authorJose Castro Leon <jose.castro.leon@cern.ch>2012-10-10 08:46:51 +0200
committerJose Castro Leon <jose.castro.leon@cern.ch>2012-10-10 08:50:57 +0200
commitdf8d6cc719d2af514794bfd29bc9eb63271e2079 (patch)
tree9bc39af8af513c279b301d0eea095e7dd2729b45 /keystone
parent3ec3c7aed1728f0a0b48097cfc472b68dfd902db (diff)
Filter users in LDAP backend (bug 1052925)
Change-Id: I004e569756698098bf073f5516945f356f88bfea
Diffstat (limited to 'keystone')
-rw-r--r--keystone/common/ldap/core.py17
-rw-r--r--keystone/config.py3
-rw-r--r--keystone/identity/backends/ldap/core.py9
3 files changed, 20 insertions, 9 deletions
diff --git a/keystone/common/ldap/core.py b/keystone/common/ldap/core.py
index 027bc1be..4a80d66a 100644
--- a/keystone/common/ldap/core.py
+++ b/keystone/common/ldap/core.py
@@ -65,6 +65,7 @@ class BaseLdap(object):
DEFAULT_STRUCTURAL_CLASSES = None
DEFAULT_ID_ATTR = 'cn'
DEFAULT_OBJECTCLASS = None
+ DEFAULT_FILTER = None
DUMB_MEMBER_DN = 'cn=dumb,dc=nonexistent'
options_name = None
model = None
@@ -93,6 +94,9 @@ class BaseLdap(object):
self.object_class = (getattr(conf.ldap, objclass)
or self.DEFAULT_OBJECTCLASS)
+ filter = '%s_filter' % self.options_name
+ self.filter = getattr(conf.ldap, filter) or self.DEFAULT_FILTER
+
allow_create = '%s_allow_create' % self.options_name
self.allow_create = getattr(conf.ldap, allow_create)
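Review bot: The value read from `conf.ldap.<options>_filter` is spliced verbatim into every search filter, so an operator value that is not a complete parenthesized LDAP expression (e.g. `uid=*` instead of `(uid=*)`) yields a malformed `(&...)` filter and every lookup for that object type fails only later, at search time. Validating once at construction gives a clear configuration error instead: `if self.filter is not None and not (self.filter.startswith('(') and self.filter.endswith(')')):` followed by raising whatever configuration-error exception this module already uses. The local name `filter` also shadows the builtin; `filter_opt = '%s_filter' % self.options_name` reads better. The enclosing `__init__` starts and ends outside this hunk.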
@@ -198,9 +202,10 @@ class BaseLdap(object):
def _ldap_get(self, id, filter=None):
conn = self.get_connection()
query = '(objectClass=%s)' % self.object_class
- if filter is not None:
- query = '(&%s%s)' % (filter, query)
-
+ if (filter is not None or self.filter is not None):
+ localfilter = self.filter if self.filter is not None else ''
+ paramfilter = filter if filter is not None else ''
+ query = '(&%s%s%s)' % (localfilter, paramfilter, query)
try:
res = conn.search_s(self._id_to_dn(id), ldap.SCOPE_BASE, query)
except ldap.NO_SUCH_OBJECT:
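Review bot: The four lines that merge `self.filter`, the `filter` argument and the objectClass term are duplicated verbatim in `_ldap_get_all` further down, so any later fix to the combination (escaping, validation, ordering) has to be made twice. A small `_build_query` helper called by both methods removes the duplication; the only observable difference is that an empty-string term no longer produces the harmless but redundant `(&(objectClass=x))` wrapper. The helper should document that each term must already be a complete parenthesized LDAP filter, since nothing here escapes them. `_ldap_get` continues past the end of this hunk.
```python
    def _build_query(self, filter=None):
        """Return the search filter for this object type.

        The configured ``<options>_filter`` and the caller-supplied
        ``filter`` are ANDed with the objectClass restriction. Each term
        must already be a complete, parenthesized LDAP filter expression;
        nothing is escaped here.
        """
        query = '(objectClass=%s)' % self.object_class
        extra = ''.join(term for term in (self.filter, filter) if term)
        if extra:
            query = '(&%s%s)' % (extra, query)
        return query

    def _ldap_get(self, id, filter=None):
        conn = self.get_connection()
        query = self._build_query(filter)
        # … unchanged: search_s / NO_SUCH_OBJECT handling …
```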
@@ -214,8 +219,10 @@ class BaseLdap(object):
def _ldap_get_all(self, filter=None):
conn = self.get_connection()
query = '(objectClass=%s)' % (self.object_class,)
- if filter is not None:
- query = '(&%s%s)' % (filter, query)
+ if (filter is not None or self.filter is not None):
+ localfilter = self.filter if self.filter is not None else ''
+ paramfilter = filter if filter is not None else ''
+ query = '(&%s%s%s)' % (localfilter, paramfilter, query)
try:
return conn.search_s(self.tree_dn, ldap.SCOPE_ONELEVEL, query)
except ldap.NO_SUCH_OBJECT:
diff --git a/keystone/config.py b/keystone/config.py
index a6d5f0c6..dc6c41d2 100644
--- a/keystone/config.py
+++ b/keystone/config.py
@@ -167,6 +167,7 @@ register_str('user_name_attribute', group='ldap', default='sn')
register_bool('allow_subtree_delete', group='ldap', default=False)
register_str('user_tree_dn', group='ldap', default=None)
+register_str('user_filter', group='ldap', default=None)
register_str('user_objectclass', group='ldap', default='inetOrgPerson')
register_str('user_id_attribute', group='ldap', default='cn')
register_bool('user_allow_create', group='ldap', default=True)
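Review bot: The new `user_filter` option (and the `tenant_filter`/`role_filter` siblings added below) carries no description of the value it expects, and the backend concatenates it straight into the search filter, so the format is only discoverable by reading `common/ldap/core.py`. A comment above the registration would prevent misconfiguration: `# Optional complete LDAP filter, e.g. '(memberOf=cn=openstack,ou=groups,dc=example,dc=com)', ANDed with the objectClass check on every user lookup.` If this version of `register_str` accepts a help text, that is the better place for the same sentence.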
@@ -174,6 +175,7 @@ register_bool('user_allow_update', group='ldap', default=True)
register_bool('user_allow_delete', group='ldap', default=True)
register_str('tenant_tree_dn', group='ldap', default=None)
+register_str('tenant_filter', group='ldap', default=None)
register_str('tenant_objectclass', group='ldap', default='groupOfNames')
register_str('tenant_id_attribute', group='ldap', default='cn')
register_str('tenant_member_attribute', group='ldap', default='member')
@@ -183,6 +185,7 @@ register_bool('tenant_allow_update', group='ldap', default=True)
register_bool('tenant_allow_delete', group='ldap', default=True)
register_str('role_tree_dn', group='ldap', default=None)
+register_str('role_filter', group='ldap', default=None)
register_str('role_objectclass', group='ldap', default='organizationalRole')
register_str('role_id_attribute', group='ldap', default='cn')
register_str('role_member_attribute', group='ldap', default='roleOccupant')
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index deb78e43..352abd7d 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -357,9 +357,9 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
raise exception.UserNotFound(user_id=id)
def get_by_name(self, name, filter=None):
- users = self.get_all('(%s=%s)' %
- (self.attribute_mapping['name'],
+ query = ('(%s=%s)' % (self.attribute_mapping['name'],
ldap_filter.escape_filter_chars(name)))
+ users = self.get_all(query)
try:
return users[0]
except IndexError:
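Review bot: `get_by_name` still accepts a `filter` argument that is never used — the rewritten call passes only `query` to `self.get_all`, so a caller-supplied filter is silently dropped. If `get_all` forwards its argument to `_ldap_get_all` (its definition is not in this hunk), the intent is presumably to AND the two: `if filter is not None: query = '(&%s%s)' % (query, filter)` before the `get_all` call, or else drop the parameter. Note that `name` is escaped with `escape_filter_chars` but the `filter` argument is not, which is correct only if callers pass complete filter expressions.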
@@ -411,8 +411,9 @@ class UserApi(common_ldap.BaseLdap, ApiShimMixin):
self.role_api.rolegrant_delete(ref.id)
def get_by_email(self, email):
- users = self.get_all('(mail=%s)' %
- (ldap_filter.escape_filter_chars(email),))
+ query = ('(%s=%s)' % (self.attribute_mapping['mail'],
+ ldap_filter.escape_filter_chars(email)))
+ users = self.get_all(query)
try:
return users[0]
except IndexError:
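Review bot: Switching the hard-coded `mail` attribute to `self.attribute_mapping['mail']` raises `KeyError` if the mapping has no `'mail'` entry, and this commit registers no `user_mail_attribute` option alongside the `user_name_attribute` it does show, so it is unclear where that key comes from. If the mapping is not guaranteed to contain it, `self.attribute_mapping.get('mail', 'mail')` preserves the previous behaviour as the fallback; otherwise the option that populates it should be registered in `config.py` with default `'mail'`. The email value itself is correctly passed through `escape_filter_chars`, so the change does not open a filter-injection path.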