first commit

thorin · thorin · commit 0966525240c0 · 2011-07-06T21:08:20.000+02:00
diff --git a/LICENSE b/LICENSE
diff --git a/README.md b/README.md
@@ -0,0 +1,48 @@
+Redmin Ldap Sync
+================
+
+This plugins extends redmine's ldap authentication to perform group synchronization.
+In addition it provides a rake task to perform full user group synchronization.
+
+The following should be noted:
+
+* The plugin has only been tested with Active Directory.
+* It detects and disables users that have been marked as disabled on LDAP (see [MS KB Article 305144][uacf] for more details).
+* An user will only be removed from groups that exist on LDAP. This means that both ldap and non-ldap groups can coexist.
+* Deleted groups on LDAP will not be deleted on redmine.
+
+Installation
+------------
+
+Follow the plugin installation procedure described at www.redmine.org/wiki/redmine/Plugins
+
+Usage
+-----
+
+### Configuration
+
+Open Administration > Plugins and on the plugin configuration page you'll be able to set for each LDAP authentication:
+
+* *Active* - Enable/Disable user/group synchronization for this LDAP authentication
+* *Group base DN* - The path to where the groups located. Eg, `ou=people,dc=smokeyjoe,dc=com`
+* *Group name* - The ldap attribute from where to fetch the group's name. Eg, `sAMAccountName`
+* *Group regex filter* - (optional) An RegExp that should match up with the name of the groups that should be imported. Eg, `\.team$`.
+* *Domain group* - (optional) A group to wich all the users created from this LDAP authentication will added upon creation. The group should not exist on LDAP.
+
+### Full user/group synchronization with rake
+
+To do the full user synchronization execute the following:
+
+    rake redmine:plugins:redmine_ldap_sync:sync_users RAILS_ENV=production
+
+
+An alternative is to do it periodically with a cron task:
+
+    # Synchronize users with ldap @ every 60 minutes
+    35 *            * * *   root /usr/bin/rake -f /opt/redmine/Rakefile --silent redmine:plugins:redmine_ldap_sync:sync_users RAILS_ENV=production
+
+License
+-------
+This plugin is released under the GPL v3 license. See LICENSE for more information.
+
+[uacf]: http://support.microsoft.com/kb/305144
diff --git a/app/views/settings/_ldap_sync_settings.html.erb b/app/views/settings/_ldap_sync_settings.html.erb
@@ -0,0 +1,30 @@
+<% AuthSourceLdap.all.each do |ldap| -%>
+<fieldset class="collapsible">
+  <legend onclick="toggleFieldset(this);"><%= ldap.name %></legend>
+  <div>
+    <p>
+      <label><%= l(:ldap_domain_label_active)%></label>
+      <%= check_box_tag "settings[#{ldap.name}][active]", 'yes', (@settings[ldap.name][:active] if @settings[ldap.name]) %>
+    </p>
+
+    <p>
+      <label><%= l(:ldap_domain_label_groups_base_dn) %> <span class="required">*</span></label>
+      <%= text_field_tag "settings[#{ldap.name}][groups_base_dn]", (@settings[ldap.name][:groups_base_dn] if @settings[ldap.name]), :size => 60 %>
+    </p>
+
+    <p>
+      <label><%= l(:ldap_domain_label_attr_groupname) %> <span class="required">*</span></label>
+      <%= text_field_tag "settings[#{ldap.name}][attr_groupname]", (@settings[ldap.name][:attr_groupname] if @settings[ldap.name]), :size => 15 %>
+    </p>
+
+    <p>
+      <label><%= l(:ldap_domain_label_groupname_filter) %></label>
+      <%= text_field_tag "settings[#{ldap.name}][groupname_filter]", (@settings[ldap.name][:groupname_filter] if @settings[ldap.name]), :size => 15 %>
+    </p>
+    <p>
+      <label><%= l(:ldap_domain_label_domain_group) %></label>
+      <%= text_field_tag "settings[#{ldap.name}][domain_group]", (@settings[ldap.name][:domain_group] if @settings[ldap.name]), :size => 15 %>
+    </p>
+  </div>
+</fieldset>
+<%- end %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -0,0 +1,6 @@
+en:
+  ldap_domain_label_active: "Active"
+  ldap_domain_label_groups_base_dn: "Groups base DN"
+  ldap_domain_label_attr_groupname: "Group name"
+  ldap_domain_label_groupname_filter: "Group regex filter" 
+  ldap_domain_label_domain_group: "Domain group" 
diff --git a/config/locales/es.yml b/config/locales/es.yml
@@ -0,0 +1,6 @@
+es:
+  ldap_domain_label_active: "Activo"
+  ldap_domain_label_groups_base_dn: "Base DN de grupos"
+  ldap_domain_label_attr_groupname: "Nombre del grupo"
+  ldap_domain_label_groupname_filter: "Filtro regex de grupos"
+  ldap_domain_label_domain_group: "Grupo del dominio"
diff --git a/config/locales/pt.yml b/config/locales/pt.yml
@@ -0,0 +1,6 @@
