
  1  #!/usr/bin/env python 
  2  """ 
  3     User administration plugin (LDAP extension) 
  4   
  5     Copyright 2011 Glencoe Software, Inc. All rights reserved. 
  6     Use is subject to license terms supplied in LICENSE.txt 
  7   
  8  """ 
  9   
 10  import os 
 11  import sys 
 12   
 13  from omero.cli import BaseControl, CLI, ExceptionHandler 
 14  from omero.rtypes import unwrap as _ 
 15   
# Top-level help text for ``bin/omero ldap``; it is also the HELP passed to
# ``register()`` at the bottom of this module.  Note the exit-code contract the
# examples rely on: ``active`` and ``getdn`` exit non-zero when LDAP is not
# configured / no DN is set, so they can be chained with ``||``.
HELP = """Administrative support for managing users' LDAP settings.

Most of these commands should be run as an OMERO administrator such
as root.

Examples:

  bin/omero login root
  bin/omero ldap active
  bin/omero ldap active     || echo "Not active!"
  bin/omero ldap list
  bin/omero ldap getdn jack
  bin/omero ldap getdn beth || echo "No DN"
  bin/omero ldap setdn jack uid=me,ou=example,o=com
  bin/omero ldap setdn jack ""                        # Disables LDAP login.
  bin/omero ldap discover --commands                  # Requires "ldap" module

"""
 34   
 35   
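class LdapControl(BaseControl):
    """CLI control for the ``bin/omero ldap`` sub-commands.

    Sub-commands: ``active`` (is LDAP configured?), ``list`` (every user that
    has a DN), ``getdn``/``setdn`` (read or write one user's DN) and
    ``discover`` (search the directory for DNs of existing OMERO logins).
    Every command opens a session with ``self.ctx.conn(args)``; the server
    enforces the admin-only restrictions and each command maps the resulting
    SecurityViolation onto its own exit code (111, 131, 135).  Other exit
    codes: 1 = "No" / no DN set, 134 = unknown user, 155 = python-ldap not
    installed, 156 = ``omero.ldap.user_mapping`` has no ``omeName`` entry.
    """

    # Server properties read by ``discover``; ``_ldap_config`` keys them by
    # their last dotted segment ("urls", "username", "password", ...).
    LDAP_PROPERTIES = (
        "omero.ldap.urls",
        "omero.ldap.username",
        "omero.ldap.password",
        "omero.ldap.base",
        "omero.ldap.user_filter",
        "omero.ldap.user_mapping",
        "omero.ldap.group_filter",
        "omero.ldap.group_mapping",
        "omero.ldap.new_user_group",
    )

    def _configure(self, parser):
        """Register the sub-commands and their arguments on *parser*."""
        self.exc = ExceptionHandler()

        sub = parser.sub()

        # The sub-parser objects for active/list are not needed afterwards, so
        # they are not bound (the original bound one of them to the name
        # ``list``, shadowing the builtin).
        parser.add(sub, self.active,
                   help="Return code shows if LDAP is configured (admins-only)")
        parser.add(sub, self.list, help="List all OMERO users with DNs")

        getdn = parser.add(sub, self.getdn, help="Get DN for user on stdout")
        setdn = parser.add(sub, self.setdn, help="""Set DN for user (admins only)

Once the DN is set for a user, the password set via OMERO is
ignored, and any attempt to change it will result in an error. When
you remove the DN, the previous password will be in effect, but if the
user never had a password, one will need to be set!""")

        for cmd in (getdn, setdn):
            cmd.add_argument("username", help="User's OMERO login name")
        setdn.add_argument(
            "dn",
            help="User's LDAP distinguished name. If empty, LDAP will be disabled for the user")

        discover = parser.add(
            sub, self.discover,
            help="Discover distinguished names for existing OMERO users")
        discover.add_argument(
            "--commands", action="store_true", default=False,
            help="Print setdn commands on standard out")
        discover.add_argument("--urls", help="Override OMERO omero.ldap.urls setting")
        discover.add_argument("--base", help="Override OMERO omero.ldap.base setting")

    def __import_ldap__(self):
        """Import and return the python-ldap module; exit 155 if it is absent.

        Only ImportError is treated as "not installed" -- any other failure
        while importing the module is a real error and propagates.
        """
        try:
            import ldap
        except ImportError:
            self.ctx.die(155, """Python "ldap" module is not installed""")
        return ldap

    def active(self, args):
        """Print "Yes" (exit 0) if LDAP is configured, else exit 1 with "No".

        Exits 111 when the server rejects the call because the session does
        not belong to an administrator.
        """
        import omero

        c = self.ctx.conn(args)
        ildap = c.sf.getLdapService()
        try:
            if ildap.getSetting():
                self.ctx.out("Yes")
            else:
                self.ctx.die(1, "No")
        except omero.SecurityViolation:
            self.ctx.die(111, "SecurityViolation: Admins only!")

    def list(self, args):
        """Print a table (#, Id, OmeName, DN) of every user that has an LDAP DN.

        Exits 131 when the session is not an administrator's.  An id that
        cannot be resolved to an experimenter is reported on stderr and the
        row is skipped; the original fell through and used a stale or unbound
        ``exp`` for that row.
        """
        import omero
        from omero.rtypes import unwrap
        from omero.util.text import TableBuilder

        c = self.ctx.conn(args)
        iadmin = c.sf.getAdminService()
        try:
            dn_user_maps = unwrap(iadmin.lookupLdapAuthExperimenters())
            if dn_user_maps is None:
                return

            tb = TableBuilder("#")
            tb.cols(["Id", "OmeName", "DN"])
            count = 0
            for dn_to_id in dn_user_maps:
                for dn, exp_id in dn_to_id.items():
                    try:
                        exp = iadmin.getExperimenter(exp_id)
                    except Exception:
                        # Best-effort listing: report the broken entry and
                        # carry on with the rest (a SecurityViolation is an
                        # Exception too and keeps the original behaviour).
                        self.ctx.err("Bad experimenter: %s" % exp_id)
                        continue
                    tb.row(count, exp_id, exp.omeName.val, dn)
                    count += 1
            self.ctx.out(str(tb.build()))
        except omero.SecurityViolation:
            self.ctx.die(131, "SecurityViolation: Must be an admin to list DNs")

    def getdn(self, args):
        """Print the DN of ``args.username`` on stdout.

        Exits 134 for an unknown user and 1 (echoing the raw, empty value
        without a newline) when no DN is set, so that
        ``getdn user || ...`` works from a shell.
        """
        import omero

        c = self.ctx.conn(args)
        iadmin = c.sf.getAdminService()
        try:
            exp = iadmin.lookupExperimenter(args.username)
        except omero.ApiUsageException:
            # Same exception ``discover`` treats as "unknown user"; anything
            # else (connection loss etc.) is not an unknown user and propagates.
            self.ctx.die(134, "Unknown user: %s" % args.username)

        dn = iadmin.lookupLdapAuthExperimenter(exp.id.val)
        if dn is not None and dn.strip():
            self.ctx.out(dn)
        else:
            self.ctx.die(1, dn, newline=False)

    def setdn(self, args):
        """Set the LDAP DN of ``args.username``; an empty ``args.dn`` clears it.

        Exits 134 for an unknown user and 135 when the session is not an
        administrator's.  Once a DN is set the user's OMERO password is
        ignored (see the ``setdn`` help text), so this flips the account to
        LDAP-only authentication.
        """
        import omero

        c = self.ctx.conn(args)
        ildap = c.sf.getLdapService()
        iadmin = c.sf.getAdminService()
        try:
            exp = iadmin.lookupExperimenter(args.username)
        except omero.ApiUsageException:
            self.ctx.die(134, "Unknown user: %s" % args.username)

        try:
            ildap.setDN(exp.id, args.dn)
        except omero.SecurityViolation:
            self.ctx.die(135, "SecurityViolation: Admins only!")

    def discover(self, args):
        """Search the configured LDAP directory for DNs of existing OMERO users.

        Every entry under the base DN that matches ``omero.ldap.user_filter``
        is read; the attribute mapped to ``omeName`` in
        ``omero.ldap.user_mapping`` is looked up as an OMERO login.  Logins
        that already have a DN are reported on stderr only when it differs
        from the directory's; logins without one are printed on stdout,
        either as a shell-quoted ``setdn`` command line (``--commands``) or
        as ``Experimenter:<id>\\tomeName=<name>\\t<dn>``.

        ``--urls`` / ``--base`` override the server's settings.  Exits 155
        without python-ldap and 156 when the user mapping has no
        ``omeName`` entry (the original raised a KeyError in that case).
        """
        ldap = self.__import_ldap__()

        c = self.ctx.conn(args)
        iconfig = c.sf.getConfigService()
        iadmin = c.sf.getAdminService()

        cfg = self._ldap_config(iconfig)
        urls = args.urls or cfg["urls"]
        basedn = args.base or cfg["base"]

        omename_attr = self._omename_attribute(cfg["user_mapping"])
        if omename_attr is None:
            self.ctx.die(156, "omero.ldap.user_mapping has no omeName=<attribute> entry")

        for url in urls.split(","):
            url = url.strip()
            if not url:
                continue
            self.ctx.err("Connecting to %s..." % url)

            # NOTE(review): no TLS options are set on the connection, so with a
            # plain ldap:// URL the bind credentials and the search results
            # cross the wire in clear -- prefer ldaps:// in omero.ldap.urls.
            ld = ldap.initialize(url)
            try:
                if cfg["username"]:
                    # Bind as the service account the server itself uses, so
                    # discovery sees the same entries the login path will.
                    # (The original always bound anonymously even though it
                    # had read omero.ldap.username/password.)
                    ld.simple_bind_s(cfg["username"], cfg["password"])
                else:
                    ld.simple_bind_s()
                results = ld.search_s(basedn, ldap.SCOPE_SUBTREE, cfg["user_filter"])
            finally:
                try:
                    ld.unbind_s()
                except ldap.LDAPError:
                    pass  # best-effort cleanup; a bind/search error wins

            self._report_entries(args, iadmin, omename_attr, results)

    def _ldap_config(self, iconfig):
        """Return the server's ``omero.ldap.*`` values keyed by their last segment."""
        return dict((key.rsplit(".", 1)[-1], iconfig.getConfigValue(key))
                    for key in self.LDAP_PROPERTIES)

    @staticmethod
    def _omename_attribute(user_mapping):
        """Return the LDAP attribute mapped to ``omeName`` in *user_mapping*.

        *user_mapping* is the comma-separated ``omero.ldap.user_mapping``
        string (``omeName=uid,firstName=givenName,...``).  As in the
        original, the last ``omeName=`` pair wins; returns None if there is
        none.
        """
        attr = None
        for pair in (user_mapping or "").split(","):
            parts = pair.split("=", 1)
            if len(parts) == 2 and parts[0] == "omeName":
                attr = parts[1]
        return attr

    def _report_entries(self, args, iadmin, omename_attr, results):
        """Match one search's *results* against OMERO logins and print them.

        *results* is the ``(dn, entry)`` list returned by ``search_s``;
        entries lacking *omename_attr*, or carrying more than one value for
        it, are skipped with a message.
        """
        import omero
        try:
            from shlex import quote  # Python 3.3+
        except ImportError:
            from pipes import quote  # Python 2

        for dn, entry in results:
            if omename_attr not in entry:
                self.ctx.dbg("No %s attribute on %s" % (omename_attr, dn))
                continue
            omeName = entry[omename_attr]
            if isinstance(omeName, (list, tuple)):
                if len(omeName) != 1:
                    self.ctx.err("Failed to unwrap omeName: %s" % omeName)
                    continue
                omeName = omeName[0]

            try:
                exp = iadmin.lookupExperimenter(omeName)
                olddn = iadmin.lookupLdapAuthExperimenter(exp.id.val)
            except omero.ApiUsageException:
                continue  # Unknown user

            if olddn:
                if olddn != dn:
                    self.ctx.err("Found different DN for %s: %s" % (omeName, olddn))
                else:
                    self.ctx.dbg("DN already set for %s: %s" % (omeName, olddn))
            elif args.commands:
                # Shell-quote so DNs with spaces or quotes can be pasted back
                # safely; simple "uid=x,ou=y,o=z" values are left untouched.
                self.ctx.out("%s ldap setdn %s %s"
                             % (sys.argv[0], quote(omeName), quote(dn)))
            else:
                self.ctx.out("Experimenter:%s\tomeName=%s\t%s"
                             % (exp.id.val, omeName, dn))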
# ``register`` is expected to be present in the module namespace when the
# OMERO CLI loads this plugin; when it is not (NameError, e.g. the module is
# run directly as a script) build a CLI ourselves and dispatch argv.
try:
    register("ldap", LdapControl, HELP)
except NameError:
    if __name__ == "__main__":
        cli = CLI()
        cli.register("ldap", LdapControl, HELP)
        cli.invoke(sys.argv[1:])