-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(external-domain): add scripts for validating and altering extern…
…al LDAP domains
- Loading branch information
Showing
3 changed files
with
267 additions
and
0 deletions.
There are no files selected for viewing
59 changes: 59 additions & 0 deletions
59
...ageroot/var/lib/nethserver/cluster/actions/alter-external-domain/10validate_ldap_provider
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| #!/usr/bin/env python3 | ||
|
|
||
| # | ||
| # Copyright (C) 2021 Nethesis S.r.l. | ||
| # http://www.nethesis.it - [email protected] | ||
| # | ||
| # This script is part of NethServer. | ||
| # | ||
| # NethServer is free software: you can redistribute it and/or modify | ||
| # it under the terms of the GNU General Public License as published by | ||
| # the Free Software Foundation, either version 3 of the License, | ||
| # or any later version. | ||
| # | ||
| # NethServer is distributed in the hope that it will be useful, | ||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| # GNU General Public License for more details. | ||
| # | ||
| # You should have received a copy of the GNU General Public License | ||
| # along with NethServer. If not, see COPYING. | ||
| # | ||
|
|
||
| import sys | ||
| import json | ||
| import agent | ||
| import os | ||
| import cluster.userdomains | ||
|
|
||
| # | ||
| # Sample request: | ||
| # { | ||
| # "domain":"example.com", | ||
| # "protocol": "ldap", | ||
| # "host":"18.19.20.21", | ||
| # "port": 636, | ||
| # "schema": "rfc2307", | ||
| # "bind_dn": "cn=ldapservice,dc=example,dc=com", | ||
| # "bind_password": "s3cret", | ||
| # "base_dn": "dc=example,dc=com", | ||
| # "tls": true, | ||
| # "tls_verify": true | ||
| # } | ||
| request = json.load(sys.stdin) | ||
|
|
||
| domain = request['domain'] | ||
| protocol = request['protocol'] | ||
|
|
||
| agent.set_weight(os.path.basename(__file__), 0) # Validation step, no task progress at all | ||
|
|
||
| if protocol == 'ldap': | ||
| errors, logex = cluster.userdomains.validate_ldap(request) | ||
|
|
||
| if logex: | ||
| print(agent.SD_ERR + f"{logex.__class__.__name__}: {logex}", file=sys.stderr) | ||
|
|
||
| if errors: | ||
| agent.set_status('validation-failed') | ||
| json.dump(errors, fp=sys.stdout) | ||
| sys.exit(3) |
68 changes: 68 additions & 0 deletions
68
core/imageroot/var/lib/nethserver/cluster/actions/alter-external-domain/50add_ldap_domain
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| #!/usr/bin/env python3 | ||
|
|
||
| # | ||
| # Copyright (C) 2021 Nethesis S.r.l. | ||
| # http://www.nethesis.it - [email protected] | ||
| # | ||
| # This script is part of NethServer. | ||
| # | ||
| # NethServer is free software: you can redistribute it and/or modify | ||
| # it under the terms of the GNU General Public License as published by | ||
| # the Free Software Foundation, either version 3 of the License, | ||
| # or any later version. | ||
| # | ||
| # NethServer is distributed in the hope that it will be useful, | ||
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| # GNU General Public License for more details. | ||
| # | ||
| # You should have received a copy of the GNU General Public License | ||
| # along with NethServer. If not, see COPYING. | ||
| # | ||
|
|
||
| import sys | ||
| import json | ||
| import agent | ||
| import cluster.userdomains | ||
| import os | ||
|
|
||
| # | ||
| # Sample request: | ||
| # { | ||
| # "domain":"example.com", | ||
| # "protocol": "ldap", | ||
| # "host":"18.19.20.21", | ||
| # "port": 636, | ||
| # "schema": "rfc2307", | ||
| # "bind_dn": "cn=ldapservice,dc=example,dc=com", | ||
| # "bind_password": "s3cret", | ||
| # "base_dn": "dc=example,dc=com", | ||
| # "tls": true, | ||
| # "tls_verify": true | ||
| # } | ||
| request = json.load(sys.stdin) | ||
| domain = request['domain'] | ||
| protocol = request['protocol'] | ||
|
|
||
| rdb = agent.redis_connect(privileged=True) | ||
|
|
||
| if protocol == 'ldap': | ||
| trx = rdb.pipeline() | ||
| trx.hset(f"cluster/user_domain/ldap/{domain}/conf", mapping={ | ||
| 'schema': request.get('schema') or cluster.userdomains.probe_ldap_schema(request), | ||
