Added Feature: Two-Steps lookup

Author: bhunut-adobe

examples/config files - basic/3 connector-ldap.yml

@@ -81,6 +81,23 @@ group_filter_format: "(&(|(objectCategory=group)(objectClass=groupOfNames)(objec
 # group_member_filter_format: "(memberOf:1.2.840.113556.1.4.1941:={group_dn})"
 group_member_filter_format: "(memberOf={group_dn})"
 
+# (optional) two_steps_group_member_lookup (default value given below)
+# two steps group member lookup should only be used for the directory system that
+# does not support memberOf or equivalent virtual attribute. Two steps lookup allows
+# user sync tool pull group membership from group object and does a secondary
+# lookup of user object based on group membership value. When enabled,
+# group_member_filter_format will no longer be used.
+# Depending on the size of your directory, this process might take longer.
+# Set the value to True to enable two-steps lookup.
+#two_steps_group_member_lookup: False
+
+# (optional) two_steps_group_member_attribute_name: (default value given below)
+# two-step group member attribute name is required for two steps lookup to know which
+# attribute within group object contained group membership value.
+# In OpenLDAP, this value can be uniqueMember or member depending on objectClass.
+# the value of the specified attribute should return a distinguishName of a user.
+#two_steps_group_member_attribute_name: "member"
+
 # (optional) string_encoding (default value given below)
 # string_encoding specifies the Unicode string encoding used by the directory.
 # All values retrieved from the directory are converted to Unicode before being

user_sync/connector/directory_ldap.py

@@ -71,6 +71,9 @@ def __init__(self, caller_options):
         builder.set_string_value('group_member_filter_format', six.text_type(
             '(memberOf={group_dn})'))
         builder.set_bool_value('require_tls_cert', False)
+        builder.set_bool_value('two_steps_group_member_lookup', False)
+        builder.set_string_value('two_steps_group_member_attribute_name', 'member')
+        builder.set_string_value('user_identity_type_format', None)
         builder.set_string_value('string_encoding', 'utf8')
         builder.set_string_value('user_identity_type_format', None)
         builder.set_string_value('user_email_format', six.text_type('{mail}'))
@@ -132,28 +135,42 @@ def load_users_and_groups(self, groups, extended_attributes, all_users):
         options = self.options
         all_users_filter = six.text_type(options['all_users_filter'])
         group_member_filter_format = six.text_type(options['group_member_filter_format'])
+        two_steps_group_member_lookup = six.text_type(options['two_steps_group_member_lookup'])
+        two_steps_group_member_attribute_name = six.text_type(options['two_steps_group_member_attribute_name'])
+
+        # save all the users to memory for faster 2-steps lookup process
+        if two_steps_group_member_lookup:
+            all_users_records = dict(self.iter_users(all_users_filter, extended_attributes))
 
         # for each group that's required, do one search for the users of that group
         for group in groups:
-            group_dn = self.find_ldap_group_dn(group)
-            if not group_dn:
-                self.logger.warning("No group found for: %s", group)
-                continue
-            group_member_subfilter = self.format_ldap_query_string(group_member_filter_format, group_dn=group_dn)
-            if not group_member_subfilter.startswith('('):
-                group_member_subfilter = six.text_type('(') + group_member_subfilter + six.text_type(')')
-            user_subfilter = all_users_filter
-            if not user_subfilter.startswith('('):
-                user_subfilter = six.text_type('(') + user_subfilter + six.text_type(')')
-            group_user_filter = six.text_type('(&') + group_member_subfilter + user_subfilter + six.text_type(')')
             group_users = 0
-            try:
-                for user_dn, user in self.iter_users(group_user_filter, extended_attributes):
-                    user['groups'].append(group)
-                    group_users += 1
-                self.logger.debug('Count of users in group "%s": %d', group, group_users)
-            except Exception as e:
-                raise AssertionException('Unexpected LDAP failure reading group members: %s' % e)
+            if not two_steps_group_member_lookup:
+                group_dn = self.find_ldap_group_dn(group)
+                if not group_dn:
+                    self.logger.warning("No group found for: %s", group)
+                    continue
+                group_member_subfilter = self.format_ldap_query_string(group_member_filter_format, group_dn=group_dn)
+                if not group_member_subfilter.startswith('('):
+                    group_member_subfilter = six.text_type('(') + group_member_subfilter + six.text_type(')')
+                user_subfilter = all_users_filter
+                if not user_subfilter.startswith('('):
+                    user_subfilter = six.text_type('(') + user_subfilter + six.text_type(')')
+                group_user_filter = six.text_type('(&') + group_member_subfilter + user_subfilter + six.text_type(')')
+                try:
+                    for user_dn, user in self.iter_users(group_user_filter, extended_attributes):
+                        user['groups'].append(group)
+                        group_users += 1
+                    self.logger.debug('Count of users in group "%s": %d', group, group_users)
+                except Exception as e:
+                    raise AssertionException('Unexpected LDAP failure reading group members: %s' % e)
+            else:
+                members = self.find_ldap_group_member_dn(group, two_steps_group_member_attribute_name)
+                for member in members:
+                    if member in all_users_records:
+                        user = all_users_records[member]
+                        user['groups'].append(group)
+                        group_users += 1
 
         # if all users are requested, do an additional search for all of them
         if all_users:
@@ -197,6 +214,33 @@ def find_ldap_group_dn(self, group):
                 group_dn = current_tuple[0]
         return group_dn
 
+    def find_ldap_group_member_dn(self, group, member_attribute):
+        """
+        :type group: str
+        :type member_attribute: str
+        :rtype list
+        """
+        connection = self.connection
+        options = self.options
+        base_dn = six.text_type(options['base_dn'])
+        group_filter_format = six.text_type(options['group_filter_format'])
+        try:
+            filter_string = self.format_ldap_query_string(group_filter_format, group=group)
+            res = connection.search_s(base_dn, ldap.SCOPE_SUBTREE,
+                                      filterstr=filter_string, attrlist=[member_attribute])
+        except Exception as e:
+            raise AssertionException('Unexpected LDAP failure reading group info: %s' % e)
+        group_members = []
+        group_dn = None
+        for current_tuple in res:
+            if current_tuple[0]:
+                if group_dn:
+                    raise AssertionException("Multiple LDAP groups found for: %s" % group)
+                group_dn = current_tuple[0]
+                if member_attribute in current_tuple[1]:
+                    group_members = current_tuple[1][member_attribute]
+        return group_members
+
     def iter_users(self, users_filter, extended_attributes):
         options = self.options
         base_dn = six.text_type(options['base_dn'])