AlekSIS-App-LDAP issues
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues
Updated: 2023-11-14T20:12:23Z

AttributeError with mass import
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/55
Updated: 2023-11-14T20:12:23Z
Author: Jonathan Weth (git@jonathanweth.de)

```
Traceback (most recent call last):
  File "/srv/aleksis/envs/production/lib/python3.9/site-packages/celery/app/trace.py", line 477, in trace_task
    R = retval = fun(*args, **kwargs)
  File "/srv/aleksis/envs/production/lib/python3.9/site-packages/celery/app/trace.py", line 760, in __protected_call__
    return self.run(*args, **kwargs)
  File "/srv/aleksis/envs/production/lib/python3.9/site-packages/aleksis/apps/ldap/tasks.py", line 8, in ldap_import
    mass_ldap_import()
  File "/usr/lib/python3.9/contextlib.py", line 79, in inner
    return func(*args, **kwds)
  File "/srv/aleksis/envs/production/lib/python3.9/site-packages/aleksis/apps/ldap/util/ldap_sync.py", line 448, in mass_ldap_import
    person = ldap_sync_from_user(user, dn, attrs)
  File "/usr/lib/python3.9/contextlib.py", line 79, in inner
    return func(*args, **kwds)
  File "/srv/aleksis/envs/production/lib/python3.9/site-packages/aleksis/apps/ldap/util/ldap_sync.py", line 258, in ldap_sync_from_user
    value = get_ldap_value_for_field(Person, fields_map[field_name], attrs, dn)
  File "/srv/aleksis/envs/production/lib/python3.9/site-packages/aleksis/apps/ldap/util/ldap_sync.py", line 173, in get_ldap_value_for_field
    value = from_ldap(value, field, dn, ldap_field, instance)
  File "/srv/aleksis/envs/production/lib/python3.9/site-packages/aleksis/apps/ldap/util/ldap_sync.py", line 50, in from_ldap
    from ldapdb.models.fields import datetime_from_ldap # noqa
  File "/srv/aleksis/envs/production/lib/python3.9/site-packages/ldapdb/models/__init__.py", line 5, in <module>
    from ldapdb.models.base import Model # noqa
  File "/srv/aleksis/envs/production/lib/python3.9/site-packages/ldapdb/models/base.py", line 12, in <module>
    from . import fields as ldapdb_fields
  File "/srv/aleksis/envs/production/lib/python3.9/site-packages/ldapdb/models/fields.py", line 367, in <module>
    EPOCH = timezone.utc.localize(datetime.datetime.utcfromtimestamp(0))
AttributeError: 'datetime.timezone' object has no attribute 'localize'
```

Milestone: 2023.12 – "Falk"
Assignee: Nik | Klampfradler (dominik.george@teckids.org)

Update LDAP on model change/creation
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/53
Updated: 2023-03-22T18:33:04Z
Author: magicfelix

The general implementation of AlekSIS -> LDAP sync (using signals?), which is currently not implemented and only possible by using `write_model_to_ldap` manually.

Assignee: Nik | Klampfradler (dominik.george@teckids.org)

Use `modifyTimestamp` and Django counterpart for syncing
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/52
Updated: 2023-01-24T19:45:25Z
Author: magicfelix

`read_model_from_ldap` has a, currently unused, `force` option. If it's `False` the object should only be synced, if the LDAP one is newer than the Django object.

Add `ldap_dn` field to all models, not only Group and Person
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/51
Updated: 2023-03-20T15:09:11Z
Author: magicfelix

Assignee: magicfelix

ldap_dn filtering doesn't work due to case differences
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/50
Updated: 2022-12-31T15:28:15Z
Author: magicfelix

For an `LDAPFieldMapping` that uses e.g. `members__ldap_dn`, m2m filtering doesn't find results, because `ldap_dn` is saved lowercase in AlekSIS.

Assignee: Nik | Klampfradler (dominik.george@teckids.org)

Create related objects on import
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/49
Updated: 2023-03-22T18:57:20Z
Author: magicfelix

Syncable fields did that, but as they aren't used anymore, e.g. `PersonNisAttrs` for a newly imported `Person` have to be created in `read_model_from_ldap` or `from_ldap`.

Assignee: Nik | Klampfradler (dominik.george@teckids.org)

Write auxiliary data when updating/creating objects
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/48
Updated: 2023-03-22T18:53:38Z
Author: Nik | Klampfradler (dominik.george@teckids.org)

Some LDAP implementations rely on special state objects to track IDs. An example is Puavo's ID tracking object:
```ldif
cn=IdPool,o=puavo
objectClass: top
objectClass: puavoIdPool
cn: IdPool
puavoNextRid: 3
puavoNextDatabaseId: 1
puavoNextKadminPort: 10004
puavoNextGidNumber: 10007
puavoNextUidNumber: 10005
puavoNextId: 17
```
We need a method to update values in such ID objects when modifying the tree from AlekSIS.

Assignee: magicfelix

Optionally query user fields with its own bind
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/47
Updated: 2022-10-21T17:12:14Z
Author: magicfelix

Currently fields the Bind User cannot access do not get synchronized to AlekSIS.
In such a case it can be useful, at the cost of one more LDAP query, to use the user's account to fetch its own data.