| 'bind_dn': request['bind_dn'], | ||
| 'bind_password': request['bind_password'], | ||
| 'base_dn': request['base_dn'] or cluster.userdomains.probe_ldap_basedn(request), | ||
| 'tls': 'on' if request['tls'] else 'off', | ||
| 'tls_verify': 'on' if request['tls_verify'] else 'off', | ||
| }) | ||
| trx.rpush(f"cluster/user_domain/ldap/{domain}/providers", f"{request['host']}:{request['port']}") | ||
|
|
||
| # | ||
| # Advertise new account provider setup | ||
| # | ||
| trx.publish(os.getenv('AGENT_ID') + '/event/ldap-provider-changed', json.dumps({ | ||
| 'domain': domain, | ||
| 'key': f"cluster/user_domain/ldap/{domain}/providers", | ||
| })) | ||
| trx.execute() |
140 changes: 140 additions & 0 deletions
140
core/imageroot/var/lib/nethserver/cluster/actions/alter-external-domain/validate-input.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,140 @@ | ||
| { | ||
| "$schema": "http://json-schema.org/draft-07/schema#", | ||
| "title": "alter-external-domain input", | ||
| "description": "Configure an external user domain", | ||
| "$id": "http://schema.nethserver.org/cluster/alter-external-domain-input.json", | ||
| "examples": [ | ||
| { | ||
| "domain": "example.com", | ||
| "protocol": "ldap", | ||
| "host": "18.19.20.21", | ||
| "port": 636, | ||
| "schema": "rfc2307", | ||
| "bind_dn": "cn=ldapservice,dc=example,dc=com", | ||
| "bind_password": "s3cret", | ||
| "base_dn": "dc=example,dc=com", | ||
| "tls": true, | ||
| "tls_verify": true | ||
| } | ||
| ], | ||
| "type": "object", | ||
| "required": [ | ||
| "domain", | ||
| "protocol" | ||
| ], | ||
| "properties": { | ||
| "domain": { | ||
| "type": "string", | ||
| "title": "User domain name", | ||
| "minLength": 1 | ||
| }, | ||
| "protocol": { | ||
| "type": "string", | ||
| "title": "Provider protocol", | ||
| "description": "Protocol used to communicate with the domain providers.", | ||
| "enum": [ | ||
| "ldap" | ||
| ] | ||
| } | ||
| }, | ||
| "anyOf": [ | ||
| { | ||
| "not": { | ||
| "type": "object", | ||
| "title": "Protocol property is ldap", | ||
| "properties": { | ||
| "protocol": { | ||
| "type": "string", | ||
| "const": "ldap" | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "type": "object", | ||
| "title": "LDAP-specific subschemas", | ||
| "allOf": [ | ||
| { | ||
| "$ref": "#/$defs/tcp-service-endpoint" | ||
| }, | ||
| { | ||
| "$ref": "#/$defs/additional-properties-of-ldap" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "$defs": { | ||
| "tcp-service-endpoint": { | ||
| "type": "object", | ||
| "title": "TCP service endpoint", | ||
| "description": "Initial TCP backend endpoint configuration", | ||
| "properties": { | ||
| "host": { | ||
| "type": "string", | ||
| "oneOf": [ | ||
| { | ||
| "format": "hostname" | ||
| }, | ||
| { | ||
| "format": "ipv6" | ||
| } | ||
| ] | ||
| }, | ||
| "port": { | ||
| "type": "integer", | ||
| "minimum": 1, | ||
| "maximum": 65535 | ||
| } | ||
| }, | ||
| "required": [ | ||
| "host", | ||
| "port" | ||
| ] | ||
| }, | ||
| "additional-properties-of-ldap": { | ||
| "type": "object", | ||
| "title": "LDAP domain properties", | ||
| "description": "Additional required properties of LDAP-based domains", | ||
| "properties": { | ||
| "schema": { | ||
| "type": [ | ||
| "string", | ||
| "null" | ||
| ], | ||
| "title": "LDAP database schema", | ||
| "description": "The LDAP schema is probed automatically if the value is `null` or the property is missing", | ||
| "enum": [ | ||
| "ad", | ||
| "rfc2307" | ||
| ] | ||
| }, | ||
| "base_dn": { | ||
| "title": "Base DN", | ||
| "description": "The LDAP base DN is probed automatically if the value is `\"\"` (empty string)", | ||
| "type": "string" | ||
| }, | ||
| "bind_dn": { | ||
| "type": "string", | ||
| "minLength": 1 | ||
| }, | ||
| "bind_password": { | ||
| "type": "string", | ||
| "minLength": 1 | ||
| }, | ||
| "tls": { | ||
| "type": "boolean" | ||
| }, | ||
| "tls_verify": { | ||
| "type": "boolean" | ||
| } | ||
| }, | ||
| "required": [ | ||
| "base_dn", | ||
| "bind_dn", | ||
| "bind_password", | ||
| "tls", | ||
| "tls_verify" | ||
| ] | ||
| } | ||
| } | ||
| } |