AlekSIS-App-LDAP issues
https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues
Updated: 2023-03-22T18:53:38Z

# Write auxiliary data when updating/creating objects

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/48
Updated: 2023-03-22T18:53:38Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

Some LDAP implementations rely on special state objects to track IDs. An example is Puavo's ID tracking object:
```ldif
cn=IdPool,o=puavo
objectClass: top
objectClass: puavoIdPool
cn: IdPool
puavoNextRid: 3
puavoNextDatabaseId: 1
puavoNextKadminPort: 10004
puavoNextGidNumber: 10007
puavoNextUidNumber: 10005
puavoNextId: 17
```
We need a method to update values in such ID objects when modifying the tree from AlekSIS.

Assignee: magicfelix

# Write back group memberships on changes

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/44
Updated: 2022-12-14T18:47:59Z
Author: Nik | Klampfradler <dominik.george@teckids.org>
Assignee: magicfelix

# Write back basic person attributes on change

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/43
Updated: 2022-12-14T18:48:04Z
Author: Nik | Klampfradler <dominik.george@teckids.org>
Assignee: magicfelix

# Document LDAP usage with Puavo

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/42
Updated: 2022-12-14T18:48:10Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

Document the parameters required or recommended to authenticate and sync (AlekSIS-App-LDAP) users and people from a Puavo school.
All parts can be documented in the handbook of AlekSIS-App-LDAP.
For that, start a new sub chapter in the handbook, with a sub-sub chapter for Puavo, and document how to set up the Puavo server for AlekSIS' connection and how to configure all aspects of AlekSIS correctly so it correctly consumes users, persons and groups from Puavo.

Assignee: magicfelix
Due date: 2022-10-21

# LDAP Import does not import changes into current groups of the school year but creates new ones.

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/41
Updated: 2023-02-04T16:30:10Z
Author: Supergamerx3000

If you create a new school year and assign the groups to it, the groups will be completely recreated with the next LDAP import or when an LDAP user logs in. So you cannot correctly sync changes that happen in the school year.

Can you build a script as a workaround that syncs the changes from the new groups to the school year groups?

Assignee: Nik | Klampfradler <dominik.george@teckids.org>
Due date: 2022-09-09

# Detect group types based on some attribute

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/40
Updated: 2022-07-20T17:56:09Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

When integrating with a Linuxmuster.net instance, we found #39. To make this change work (thinking of groups where teachers actually **are** regular members), we could use the `GroupType` system to record which groups are intended for student membership or for teacher membership.

# Distinguish group owners/members by base DN or group membership

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/39
Updated: 2022-07-20T17:56:09Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

When integrating with a Linuxmuster.net system, we found that (at least in that instance), teachers are members of the class LDAP groups, and no owner information is recorded in LDAP. It seems that the only distinguishing factor for teachers is their membership in a role group.
The import should be able to distinguish group owners based on that.

# Implement user and person creation

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/37
Updated: 2022-12-14T18:48:28Z
Author: magicfelix

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/commit/2a553a317451baf748c4a60a6e117515d0e6f82c
Currently, ldap_create_user() just prepares some variables, but does not interact with the LDAP server.
In order to make this work, we also need a new structure and frontend to configure mappings.
## How will this work?
* The administrator visits the data management menu, and chooses "LDAP mappings"
* The "LDAP mapping" page lists all kinds of models that have mappings configured
* The administrator can add a new set of mappings for a model class, e.g. for `Person`
* The administrator needs to configure the base DN for new objects
* The administrator needs to configure the `objectClass`es for new objects
* Creating or editing a set of mappings leads to a page listing all mappings for this model
* The mappings are based on the LDAP attributes, with each mapping having the following columns:
  * `ldap_attribute`: The name of the LDAP attribute
  * `read_regex`: A regular expression for reading the attribute. This should be, for example `(?<first_name>.*) (?<last_name>.*)` to dissect a `cn`
  * `write_template`: A Django template fed with the model instance, generating the LDAP value

## Caveats

* A migration is needed to transfer the existing preferences into a mapping set for `Person`

Assignee: magicfelix

# Allow OR matching in addition to AND matching

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/29
Updated: 2022-01-08T18:53:40Z
Author: Jonathan Weth <git@jonathanweth.de>

Currently, the importer only supports matching persons by a combination of fields. If we use `email` and `import_ref_csv`, the importer will find only persons with the same email **AND** the same import reference. But for use at the Katharineum, we need an option to find persons with the same email **OR** the same import reference.
Here is a simple patch which removes the AND mode for an OR mode, but there are much better options to solve this:
```diff
--- ldap_sync.py 2021-08-09 19:26:52.140242913 +0200
+++ production/lib/python3.9/site-packages/aleksis/apps/ldap/util/ldap_sync.py 2021-08-09 19:35:55.465769996 +0200
@@ -6,7 +6,7 @@
from django.conf import settings
from django.core.files import File
from django.db import DataError, IntegrityError, transaction
-from django.db.models import fields
+from django.db.models import fields, Q
from django.db.models.fields.files import FileField
from django.utils.text import slugify
from django.utils.translation import gettext as _
@@ -267,11 +267,17 @@
if missing_key not in matches:
defaults[missing_key] = getattr(user, missing_key)
- if get_site_preferences()["ldap__create_missing_persons"]:
- person, created = Person.objects.get_or_create(**matches, defaults=defaults)
- else:
- person = Person.objects.get(**matches)
+ person = None
+ q = Q()
+ for key, value in matches.items():
+ q = q | Q(**{key: value})
+ try:
+ person = Person.objects.get(q)
created = False
+ except Person.DoesNotExist:
+ if get_site_preferences()["ldap__create_missing_persons"]:
+ person = Person.objects.create(**matches, **defaults)
+ created = True
person.user = user
status = "New" if created else "Existing"
```
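Review bot: in the second hunk, `Person.objects.get(q)` on an OR of the match fields can now return more than one row, but only `Person.DoesNotExist` is caught; if two persons share an email while carrying different import references, `Person.MultipleObjectsReturned` propagates and the login or import aborts, and any attempt to resolve it silently would risk attaching the LDAP user to the wrong person. Catch `Person.MultipleObjectsReturned` explicitly and report it as a conflict rather than picking one. Also, when `ldap__create_missing_persons` is off and nothing matches, `person` stays `None` and the unchanged `person.user = user` raises `AttributeError` where the old code raised `Person.DoesNotExist`; re-raise or return early in that branch. Finally, an empty `matches` dict yields a bare `Q()`, which matches every person, so guard against an empty match set before querying.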
This has a high priority for @fph.

Milestone: 2021.12 — "Bruner"
Assignee: Nik | Klampfradler <dominik.george@teckids.org>

# Document IServ specifics

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/28
Updated: 2022-04-05T17:59:35Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

*This issue tracks some IServ specifics found while beta-testing in such an environment*

* Groups are both `groupOfName` and `posixGroup`, but `groupOfName` was renamed to `groupOfMembers` because the original `groupOfNames` disallows combination with `posixGroup`. Users should use `posixGroup`

# Hook into django-allauth

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/22
Updated: 2021-09-24T14:29:56Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

django-allauth in core will fire a signal on password change. We can leverage django-auth-ldap's mechanism of binding as the authenticating user after being asked to authenticate with the old password to get a context in which we can call the LDAP Modify Password extended operation.
On registration, we can act as well.

Milestone: 2021.12 — "Bruner"
Assignee: Nik | Klampfradler <dominik.george@teckids.org>

# Support syncing fields across foreign keys

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/21
Updated: 2020-11-15T21:40:02Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

It should be possible to sync fields across foreign keys (reverse ones, even).

Assignee: Nik | Klampfradler <dominik.george@teckids.org>

# Allow match of users to persons by other fields in AlekSIS and LDAP

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/19
Updated: 2020-11-13T17:47:03Z
Author: Jonathan Weth <git@jonathanweth.de>

Example:
Match field `import_ref-<xy>` (AlekSIS) against `employeeNumber` (LDAP)

Milestone: 2021.12 — "Bruner"
Assignee: Nik | Klampfradler <dominik.george@teckids.org>

# Make LDAP sync on login configurable

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/12
Updated: 2020-05-02T22:10:22Z
Author: Nik | Klampfradler <dominik.george@teckids.org>
Milestone: 2.0a2
Assignee: Tom Teichler <tom.teichler@teckids.org>
Due date: 2020-05-01

# Support jpegPhoto

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/9
Updated: 2020-03-31T09:28:22Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

Allow syncing of a photo field

Milestone: 2.0a2
Assignee: Nik | Klampfradler <dominik.george@teckids.org>

# Add more management commands

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/8
Updated: 2020-06-26T14:38:43Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

Add some more management commands

* [ ] Import one user by user name
* [ ] Import one group by group name
Also, find a generic pattern for these commands (e.g. let them all start with `ldap_`).

Assignee: Tom Teichler <tom.teichler@teckids.org>

# Mass import of users

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/7
Updated: 2020-03-31T08:27:29Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

Use the current approach to syncing users on login to provide a mass import. It should reuse the existing code, and be available both as a celery task and as a management command.

Milestone: 2.0a2
Assignee: Tom Teichler <tom.teichler@teckids.org>

# Translation of LDAP fields by pattern

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/5
Updated: 2020-03-28T20:36:25Z
Author: Nik | Klampfradler <dominik.george@teckids.org>
Milestone: 2.0a2
Assignee: Nik | Klampfradler <dominik.george@teckids.org>

# Sync user groups after login

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/4
Updated: 2020-03-27T21:39:41Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

After login, the groups a user belongs to should be updated to be reflected on the Person object. This must be configurable. Groups should also be auto-created if configured.

Milestone: 2.0a2
Assignee: Tom Teichler <tom.teichler@teckids.org>

# Sync additional LDAP fields after login

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/3
Updated: 2020-03-28T14:14:53Z
Author: Nik | Klampfradler <dominik.george@teckids.org>

After login, additional LDAP fields from the logged-in user should be synced from LDAP.
This must be a configurable map.

Milestone: 2.0a2
Assignee: Tom Teichler <tom.teichler@teckids.org>