LDAP tree refactoring

2020-09-03 17:19:41 +02:00 · 2020-09-03 17:19:41 +02:00 · ee05ac0e8b
commit ee05ac0e8b
parent 60e6ababa8
3 changed files with 25 additions and 14 deletions
--- a/docker/bootstrap.ldif
+++ b/docker/bootstrap.ldif
@ -2,15 +2,19 @@ dn: ou=users,dc=mydomain,dc=tld
 objectclass: organizationalUnit
 ou: users

-dn: ou=clients,dc=mydomain,dc=tld
+dn: ou=oauth,dc=mydomain,dc=tld
 objectclass: organizationalUnit
 ou: clients

-dn: ou=tokens,dc=mydomain,dc=tld
+dn: ou=clients,ou=oauth,dc=mydomain,dc=tld
+objectclass: organizationalUnit
+ou: clients
+
+dn: ou=tokens,ou=oauth,dc=mydomain,dc=tld
 objectclass: organizationalUnit
 ou: tokens

-dn: ou=groups,dc=mydomain,dc=tld
+dn: ou=groups,ou=oauth,dc=mydomain,dc=tld
 objectclass: organizationalUnit
 ou: groups

--- a/oidc_ldap_bridge/ldaputils.py
+++ b/oidc_ldap_bridge/ldaputils.py
@ -60,14 +60,21 @@ class LDAPObjectHelper:
        cls.ocs_by_name(conn)
        cls.attr_type_by_name(conn)

-        dn = f"{cls.base},{cls.root_dn}"
-        conn.add_s(
-            dn,
-            [
-                ("objectClass", [b"organizationalUnit"]),
-                ("ou", [cls.base.encode("utf-8")]),
-            ],
-        )
+        acc = ""
+        for organizationalUnit in cls.base.split(",")[::-1]:
+            v = organizationalUnit.split("=")[1]
+            dn = f"{organizationalUnit}{acc},{cls.root_dn}"
+            acc = f",{organizationalUnit}"
+            try:
+                conn.add_s(
+                    dn,
+                    [
+                        ("objectClass", [b"organizationalUnit"]),
+                        ("ou", [v.encode("utf-8")]),
+                    ],
+                )
+            except ldap.ALREADY_EXISTS:
+                pass

    @classmethod
    def ocs_by_name(cls, conn=None):
--- a/oidc_ldap_bridge/models.py
+++ b/oidc_ldap_bridge/models.py
@ -70,7 +70,7 @@ class User(LDAPObjectHelper):

 class Client(LDAPObjectHelper, ClientMixin):
    objectClass = ["oauthClient"]
-    base = "ou=clients"
+    base = "ou=clients,ou=oauth"
    id = "oauthClientID"

    @property
@ -139,7 +139,7 @@ class Client(LDAPObjectHelper, ClientMixin):

 class AuthorizationCode(LDAPObjectHelper, AuthorizationCodeMixin):
    objectClass = ["oauthAuthorizationCode"]
-    base = "ou=authorizations"
+    base = "ou=authorizations,ou=oauth"
    id = "oauthCode"

    @property
@ -175,7 +175,7 @@ class AuthorizationCode(LDAPObjectHelper, AuthorizationCodeMixin):

 class Token(LDAPObjectHelper, TokenMixin):
    objectClass = ["oauthToken"]
-    base = "ou=tokens"
+    base = "ou=tokens,ou=oauth"
    id = "oauthAccessToken"

    @property