Additional changes

Martin · Martin · commit ac0ec87b5754 · 2025-07-14T23:40:08.000+02:00
diff --git a/imageroot/actions/configure-module/10configure_environment_vars b/imageroot/actions/configure-module/10configure_environment_vars
@@ -1,49 +1,48 @@
 #!/usr/bin/env python3
-
 # Copyright (C) 2022 Nethesis S.r.l.
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import json
 import sys
 import agent
-import secrets
-import base64
 import os
 from agent.ldapproxy import Ldapproxy
 
-# Parse JSON input
+# ------------------------------------------------
+# 0. Parse JSON input
+# ------------------------------------------------
 data = json.load(sys.stdin)
 
-# ------------------------------------------------------------
-# 1. Core application settings (always required)
-# ------------------------------------------------------------
+# ------------------------------------------------
+# 1. Core application settings
+# ------------------------------------------------
 SEMAPHORE_ADMIN_PASSWORD = data.get("SEMAPHORE_ADMIN_PASSWORD", "password")
 SEMAPHORE_ADMIN_NAME     = data.get("SEMAPHORE_ADMIN_NAME",     "admin")
 SEMAPHORE_ADMIN_EMAIL    = data.get("SEMAPHORE_ADMIN_EMAIL",    "admin@admin.com")
 SEMAPHORE_ADMIN          = data.get("SEMAPHORE_ADMIN",          "admin")
 
-# ------------------------------------------------------------
-# 2. Reverse-proxy / TLS settings (NEW)
-# ------------------------------------------------------------
-host             = data.get("host", "")
-lets_encrypt     = data.get("lets_encrypt", False)
-http2https       = data.get("http2https", True)
+# ------------------------------------------------
+# 2. Reverse-proxy / TLS
+# ------------------------------------------------
+host         = data.get("host", "")
+lets_encrypt = data.get("lets_encrypt", False)
+http2https   = data.get("http2https",   True)
 
 agent.set_env("TRAEFIK_HOST", host)
 agent.set_env("TRAEFIK_LETS_ENCRYPT", "True" if lets_encrypt else "False")
 agent.set_env("TRAEFIK_HTTP2HTTPS",   "True" if http2https   else "False")
 
-# ------------------------------------------------------------
-# 3. SMTP via SmartHost (unchanged)
-# ------------------------------------------------------------
-rdb = agent.redis_connect(use_replica=True)
+# ------------------------------------------------
+# 3. SMTP via SmartHost
+# ------------------------------------------------
+rdb  = agent.redis_connect(use_replica=True)
 smtp = agent.get_smarthost_settings(rdb)
 
 MAIL_FROM_NAME = f"SEMAPHORE <{smtp['username']}>"
 
-# ------------------------------------------------------------
-# 4. Optional notification channels (unchanged)
-# ------------------------------------------------------------
+# ------------------------------------------------
+# 4. Optional notification channels
+# ------------------------------------------------
 SEMAPHORE_GOTIFY_ALERT   = data.get("SEMAPHORE_GOTIFY_ALERT",   "False")
 SEMAPHORE_GOTIFY_URL     = data.get("SEMAPHORE_GOTIFY_URL",     "")
 SEMAPHORE_GOTIFY_TOKEN   = data.get("SEMAPHORE_GOTIFY_TOKEN",   "")
@@ -52,25 +51,52 @@ SEMAPHORE_TELEGRAM_ALERT = data.get("SEMAPHORE_TELEGRAM_ALERT", "False")
 SEMAPHORE_TELEGRAM_CHAT  = data.get("SEMAPHORE_TELEGRAM_CHAT",  "")
 SEMAPHORE_TELEGRAM_TOKEN = data.get("SEMAPHORE_TELEGRAM_TOKEN", "")
 
-# ------------------------------------------------------------
-# 5. LDAP (unchanged – still driven by ldap_domain)
-# ------------------------------------------------------------
+# ------------------------------------------------
+# 5. LDAP
+# ------------------------------------------------
 ldap_domain = data.get("ldap_domain", "")
 agent.set_env("LDAP_DOMAIN", ldap_domain)
 
