Adding support for modification only of user accounts.

1 files changed, 84 insertions, 26 deletions

diff --git a/nova/auth/ldapdriver.py b/nova/auth/ldapdriver.py
index ceade1d65..95519d000 100644
--- a/nova/auth/ldapdriver.py
+++ b/nova/auth/ldapdriver.py
@@ -40,6 +40,8 @@ flags.DEFINE_string('ldap_user_dn', 'cn=Manager,dc=example,dc=com',
 flags.DEFINE_string('ldap_user_unit', 'Users', 'OID for Users')
 flags.DEFINE_string('ldap_user_subtree', 'ou=Users,dc=example,dc=com',
                     'OU for Users')
+flags.DEFINE_boolean('ldap_user_modify_only', False,
+                    'Modify attributes for users instead of creating/deleting')
 flags.DEFINE_string('ldap_project_subtree', 'ou=Groups,dc=example,dc=com',
                     'OU for Projects')
 flags.DEFINE_string('role_project_subtree', 'ou=Groups,dc=example,dc=com',
@@ -89,8 +91,7 @@ class LdapDriver(object):
 
     def get_user(self, uid):
         """Retrieve user by id"""
-        attr = self.__find_object(self.__uid_to_dn(uid),
-                                '(objectclass=novaUser)')
+	attr = self.__get_ldap_user(uid)
         return self.__to_user(attr)
 
     def get_user_from_access_key(self, access):
@@ -110,7 +111,12 @@ class LdapDriver(object):
         """Retrieve list of users"""
         attrs = self.__find_objects(FLAGS.ldap_user_subtree,
                                   '(objectclass=novaUser)')
-        return [self.__to_user(attr) for attr in attrs]
+	users = []
+	for attr in attrs:
+		user = self.__to_user(attr)
+		if user != None:
+			users.append(user)
+        return users
 
     def get_projects(self, uid=None):
         """Retrieve list of projects"""
@@ -125,21 +131,46 @@ class LdapDriver(object):
         """Create a user"""
         if self.__user_exists(name):
             raise exception.Duplicate("LDAP user %s already exists" % name)
-        attr = [
-            ('objectclass', ['person',
-                             'organizationalPerson',
-                             'inetOrgPerson',
-                             'novaUser']),
-            ('ou', [FLAGS.ldap_user_unit]),
-            ('uid', [name]),
-            ('sn', [name]),
-            ('cn', [name]),
-            ('secretKey', [secret_key]),
-            ('accessKey', [access_key]),
-            ('isAdmin', [str(is_admin).upper()]),
-        ]
-        self.conn.add_s(self.__uid_to_dn(name), attr)
-        return self.__to_user(dict(attr))
+        if FLAGS.ldap_user_modify_only:
+            if self.__ldap_user_exists(name):
+                # Retrieve user by name
+                user = self.__get_ldap_user(name)
+                if user.has_key('accessKey') and user.has_key('secretKey') and user.has_key('isAdmin'):
+                    raise exception.Duplicate("LDAP user %s already exists" % name)
+                else:
+                    # Entry could be malformed, test for missing attrs.
+                    # Malformed entries are useless, replace attributes found.
+                    attr = []
+                    if user.has_key('secretKey'):
+                        attr.append((self.ldap.MOD_REPLACE, 'secretKey', [secret_key]))
+                    else:
+                        attr.append((self.ldap.MOD_ADD, 'secretKey', [secret_key]))
+                    if user.has_key('accessKey'):
+                        attr.append((self.ldap.MOD_REPLACE, 'accessKey', [access_key]))
+                    else:
+                        attr.append((self.ldap.MOD_ADD, 'accessKey', [access_key]))
+                    if user.has_key('isAdmin'):
+                        attr.append((self.ldap.MOD_REPLACE, 'isAdmin', [str(is_admin).upper()]))
+                    else:
+                        attr.append((self.ldap.MOD_ADD, 'isAdmin', [str(is_admin).upper()]))
+                    self.conn.modify_s(self.__uid_to_dn(name), attr)
+                    return self.get_user(name)
+        else:
+            attr = [
+                ('objectclass', ['person',
+                                 'organizationalPerson',
+                                 'inetOrgPerson',
+                                 'novaUser']),
+                ('ou', [FLAGS.ldap_user_unit]),
+                ('uid', [name]),
+                ('sn', [name]),
+                ('cn', [name]),
+                ('secretKey', [secret_key]),
+                ('accessKey', [access_key]),
+                ('isAdmin', [str(is_admin).upper()]),
+            ]
+            self.conn.add_s(self.__uid_to_dn(name), attr)
+            return self.__to_user(dict(attr))
 
