMAccountType: 268435456 + groupType: -2147483646 + objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch + dSCorePropagationData: 16010101000000.0Z + msSFU30GidNumber: 12995 + gidNumber: 12995 + + # p12996, Groups, Experiment, IT, d.psi.ch + dn: CN=p12996,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + objectClass: top + objectClass: group + cn: p12996 + distinguishedName: CN=p12996,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + instanceType: 4 + whenCreated: 20160215133757.0Z + whenChanged: 20160215133759.0Z + uSNCreated: 817289844 + uSNChanged: 817289844 + name: p12996 + objectGUID:: rzV1wOhoZ0GgI9B9Of+oFA== + objectSid:: AQUAAAAAAAUVAAAAeC6dE5Mx2hxDFwoyphoBAA== + sAMAccountName: p12996 + sAMAccountType: 268435456 + groupType: -2147483646 + objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch + dSCorePropagationData: 16010101000000.0Z + msSFU30GidNumber: 12996 + gidNumber: 12996 + + # p12997, Groups, Experiment, IT, d.psi.ch + dn: CN=p12997,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + objectClass: top + objectClass: group + cn: p12997 + distinguishedName: CN=p12997,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + instanceType: 4 + whenCreated: 20160215133757.0Z + whenChanged: 20160215133759.0Z + uSNCreated: 817289845 + uSNChanged: 817289845 + name: p12997 + objectGUID:: 
15jnQe7x7kubD0LVnwGhWA== + objectSid:: AQUAAAAAAAUVAAAAeC6dE5Mx2hxDFwoypxoBAA== + sAMAccountName: p12997 + sAMAccountType: 268435456 + groupType: -2147483646 + objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch + dSCorePropagationData: 16010101000000.0Z + msSFU30GidNumber: 12997 + gidNumber: 12997 + + # p12998, Groups, Experiment, IT, d.psi.ch + dn: CN=p12998,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + objectClass: top + objectClass: group + cn: p12998 + distinguishedName: CN=p12998,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + instanceType: 4 + whenCreated: 20160215133757.0Z + whenChanged: 20160215133759.0Z + uSNCreated: 817289846 + uSNChanged: 817289846 + name: p12998 + objectGUID:: K0QCSvfKY0+8xBfUx/sp1A== + objectSid:: AQUAAAAAAAUVAAAAeC6dE5Mx2hxDFwoyqBoBAA== + sAMAccountName: p12998 + sAMAccountType: 268435456 + groupType: -2147483646 + objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch + dSCorePropagationData: 16010101000000.0Z + msSFU30GidNumber: 12998 + gidNumber: 12998 + + # p12999, Groups, Experiment, IT, d.psi.ch + dn: CN=p12999,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + objectClass: top + objectClass: group + cn: p12999 + distinguishedName: CN=p12999,OU=Groups,OU=Experiment,OU=IT,DC=d,DC=psi,DC=ch + instanceType: 4 + whenCreated: 20160215133757.0Z + whenChanged: 20160215133759.0Z + uSNCreated: 817289847 + uSNChanged: 817289847 + name: p12999 + objectGUID:: anjZfy8W60q3HPN+CtQXlQ== + objectSid:: AQUAAAAAAAUVAAAAeC6dE5Mx2hxDFwoyqRoBAA== + sAMAccountName: p12999 + sAMAccountType: 268435456 + groupType: -2147483646 + objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=d,DC=psi,DC=ch + dSCorePropagationData: 16010101000000.0Z + msSFU30GidNumber: 12999 + gidNumber: 12999 + + # search reference + ref: ldaps://d.psi.ch/CN=Configuration,DC=d,DC=psi,DC=ch + + # search result + search: 2 + result: 0 Success + + # numResponses: 12 + # numEntries: 10 + # numReferences: 1 + #+end_example + + I implemented a 
workaround by filtering out the None elements. + +
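Review bot: The `ldapsearch` example added to todo.org passes what looks like a real bind password in its `-w '...'` argument, next to the service account's full DN in `-D`, so this commit publishes a usable directory credential to everyone who can read the repository. Replace the value with a placeholder such as `-w '<BIND_PASSWORD>'`, or use `-W` (prompt) or `-y <passwordfile>` so that no secret is written into the file. The account's password should also be rotated, because deleting the line in a later commit does not remove it from history. The pasted result dump additionally records objectSid and objectGUID values and internal host names; trimming it to the two `(None, [...])` reference entries would still document the bug.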