-agent.bind_user_domains([ldap_domain] if ldap_domain else [])
-
-SEMAPHORE_LDAP_ENABLE        = "True" if ldap_domain else "False"
-SEMAPHORE_LDAP_BIND_DN       = os.getenv("LDAP_SEARCH_BIND_DN",      "")
-SEMAPHORE_LDAP_BIND_PASSWORD = os.getenv("LDAP_SEARCH_BIND_PASSWORD", "")
-SEMAPHORE_LDAP_SERVER        = os.getenv("LDAP_HOSTNAME",            "")
-SEMAPHORE_LDAP_SEARCH_DN     = os.getenv("LDAP_USER_BASE_DN",        "")
-SEMAPHORE_LDAP_SEARCH_FILTER = os.getenv("LDAP_USER_SEARCH_FILTER",  "")
-SEMAPHORE_LDAP_NEEDTLS       = "False"
-
-# ------------------------------------------------------------
-# 6. Build the final env file for Semaphore
-# ------------------------------------------------------------
+# unset stale LDAP env vars
+for var in [
+    "LDAP_HOSTNAME", "LDAP_PORT", "LDAP_SEARCH_BIND_DN",
+    "LDAP_SEARCH_BIND_PASSWORD", "LDAP_USER_BASE_DN",
+    "LDAP_MEMBER_ATTRIBUTE", "LDAP_MEMBER_ATTRIBUTE_TYPE",
+    "LDAP_GROUP_BASE_DN", "LDAP_USERNAME_ATTRIBUTE",
+    "LDAP_USER_SEARCH_FILTER", "LDAP_GROUP_SEARCH_FILTER"
+]:
+    agent.unset_env(var)
+
+if ldap_domain:
+    agent.bind_user_domains([ldap_domain])
+    odom = Ldapproxy().get_domain(ldap_domain)
+    base_dn = odom["base_dn"]
+
+    agent.set_env("LDAP_HOSTNAME", odom["host"])
+    agent.set_env("LDAP_PORT", str(odom["port"]))
+    agent.set_env("LDAP_SEARCH_BIND_DN", odom["bind_dn"])
+    agent.set_env("LDAP_SEARCH_BIND_PASSWORD", odom["bind_password"])
+
+    if odom["schema"] == "rfc2307":
+        agent.set_env("LDAP_USER_BASE_DN",  f"ou=People,{base_dn}")
+        agent.set_env("LDAP_GROUP_BASE_DN", f"ou=Groups,{base_dn}")
+        agent.set_env("LDAP_MEMBER_ATTRIBUTE", "memberUid")
+        agent.set_env("LDAP_MEMBER_ATTRIBUTE_TYPE", "uid")
+
+    elif odom["schema"] == "ad":
+        agent.set_env("LDAP_USER_BASE_DN",  f"cn=Users,{base_dn}")
+        agent.set_env("LDAP_GROUP_BASE_DN", f"cn=Users,{base_dn}")
+        agent.set_env("LDAP_USERNAME_ATTRIBUTE", "samaccountname")
+        agent.set_env("LDAP_USER_SEARCH_FILTER",
+                      "(&(objectClass=top)(objectClass=user)(objectClass=person)(objectClass=organizationalPerson))")
+        agent.set_env("LDAP_GROUP_SEARCH_FILTER",
+                      "(&(objectClass=top)(objectClass=group))")
+else:
+    agent.bind_user_domains([])
+
+# ------------------------------------------------
+# 6. Build final env file
+# ------------------------------------------------
 app_env = {
     # Admin
     "SEMAPHORE_ADMIN_PASSWORD": SEMAPHORE_ADMIN_PASSWORD,
@@ -94,13 +120,13 @@ app_env = {
     "SEMAPHORE_TELEGRAM_TOKEN": SEMAPHORE_TELEGRAM_TOKEN,
 