     def create_project(self, name, manager_uid,
                        description=None, member_uids=None):
@@ -256,7 +287,21 @@ class LdapDriver(object):
         if not self.__user_exists(uid):
             raise exception.NotFound("User %s doesn't exist" % uid)
         self.__remove_from_all(uid)
-        self.conn.delete_s(self.__uid_to_dn(uid))
+        if FLAGS.ldap_user_modify_only:
+            # Delete attributes
+            attr = []
+            # Retrieve user by name
+            user = self.__get_ldap_user(uid)
+            if user.has_key('secretKey'):
+                attr.append((self.ldap.MOD_DELETE, 'secretKey', user['secretKey']))
+            if user.has_key('accessKey'):
+                attr.append((self.ldap.MOD_DELETE, 'accessKey', user['accessKey']))
+            if user.has_key('isAdmin'):
+                attr.append((self.ldap.MOD_DELETE, 'isAdmin', user['isAdmin']))
+            self.conn.modify_s(self.__uid_to_dn(uid), attr)
+        else:
+            # Delete entry
+            self.conn.delete_s(self.__uid_to_dn(uid))
 
     def delete_project(self, project_id):
         """Delete a project"""
@@ -265,7 +310,7 @@ class LdapDriver(object):
         self.__delete_group(project_dn)
 
     def modify_user(self, uid, access_key=None, secret_key=None, admin=None):
-        """Modify an existing project"""
+        """Modify an existing user"""
         if not access_key and not secret_key and admin is None:
             return
         attr = []
@@ -281,10 +326,20 @@ class LdapDriver(object):
         """Check if user exists"""
         return self.get_user(uid) != None
 
+    def __ldap_user_exists(self, uid):
+        """Check if the user exists in ldap"""
+	return self.__get_ldap_user(uid) != None
+
     def __project_exists(self, project_id):
         """Check if project exists"""
         return self.get_project(project_id) != None
 
+    def __get_ldap_user(self, uid):
+	"""Retrieve LDAP user entry by id"""
+        attr = self.__find_object(self.__uid_to_dn(uid),
+                                '(objectclass=novaUser)')
+        return attr
+
     def __find_object(self, dn, query=None, scope=None):
         """Find an object by dn and query"""
         objects = self.__find_objects(dn, query, scope)
@@ -449,12 +504,15 @@ class LdapDriver(object):
         """Convert ldap attributes to User object"""
         if attr == None:
             return None
-        return {
-            'id': attr['uid'][0],
-            'name': attr['cn'][0],
-            'access': attr['accessKey'][0],
-            'secret': attr['secretKey'][0],
-            'admin': (attr['isAdmin'][0] == 'TRUE')}
+	if (attr.has_key('accessKey') and attr.has_key('secretKey') and attr.has_key('isAdmin')):
+            return {
+                'id': attr['uid'][0],
+                'name': attr['cn'][0],
+                'access': attr['accessKey'][0],
+                'secret': attr['secretKey'][0],
+                'admin': (attr['isAdmin'][0] == 'TRUE')}
+	else:
+            return None
 
     def __to_project(self, attr):
         """Convert ldap attributes to Project object"""