+pt:
+  ldap_domain_label_active: "Activo"
+  ldap_domain_label_groups_base_dn: "Base DN de grupos"
+  ldap_domain_label_attr_groupname: "Nome do grupo"
+  ldap_domain_label_groupname_filter: "Filtro regex de grupos"
+  ldap_domain_label_domain_group: "Grupo do dominio"
diff --git a/init.rb b/init.rb
@@ -0,0 +1,29 @@
+require 'redmine'
+require 'dispatcher'
+
+RAILS_DEFAULT_LOGGER.info 'Starting Redmine Ldap Sync plugin for RedMine'
+
+Redmine::Plugin.register :redmine_ldap_sync do
+  name 'Redmine - Ldap Sync'
+  author 'Ricardo Santos'
+  author_url 'mailto:Ricardo Santos <ricardo.santos@vilt-group.com>?subject=redmine_ldap_sync'
+  description 'Syncs users and groups with ldap'
+  url 'https://github.com/thorin/redmine_ldap_sync'
+  version '1.0.0'
+  requires_redmine :version_or_higher => '1.1.0'
+
+  
+  settings :default => HashWithIndifferentAccess.new(), :partial => 'settings/ldap_sync_settings'
+end
+
+Dispatcher.to_prepare :redmine_ldap_sync do
+  unless AuthSourceLdap.include? RedmineLdapSync::RedmineExt::AuthSourceLdapPatch
+    AuthSourceLdap.send(:include, RedmineLdapSync::RedmineExt::AuthSourceLdapPatch)
+  end
+  unless User.include? RedmineLdapSync::RedmineExt::UserPatch
+    User.send(:include, RedmineLdapSync::RedmineExt::UserPatch)
+  end
+end
+
+# Hooks
+require 'redmine_ldap_sync/redmine_hooks'
diff --git a/lib/redmine_ldap_sync/redmine_ext/auth_source_ldap_patch.rb b/lib/redmine_ldap_sync/redmine_ext/auth_source_ldap_patch.rb
@@ -0,0 +1,140 @@
+module RedmineLdapSync
+  module RedmineExt
+    module AuthSourceLdapPatch
+      def self.included(base)
+        base.class_eval do
+
+          public
+          def member_of?(login, group)
+            ldap_con = initialize_ldap_con(self.account, self.account_password)
+            login_filter = Net::LDAP::Filter.eq( self.attr_login, login )
+            user_filter = Net::LDAP::Filter.eq( 'objectClass', 'user' )
+
+            ldap_con.search(:base => self.base_dn,
+                       :filter => user_filter & login_filter,
+                       :attributes => ['memberof'],
+                       :return_result => false) do |entry|
+              return entry['memberof'].include? group
+            end
+
+          end
+
+
+          def sync_groups(user)
+            return unless ldapsync_active?
+
+            changes = groups_changes(user)
+            changes[:added].each do |groupname|
+              next if user.groups.detect { |g| g.to_s == groupname }
+
+              group = Group.find_by_lastname(groupname)
+              group = Group.create(:lastname => groupname, :auth_source_id => self.id) unless group
+              group.users << user
+            end
+
+            changes[:deleted].each do |groupname|
+              next unless group = user.groups.detect { |g| g.to_s == groupname }
+
+              group.users.delete(user)
+            end
+          end
+
+          def sync_users
+            return unless ldapsync_active?
+
+            ldap_users[:disabled].each do |login|
+              user = User.find_by_login(login)
+
+              user.lock! if user
+            end
+            ldap_users[:enabled].each do |login|
+              user = User.find_by_login(login)
+
+              unless user
+                attrs = get_user_dn(login)    
+                user = User.create(attrs.except(:dn)) do |user|
+                  user.login = login
+                  user.language = Setting.default_language
+                end
+              end
+              
+              sync_groups(user)
+            end
+          end
+
+          protected
+          def ldap_users
+            ldap_con = initialize_ldap_con(self.account, self.account_password)
+            user_filter = Net::LDAP::Filter.eq( 'objectClass', 'user' )
+            attr_enabled = 'userAccountControl'
+            users = {:enabled => [], :disabled => []}
+            
+            ldap_con.search(:base => self.base_dn,
+                            :filter => user_filter,
+                            :attributes => [self.attr_login, attr_enabled],
+                            :return_result => false) do |entry|
+              if entry[attr_enabled][0].to_i & 2 == 0
+                users[:enabled] << entry[self.attr_login][0]
+              else
+                users[:disabled] << entry[self.attr_login][0]
+              end
+            end
+
+            users
+          end
+
+          def groups_changes(user)
+            return unless ldapsync_active?