Sync GroupTypes
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/46
Updated: 2023-03-28T17:29:29Z
Author: magicfelix

If a similar concept exists in the LDAP directory (like with Puavo groupTypes), those could be synced as well.

Assignee: magicfelix

Assign Groups based on LDAP attributes
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/45
Updated: 2023-03-28T17:29:28Z
Author: magicfelix

In Puavo, there are "roles" such as teacher, admin...
That LDAP attribute can be translated to AlekSIS groups by a user-configurable matching table.

Assignee: magicfelix

Write back group memberships on changes
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/44
Updated: 2022-12-14T18:47:59Z
Author: Nik | Klampfradler (dominik.george@teckids.org)

Assignee: magicfelix

Write back basic person attributes on change
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/43
Updated: 2022-12-14T18:48:04Z
Author: Nik | Klampfradler (dominik.george@teckids.org)

Assignee: magicfelix

Document LDAP usage with Puavo
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/42
Updated: 2022-12-14T18:48:10Z
Author: Nik | Klampfradler (dominik.george@teckids.org)

Document the parameters required or recommended to authenticate and sync (AlekSIS-App-LDAP) users and people from a Puavo school.
All parts can be documented in the handbook of AlekSIS-App-LDAP.
For that, start a new sub chapter in the handbook, with a sub-sub chapter for Puavo, and document how to set up the Puavo server for AlekSIS' connection and how to configure all aspects of AlekSIS correctly so it correctly consumes users, persons and groups from Puavo.

Assignee: magicfelix
Due date: 2022-10-21

LDAP Import does not import changes into current groups of the school year but creates new ones.
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/41
Updated: 2023-02-04T16:30:10Z
Author: Supergamerx3000

If you create a new school year and assign the groups to it, the groups will be completely recreated with the next LDAP import or when an LDAP user logs in. So you cannot correctly sync changes that happen in the school year.
Can you build a script as a workaround that syncs the changes from the new groups to the school year groups?

Assignee: Nik | Klampfradler (dominik.george@teckids.org)
Due date: 2022-09-09

Detect group types based on some attribute
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/40
Updated: 2022-07-20T17:56:09Z
Author: Nik | Klampfradler (dominik.george@teckids.org)

When integrating with a Linuxmuster.net instance, we found #39. To make this change work (thinking of groups where teachers actually **are** regular members), we could use the `GroupType` system to record which groups are intended for student membership or for teacher membership.

Distinguish group owners/members by base DN or group membership
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/39
Updated: 2022-07-20T17:56:09Z
Author: Nik | Klampfradler (dominik.george@teckids.org)

When integrating with a Linuxmuster.net system, we found that (at least in that instance), teachers are members of the class LDAP groups, and no owner information is recorded in LDAP. It seems that the only distinguishing factor for teachers is their membership in a role group.
The import should be able to distinguish group owners based on that.

Implement user and person creation
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/37
Updated: 2022-12-14T18:48:28Z
Author: magicfelix

https://edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/commit/2a553a317451baf748c4a60a6e117515d0e6f82c
Currently, ldap_create_user() just prepares some variables, but does not interact with the LDAP server.
In order to make this work, we also need a new structure and frontend to configure mappings.
## How will this work?
* The administrator visits the data management menu, and chooses "LDAP mappings"
* The "LDAP mapping" page lists all kinds of models that have mappings configured
* The administrator can add a new set of mappings for a model class, e.g. for `Person`
* The administrator needs to configure the base DN for new objects
* The administrator needs to configure the `objectClass`es for new objects
* Creating or editing a set of mappings leads to a page listing all mappings for this model
* The mappings are based on the LDAP attributes, with each mapping having the following columns:
  * `ldap_attribute`: The name of the LDAP attribute
  * `read_regex`: A regular expression for reading the attribute. This should be, for example `(?<first_name>.*) (?<last_name>.*)` to dissect a `cn`
  * `write_template`: A Django template fed with the model instance, generating the LDAP value
## Caveats
* A migration is needed to transfer the existing preferences into a mapping set for `Person`

Assignee: magicfelix

Document IServ specifics
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/28
Updated: 2022-04-05T17:59:35Z
Author: Nik | Klampfradler (dominik.george@teckids.org)

*This issue tracks some IServ specifics found while beta-testing in such an environment*
* Groups are both `groupOfName` and `posixGroup`, but `groupOfName` was renamed to `groupOfMembers` because the original `groupOfNames` disallows combination with `posixGroup`. Users should use `posixGroup`

Add more management commands
https://biscuit.edugit.org/AlekSIS/official/AlekSIS-App-LDAP/-/issues/8
Updated: 2020-06-26T14:38:43Z
Author: Nik | Klampfradler (dominik.george@teckids.org)

Add some more management commands
* [ ] Import one user by user name
* [ ] Import one group by group name
Also, find a generic pattern for these commands (e.g. let them all start with `ldap_`).

Assignee: Tom Teichler (tom.teichler@teckids.org)