Muehlenhoff has submitted this change and it was merged.

Change subject: Ship a script to rewrite group memberships after enabling the memberof overlay
......................................................................
Ship a script to rewrite group memberships after enabling the memberof overlay

The memberof overlay annotates group memberships on the respective user objects in "memberOf" attributes. This is useful to query group memberships of a user without parsing the members attribute of a group. Enabling the overlay does not amend existing attributes.

This script provides a tool which retrieves the membership information of a group, empties the group and re-adds all users, thus adding the memberOf attribute for all members.

Bug: T142817
Change-Id: I4832e6c11c59a64d6a4fb1d46451833767a44563
---
A modules/ldap/files/rewrite-group-for-memberof
M modules/ldap/manifests/management.pp
2 files changed, 56 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  Faidon Liambotis: Looks good to me, but someone else must approve
  jenkins-bot: Verified

diff --git a/modules/ldap/files/rewrite-group-for-memberof b/modules/ldap/files/rewrite-group-for-memberof
new file mode 100755
index 0000000..ef4fabc
--- /dev/null
+++ b/modules/ldap/files/rewrite-group-for-memberof
@@ -0,0 +1,49 @@ +#!/usr/bin/env python + +import ldap, argparse, sys +from ldap import modlist as modlist + +group_container = "ou=groups,dc=wikimedia,dc=org" +binddn = "cn=admin,dc=wikimedia,dc=org" + +p = argparse.ArgumentParser(usage="rewrite-group-for-memberof -g GROUPNAME") + +p.add_argument("-g", "--group", action="store", type=str, dest="groupname", help="The group which should be rewritten for memberOf attributes (just the base group name, not the entire DN") + +opt = p.parse_args() + +if not opt.groupname: + p.error("You need to provide the group name") + +bindpw = raw_input("Enter password for " + binddn + ": ") + +try: + l = ldap.initialize('ldap://localhost:389') + l.protocol_version = ldap.VERSION3 + l.simple_bind_s(binddn, bindpw) +except ldap.LDAPError, e: + print e + +ldapsearch = l.search_s(group_container, ldap.SCOPE_SUBTREE, "(&(objectclass=groupOfNames)(cn=" + opt.groupname + "))", attrlist=['member'],) + +if not ldapsearch: + print "Group not found, bailing out" + sys.exit(1) + +members = ldapsearch[0][1] +dn = ldapsearch[0][0] + +print "Rewriting group", dn + +empty_group= dict() +empty_group['member'] = [''] + +try: + empty_ldif = modlist.modifyModlist(members, empty_group) + refill_ldif = modlist.modifyModlist(empty_group, members) + l.modify_s(dn, empty_ldif) + l.modify_s(dn, refill_ldif) +except ldap.LDAPError, e: + print e + +l.unbind_s() diff --git a/modules/ldap/manifests/management.pp b/modules/ldap/manifests/management.pp index 41db251..7ae07b9 100644 --- a/modules/ldap/manifests/management.pp +++ b/modules/ldap/manifests/management.pp 
@@ -51,4 +51,11 @@ owner => 'root', group => 'root', } + + file { '/usr/local/bin/rewrite-group-for-memberof': + source => 'puppet:///modules/ldap/rewrite-group-for-memberof', + mode => '0554', + owner => 'root', + group => 'root', + } } -- To view, visit https://gerrit.wikimedia.org/r/306905 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I4832e6c11c59a64d6a4fb1d46451833767a44563 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org> Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
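Review bot: in the rewrite-group-for-memberof hunk, a failed bind is only printed and the script carries on: after `except ldap.LDAPError, e: print e` execution reaches `l.search_s(...)` on an unbound connection (or raises NameError if `ldap.initialize` itself failed), so that except branch and the one around the two `modify_s` calls should end in `sys.exit(1)` so that any failure is a non-zero exit. The empty-then-refill sequence is two separate modifications with no record of the original membership; if the second `modify_s` fails the group is left holding the `['']` placeholder with nothing to restore from, so print or write out `members` before the first modify, and keep in mind the window in which the group is empty for anything that authorizes on membership. Two smaller points: `raw_input` echoes the admin bind password to the terminal where `getpass.getpass` would not, and `opt.groupname` is concatenated into the search filter unescaped, so a name containing `(`, `)` or `*` gives a malformed or over-broad filter; `ldap.filter.escape_filter_chars(opt.groupname)` fixes that. The file is also Python 2 only (`except ..., e`, `print e`, `raw_input`), which matches the `#!/usr/bin/env python` shebang but deserves a comment.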
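Review bot: in the management.pp hunk, `mode => '0554'` makes an admin-only tool world-readable and world-executable; since only root runs it against `cn=admin,dc=wikimedia,dc=org`, `0550` fits the root-only `owner`/`group` the resource already sets. The deployed script imports `ldap` (python-ldap) in the other hunk, so confirm that package is ensured by this manifest or one it depends on, otherwise the file fails at import time once installed.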