+            changes = { :added => [], :deleted => [] }
+
+            ldap_con = initialize_ldap_con(self.account, self.account_password)
+            login_filter = Net::LDAP::Filter.eq( self.attr_login, user.login )
+            user_filter = Net::LDAP::Filter.eq( 'objectClass', 'user' )
+            group_filter = Net::LDAP::Filter.eq( 'objectClass', 'group' )
+            attr_groupname = Setting.plugin_redmine_ldap_sync[self.name][:attr_groupname]
+            groupname_filter = /#{Setting.plugin_redmine_ldap_sync[self.name][:groupname_filter]}/
+            groups_base_dn = Setting.plugin_redmine_ldap_sync[self.name][:groups_base_dn]
+
+            # Faster, but requires all groups to be added to redmine with sync_groups
+            #changes[:deleted] = user.groups.reject{|g| g.auth_source_id != self.id}.map(&:to_s) if user.groups
+            ldap_con.open do |ldap|
+              user_groups = user.groups.select {|g| groupname_filter =~ g.to_s}
+              names_filter = user_groups.map {|g| Net::LDAP::Filter.eq( attr_groupname, g.to_s )}.reduce(:|)
+              ldap.search(:base => groups_base_dn,
+                          :filter => group_filter & names_filter,
+                          :attributes => [attr_groupname],
+                          :return_result => false) do |entry|
+                changes[:deleted] << entry[attr_groupname][0]
+              end if names_filter
+
+              groups = []
+              ldap.search(:base => self.base_dn,
+                          :filter => user_filter & login_filter,
+                          :attributes => ['memberof'],
+                          :return_result => false) do |entry|
+                groups = entry['memberof'].select {|g| g.end_with?(groups_base_dn)}
+              end
+
+              names_filter = groups.map{|g| Net::LDAP::Filter.eq( 'distinguishedName', g )}.reduce(:|)
+              ldap.search(:base => groups_base_dn,
+                          :filter => group_filter & names_filter,
+                          :attributes => [attr_groupname],
+                          :return_result => false) do |entry|
+                group = entry[attr_groupname][0]
+                changes[:added] << group if groupname_filter =~ group
+              end if names_filter
+            end
+
+            changes[:deleted].reject! {|g| changes[:added].include?(g)}
+
+            changes
+          end
+          
+          def ldapsync_active?
+            Setting.plugin_redmine_ldap_sync[self.name].present? && Setting.plugin_redmine_ldap_sync[self.name][:active]
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/redmine_ldap_sync/redmine_ext/user_patch.rb b/lib/redmine_ldap_sync/redmine_ext/user_patch.rb
@@ -0,0 +1,25 @@
+module RedmineLdapSync
+  module RedmineExt
+    module UserPatch
+      def self.included(base)
+        base.class_eval do
+          after_create :add_to_domain_group
+          
+          def add_to_domain_group
+            return unless auth_source && auth_source.auth_method_name == 'LDAP'
+
+            group_name = Setting.plugin_redmine_ldap_sync[auth_source.name][:domain_group]
+            return unless group_name.present?
+
+            domain_group = Group.find_by_lastname(group_name)
+            domain_group = Group.create(:lastname => group_name) unless domain_group
+            domain_group.users << self
+            
+            save
+          end
+
+        end
+      end
+    end
+  end
+end
diff --git a/lib/redmine_ldap_sync/redmine_hooks.rb b/lib/redmine_ldap_sync/redmine_hooks.rb
@@ -0,0 +1,9 @@
+class RedmineLdapSyncRedmineHooks < Redmine::Hook::Listener
+  def controller_account_success_authentication_after(context)
+    user = context[:user]
+
+    if user.auth_source && user.auth_source.auth_method_name == 'LDAP'
+      user.auth_source.sync_groups(user)
+    end
+  end
+end
diff --git a/lib/tasks/sync_users.rake b/lib/tasks/sync_users.rake
@@ -0,0 +1,11 @@
+namespace :redmine do
+  namespace :plugins do
+    namespace :redmine_ldap_sync do
+      desc "Synchronize redmine's users and groups with those on LDAP"
+        task :sync_users => :environment do
+          AuthSourceLdap.all.each {|as| as.sync_users}
+        end
+    end
+  end
+end
+
