Patch #4755: Create and maintain groups from LDAP attributes
Status: open, 80% done
Description
- ou (the organisational unit(s) the person is associated with)
- businessCategory (the type of user: employee, guest, …)
I decided to write the following patch to automatically create and update group information for every user whenever she logs in, in order to avoid having to extract all the information regularly from LDAP, keeping in the spirit of on-the-fly creation of user accounts.
Challenges
During the implementation, I was facing the following problems:
- I wanted to have both attributes available for group creation, both independently and as a cross product (i.e., being able to add all employees or everyone from orgUnit1 to the project, but also have the option to add only the employees of orgUnit1 to some project)
- Our ou names are very long (some approaching 60 characters), but the lastname field of the User (which is where the group names are stored for the Group subclass/subtype of User) is limited to 30 characters. I did not want to change that part of the model, so I am shortening LDAP group names on import.
Functionality implemented
There are 5 additional fields in auth_source:
- attr_groups: The name of the attribute containing group information (in our case: ou)
- attr_groups2: The name of an optional second attribute containing other group information (in our case: businessCategory)
- None, either, or both of the above can be empty, if they are not required
- group_prefix: A character sequence you might want to prefix to the group names which are thus automatically generated (default: "_")
- cross_product: When this is false, only the group names based on attr_groups and attr_groups2 are included. When this is set to true, additionally the concatenations of group names derived from attr_groups and attr_groups2 (separated by group_separator) are included
- group_separator: The separator to use if cross-products should be created
Groups created like that will have their auth_source set accordingly. Groups with their auth_source set will have an appropriate note attached in the list and edit views, and their name is not editable. LDAP-maintained groups are automatically deleted when they are no longer necessary (triggered on login).
The group list view provides a "Refresh groups" button for each LDAP source with group update activated. It is not strictly necessary, as membership will be updated on the next login of that user anyway, but it might be helpful to see what effect your changes have or make membership updates visible immediately (as opposed to waiting for the next login of this user/these users).
The messages are available in English and German. Feel free to provide other languages as well :-).
Code overview
Here is a short run-down of what the code provides:
- Two migration files to add the required attributes
- auth_source_ldap.rb has the following new features:
  - a method get_attributes which fetches the LDAP attributes for a specified user (does not test for authentication)
  - a method build_names to construct the names of the groups that should be associated with
  - Two classes, FakeLdapCon and FakeLdapEntry, which are helpful when trying to experiment with LDAP attributes (they do not require an LDAP server)
- user.rb has the following new features:
  - Can store group_names temporarily (needed to get things working with a consistent implementation for normal login, auto-relogin, and on-the-fly creation of users, and to save a few round-trips to LDAP)
  - a method refresh_group_memberships to update the group membership information based on what was returned by LDAP
- group.rb was changed as follows:
  - Contains a new class method, shorten_lastname, to (nicely, IMHO) shorten group names when the names in LDAP exceed the length limit
  - Two new methods, size_and_updated_by_string and updated_by_string, to simplify the form rendering routines
- auth_sources_controller.rb now includes a method for the "refresh groups" button described above
- auth_sources/list.rhtml and auth_sources/_form.rhtml provide the UI for this button and the new group fields
- groups/index.html.erb and groups/_form.html.erb provide the UI changes for the automatic groups
- locales/en.yml and locales/de.yml have the text elements for the new UI
- migrate/20100207220329_extend_ldap_groups.rb and migrate/20100204211355_add_ldap_group_support.rb are the two new migrations (I did the implementation in two stages)
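As an added illustration of the refresh_group_memberships step described above (not the patch's code; the Group struct and the in-memory group list are assumptions standing in for the Redmine models), the snippet below reconciles a user's LDAP-maintained groups with the names just computed from LDAP, leaves groups without an auth_source untouched, and drops LDAP-maintained groups that have become empty.

```ruby
# Added illustration (not the patch's refresh_group_memberships):
# reconcile one user's memberships with the group names LDAP returned now.
Group = Struct.new(:name, :auth_source_id, :members)

LDAP_SOURCE_ID = 1 # constructed id of the LDAP auth source

# groups: all groups known to the system; user: login string;
# wanted: group names just computed from the user's LDAP attributes.
# Only groups whose auth_source matches are created, joined, left or
# deleted; manually maintained groups survive an LDAP refresh unchanged.
def refresh_group_memberships(groups, user, wanted, source_id: LDAP_SOURCE_ID)
  managed = groups.select { |g| g.auth_source_id == source_id }
  # Create LDAP-maintained groups that do not exist yet
  (wanted - managed.map(&:name)).each do |name|
    g = Group.new(name, source_id, [])
    groups << g
    managed << g
  end
  managed.each do |g|
    if wanted.include?(g.name)
      g.members |= [user]     # add membership (idempotent)
    else
      g.members.delete(user)  # membership no longer backed by LDAP
    end
  end
  # LDAP-maintained groups nobody belongs to any more are no longer needed
  groups.reject! { |g| g.auth_source_id == source_id && g.members.empty? }
  groups
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample state, not real data
  groups = [Group.new('devs', nil, ['alice']),
            Group.new('_old', LDAP_SOURCE_ID, ['alice']),
            Group.new('_ou1', LDAP_SOURCE_ID, ['bob'])]
  refresh_group_memberships(groups, 'alice', ['_ou1', '_ou2']).each do |g|
    puts "#{g.name} (source #{g.auth_source_id.inspect}): #{g.members.join(', ')}"
  end
end
```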
The patch
The patch includes a better version of #4643 (Allow on-the-fly creation on member addition), as I was unhappy with the way I originally hacked auth_source_ldap.rb (too much code duplication in my original version). If you do not want that feature, back out the change to members_controller.rb after applying the patch. Also, the change to auth_source.rb (new class methods import and get_data) is only strictly required when on-the-fly project member addition is needed.
The patch does not include #4732 (Make login case-insensitive also for PostgreSQL), although line numbers might reflect that change.
The patch is against 0.9.0rc.
Trunk integration?
Jean-Philippe et al.: What is required to get this code integrated into trunk? I think that LDAP integration without something like this is severely limited and thus this should be included.