Customizing LDAP mapping

Hi.
I have the following LDAP configuration in indico.conf:

_ldap_config = {
    'uri': 'ldaps://our_server.cz:636',
    'starttls': False,
    'bind_dn': 'cn=sync,dc=domain,dc=eu',
    'bind_password': '********',
    'timeout': 30,
    'verify_cert': False,
    'page_size': 5000,

    'uid': 'uid',
    'user_base': 'ou=People,dc=domain,dc=eu',
    'user_filter': '(objectClass=inetOrgPerson)',

    'gid': 'cn',
    'group_base': 'ou=groups,dc=domain,DC=eu',
    'group_filter': '(objectClass=groupOfNames)',
    'member_of_attr': 'member',
    'ad_group_style': False  # for OpenLDAP
}

AUTH_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        'default': True
    }
}


IDENTITY_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'affiliation': 'ou',
            'address': 'postalAddress'
        },
        'trusted_email': True,
        'default_group_provider': True,
        'synced_fields': {'first_name', 'last_name', 'affiliation', 'address'}
    }
}

In the arrangement of our LDAP server there is one specific thing.

If an entry (registered user) has attribute ‘ou’ = ‘…’
then the mapping of Indico should be ‘affiliation’: ‘ou’.

If an entry has attribute ‘ou’ = ‘other’
then the mapping of Indico should be ‘affiliation’: ‘o’.

The attribute ‘o’ gives the needed value about a registered user.

How to twist the mapping of LDAP?
How to add a condition of this type?

Thanks.

That’s not possible using only the config.

I was going to suggest creating your own flask-multipass LDAP identity provider to handle this, but accessing the ou might be problematic…

Check flask-multipass-ldap-cern for an example on how to register your custom provider. All you need in there is a subclass of the original LDAPIdentityProvider which overrides some methods.

I think the easiest solution is to copy the original _get_identity and search_identities methods and check what you have in user_data right before passing it to the IdentityInfo constructor (IdentityInfo already throws away unused data, so you cannot just call super(...) from your overridden methods and do your checks with the existing IdentityInfo object…)
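The check described in this answer, as an added example that is neither the poster's config nor flask-multipass's own code: a helper that applies the `ou == 'other'` rule to the raw `user_data` dict before it is handed to `IdentityInfo`, meant to be called from the copied `_get_identity` and `search_identities`. It assumes `user_data` is in python-ldap's attribute-to-list-of-bytes form and that the `o` attribute is requested from the server alongside the mapped attributes; it generalizes the question slightly by keeping the normal `ou` mapping for every `ou` value other than `other`.

```python
# Added example (not the forum poster's or flask-multipass's own code): the
# conditional affiliation check the answer describes, written as a pure helper
# that can be called on the raw LDAP user_data inside a copied
# _get_identity / search_identities, right before the IdentityInfo(...) call.
# Assumption: user_data is the python-ldap attribute dict (attr -> list of
# bytes) and both 'ou' and 'o' were requested from the server.

BASE_MAPPING = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
    'affiliation': 'ou',
    'address': 'postalAddress',
}


def _first_value(user_data, attr):
    """Return the first value of an LDAP attribute as str, or None if absent."""
    values = user_data.get(attr) or []
    if not values:
        return None
    value = values[0]
    return value.decode('utf-8', 'replace') if isinstance(value, bytes) else value


def affiliation_mapping(user_data, mapping=BASE_MAPPING):
    """Copy of `mapping` with 'affiliation' pointed at 'o' when the entry's
    'ou' is the literal value 'other'; any other or missing 'ou' keeps 'ou'."""
    resolved = dict(mapping)
    if _first_value(user_data, 'ou') == 'other':
        resolved['affiliation'] = 'o'
    return resolved


def identity_fields(user_data, mapping=BASE_MAPPING):
    """Build the keyword fields for IdentityInfo from user_data, applying the
    affiliation rule. Attributes missing from the entry are left out."""
    fields = {}
    for key, attr in affiliation_mapping(user_data, mapping).items():
        value = _first_value(user_data, attr)
        if value is not None:
            fields[key] = value
    return fields


# Constructed sample entries in python-ldap's result format.
SAMPLE_DIRECT = {'givenName': [b'Jana'], 'sn': [b'Novak'], 'mail': [b'jana@example.cz'],
                 'ou': [b'Physics Dept'], 'o': [b'Example University']}
SAMPLE_OTHER = {'givenName': [b'Petr'], 'sn': [b'Svoboda'], 'mail': [b'petr@example.cz'],
                'ou': [b'other'], 'o': [b'Partner Institute']}
```

An entry whose `ou` is `other` but which carries no `o` simply ends up without an affiliation, rather than with the literal string `other`.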