Muehlenhoff has submitted this change and it was merged.

Change subject: Ship a script to rewrite group memberships after enabling the 
memberof overlay
......................................................................


Ship a script to rewrite group memberships after enabling the memberof overlay

The memberof overlay annotates group memberships on the respective user objects
in "memberOf" attributes. This is useful to query group memberships of a user
without parsing the members attribute of a group.

Enabling the overlay does not amend existing attributes. This script provides
a tool which retrieves the membership information of a group, empties the group
and re-adds all users, thus adding the memberOf attribute for all members.

Bug: T142817
Change-Id: I4832e6c11c59a64d6a4fb1d46451833767a44563
---
A modules/ldap/files/rewrite-group-for-memberof
M modules/ldap/manifests/management.pp
2 files changed, 56 insertions(+), 0 deletions(-)
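As an added example (not the script from this change, and not the project's own code), here is the same empty-then-refill rewrite driven through the standard OpenLDAP command-line tools instead of python-ldap, so that the search output saved first doubles as a backup of the membership. The helper parses `ldapsearch -LLL` output (folded lines and base64 values included), escapes the group name before it goes into the search filter, and emits the two `changetype: modify` records that `ldapmodify` applies. All DNs in the constructed sample, the script name and the command lines in the usage note are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Rebuild a groupOfNames entry so that slapo-memberof annotates its members.

Subcommands: `filter GROUPNAME` prints an escaped search filter for
ldapsearch; `rewrite` reads `ldapsearch -LLL ... member` output on stdin and
writes the two-step modify LDIF for ldapmodify on stdout.
"""
import base64
import sys


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so a group name taken from the
    command line cannot change the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(groupname):
    return "(&(objectClass=groupOfNames)(cn=%s))" % escape_filter_value(groupname)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line (RFC 2849)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_value(rest):
    """`rest` is what follows the attribute name's first colon: a second colon
    plus base64, or a space-padded plain value."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.lstrip(" ")


def parse_group(ldif_text):
    """Parse `ldapsearch -LLL ... member` output; returns (dn, [member DNs]).
    Refuses output with more than one entry instead of silently taking the
    first one."""
    dn, members, entries = None, [], 0
    for line in unfold_ldif(ldif_text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("dn:"):
            entries += 1
            if entries > 1:
                raise ValueError("search returned more than one entry")
            dn = decode_value(line[3:])
        elif line.startswith("member:"):
            members.append(decode_value(line[7:]))
    if dn is None:
        raise ValueError("group not found")
    return dn, members


def ldif_line(attr, value):
    """Emit `attr: value`, switching to base64 (`attr:: ...`) when the value is
    not an RFC 2849 SAFE-STRING (leading space, colon or '<', or non-ASCII)."""
    if value == "":
        return attr + ":"
    if all(32 <= ord(c) < 127 for c in value) and value[0] not in " :<":
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def rewrite_ldif(dn, members, placeholder=""):
    """Two modify records for ldapmodify: replace member with one placeholder
    value, then replace it with the original list. groupOfNames requires at
    least one member, so the attribute is never removed outright; the empty DN
    placeholder mirrors the change above. Each modify makes slapo-memberof
    drop, then re-add, memberOf on every member entry."""
    def record(values):
        lines = [ldif_line("dn", dn), "changetype: modify", "replace: member"]
        lines += [ldif_line("member", v) for v in values]
        return "\n".join(lines + ["-"]) + "\n"
    return record([placeholder]) + "\n" + record(members)


# Constructed sample of ldapsearch -LLL output (assumed DNs): it contains a
# folded line and a base64 value, the two things naive parsing gets wrong.
SAMPLE_SEARCH = """\
dn: cn=ops,ou=groups,dc=example,dc=org
member: uid=alice,ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=exampl
 e,dc=org
member:: dWlkPWNhcm9sLG91PXBlb3BsZSxkYz1leGFtcGxlLGRjPW9yZw==

"""


def main(argv):
    if len(argv) == 3 and argv[1] == "filter":
        print(group_filter(argv[2]))
        return 0
    if len(argv) == 2 and argv[1] == "rewrite":
        try:
            dn, members = parse_group(sys.stdin.read())
        except ValueError as err:
            sys.stderr.write("%s\n" % err)
            return 1
        if not members:
            sys.stderr.write("%s has no member values; nothing to rewrite\n" % dn)
            return 1
        sys.stdout.write(rewrite_ldif(dn, members))
        return 0
    sys.stderr.write("usage: %s filter GROUPNAME | rewrite < search.ldif\n" % argv[0])
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Assumed invocation, with the file name and DNs as placeholders: `ldapsearch -LLL -x -W -D "cn=admin,dc=example,dc=org" -b "ou=groups,dc=example,dc=org" "$(./rewrite-group-ldif.py filter ops)" member > ops-backup.ldif`, then `./rewrite-group-ldif.py rewrite < ops-backup.ldif > ops-rewrite.ldif`, then `ldapmodify -x -W -D "cn=admin,dc=example,dc=org" -f ops-rewrite.ldif`. `-W` prompts for the bind password without echoing it, and if the second modify record fails the group can be restored from `ops-backup.ldif` with a single `replace: member` record built from its member lines. The two modifies are still separate LDAP operations, so anything that authorises on group membership sees the group empty between them; run it at a quiet time.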

Approvals:
  Muehlenhoff: Looks good to me, approved
  Faidon Liambotis: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/modules/ldap/files/rewrite-group-for-memberof 
b/modules/ldap/files/rewrite-group-for-memberof
new file mode 100755
index 0000000..ef4fabc
--- /dev/null
+++ b/modules/ldap/files/rewrite-group-for-memberof
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+
+import ldap, argparse, sys
+from ldap import modlist as modlist
+
+group_container = "ou=groups,dc=wikimedia,dc=org"
+binddn = "cn=admin,dc=wikimedia,dc=org"
+
+p = argparse.ArgumentParser(usage="rewrite-group-for-memberof -g GROUPNAME")
+
+p.add_argument("-g", "--group", action="store", type=str, dest="groupname", 
help="The group which should be rewritten for memberOf attributes (just the 
base group name, not the entire DN")
+
+opt = p.parse_args()
+
+if not opt.groupname:
+    p.error("You need to provide the group name")
+
+bindpw = raw_input("Enter password for " + binddn + ": ")
+
+try:
+    l = ldap.initialize('ldap://localhost:389')
+    l.protocol_version = ldap.VERSION3
+    l.simple_bind_s(binddn, bindpw)
+except ldap.LDAPError, e:
+    print e
+
+ldapsearch = l.search_s(group_container, ldap.SCOPE_SUBTREE, 
"(&(objectclass=groupOfNames)(cn=" + opt.groupname + "))", attrlist=['member'],)
+
+if not ldapsearch:
+    print "Group not found, bailing out"
+    sys.exit(1)
+
+members = ldapsearch[0][1]
+dn = ldapsearch[0][0]
+
+print "Rewriting group", dn
+
+empty_group= dict()
+empty_group['member'] = ['']
+
+try:
+    empty_ldif = modlist.modifyModlist(members, empty_group)
+    refill_ldif = modlist.modifyModlist(empty_group, members)
+    l.modify_s(dn, empty_ldif)
+    l.modify_s(dn, refill_ldif)
+except ldap.LDAPError, e:
+    print e
+
+l.unbind_s()
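Review bot: the empty-then-refill sequence has no safety net: `l.modify_s(dn, empty_ldif)` can succeed and `l.modify_s(dn, refill_ldif)` then fail, after which the `except ldap.LDAPError` branch only prints the error and the script exits 0 with the group reduced to the single empty placeholder value. Print or write the retrieved `member` list before the first modify and `sys.exit(1)` on any LDAPError so the membership can be restored; the bind block has the same shape and on failure falls through to `l.search_s` on an unbound connection. Two smaller points: `raw_input` echoes the admin password to the terminal, `getpass.getpass` does not; and `opt.groupname` is concatenated unescaped into the search filter, so a name containing `*`, `(` or `)` changes the filter (use `ldap.filter.escape_filter_chars`, and check that the search returned exactly one entry instead of silently taking `ldapsearch[0]`). A comment would also help at `empty_group['member'] = ['']`: `member` is a MUST attribute of groupOfNames, which is why the group is emptied to one empty value rather than having the attribute removed.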
diff --git a/modules/ldap/manifests/management.pp 
b/modules/ldap/manifests/management.pp
index 41db251..7ae07b9 100644
--- a/modules/ldap/manifests/management.pp
+++ b/modules/ldap/manifests/management.pp
@@ -51,4 +51,11 @@
         owner  => 'root',
         group  => 'root',
     }
+
+    file { '/usr/local/bin/rewrite-group-for-memberof':
+        source => 'puppet:///modules/ldap/rewrite-group-for-memberof',
+        mode   => '0554',
+        owner  => 'root',
+        group  => 'root',
+    }
 }
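Review bot: the resource installs a script that does `import ldap` and uses Python 2 syntax (`raw_input`, `print e`, `except ldap.LDAPError, e`), but nothing here expresses either dependency: add `require => Package['python-ldap']` (or whatever the class names that package) unless the manifest already installs it outside the visible context, and consider pinning the script's shebang to a Python 2 interpreter, since `#!/usr/bin/env python` fails at `raw_input` wherever `python` resolves to Python 3.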

-- 
To view, visit https://gerrit.wikimedia.org/r/306905
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I4832e6c11c59a64d6a4fb1d46451833767a44563
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