     # LDAP
-    "SEMAPHORE_LDAP_ENABLE":        SEMAPHORE_LDAP_ENABLE,
-    "SEMAPHORE_LDAP_BIND_DN":       SEMAPHORE_LDAP_BIND_DN,
-    "SEMAPHORE_LDAP_BIND_PASSWORD": SEMAPHORE_LDAP_BIND_PASSWORD,
-    "SEMAPHORE_LDAP_SERVER":        SEMAPHORE_LDAP_SERVER,
-    "SEMAPHORE_LDAP_SEARCH_DN":     SEMAPHORE_LDAP_SEARCH_DN,
-    "SEMAPHORE_LDAP_SEARCH_FILTER": SEMAPHORE_LDAP_SEARCH_FILTER,
-    "SEMAPHORE_LDAP_NEEDTLS":       SEMAPHORE_LDAP_NEEDTLS,
+    "SEMAPHORE_LDAP_ENABLE":        "True" if ldap_domain else "False",
+    "SEMAPHORE_LDAP_BIND_DN":       os.getenv("LDAP_SEARCH_BIND_DN", ""),
+    "SEMAPHORE_LDAP_BIND_PASSWORD": os.getenv("LDAP_SEARCH_BIND_PASSWORD", ""),
+    "SEMAPHORE_LDAP_SERVER":        os.getenv("LDAP_HOSTNAME", ""),
+    "SEMAPHORE_LDAP_SEARCH_DN":     os.getenv("LDAP_USER_BASE_DN", ""),
+    "SEMAPHORE_LDAP_SEARCH_FILTER": os.getenv("LDAP_USER_SEARCH_FILTER", ""),
+    "SEMAPHORE_LDAP_NEEDTLS":       "False",
     "SEMAPHORE_LDAP_MAPPING_DN":    "dn",
     "SEMAPHORE_LDAP_MAPPING_MAIL":  "mail",
     "SEMAPHORE_LDAP_MAPPING_UID":   "uid",
@@ -109,15 +135,15 @@ app_env = {
 
 agent.write_envfile("app.env", app_env)
 
-# ------------------------------------------------------------
-# 7. Echo back the whole configuration so the UI can reload it
-# ------------------------------------------------------------
+# ------------------------------------------------
+# 7. Echo back the configuration for the UI
+# ------------------------------------------------
 json.dump({
     "host":         host,
     "lets_encrypt": lets_encrypt,
     "http2https":   http2https,
     "ldap_domain":  ldap_domain,
-    "domains_list": agent.list_user_domains(),   # used by combo-box
+    "domains_list": agent.list_user_domains(),
     "semaphore_admin":      SEMAPHORE_ADMIN,
     "semaphore_admin_name": SEMAPHORE_ADMIN_NAME,
     "semaphore_admin_email": SEMAPHORE_ADMIN_EMAIL,
diff --git a/imageroot/bin/discover-ldap b/imageroot/bin/discover-ldap
@@ -1,46 +1,42 @@
 #!/usr/bin/env python3
-
 import os
-import sys
-import json
 import agent
 from agent.ldapproxy import Ldapproxy
 
-ldap_domain = os.getenv('LDAP_DOMAIN', '')
+ldap_domain = os.getenv("LDAP_DOMAIN", "")
 agent.set_env("LDAP_DOMAIN", ldap_domain)
 
-# Unset existing LDAP vars
 for var in [
-    "LDAP_HOSTNAME", "LDAP_PORT", "LDAP_SEARCH_BIND_DN", "LDAP_SEARCH_BIND_PASSWORD",
-    "LDAP_USER_BASE_DN", "LDAP_MEMBER_ATTRIBUTE", "LDAP_MEMBER_ATTRIBUTE_TYPE",
-    "LDAP_GROUP_BASE_DN", "LDAP_USERNAME_ATTRIBUTE", "LDAP_USER_SEARCH_FILTER", "LDAP_GROUP_SEARCH_FILTER"
+    "LDAP_HOSTNAME", "LDAP_PORT", "LDAP_SEARCH_BIND_DN",
+    "LDAP_SEARCH_BIND_PASSWORD", "LDAP_USER_BASE_DN",
+    "LDAP_MEMBER_ATTRIBUTE", "LDAP_MEMBER_ATTRIBUTE_TYPE",
+    "LDAP_GROUP_BASE_DN", "LDAP_USERNAME_ATTRIBUTE",
+    "LDAP_USER_SEARCH_FILTER", "LDAP_GROUP_SEARCH_FILTER"
 ]:
     agent.unset_env(var)
 
 if ldap_domain:
-    agent.bind_user_domains([ldap_domain])
     odom = Ldapproxy().get_domain(ldap_domain)
-    base_dn = odom['base_dn']
+    base_dn = odom["base_dn"]
 
-    agent.set_env("LDAP_HOSTNAME", "10.0.2.2")
-    agent.set_env("LDAP_PORT", odom["port"])
+    agent.set_env("LDAP_HOSTNAME", odom["host"])
+    agent.set_env("LDAP_PORT", str(odom["port"]))
     agent.set_env("LDAP_SEARCH_BIND_DN", odom["bind_dn"])
     agent.set_env("LDAP_SEARCH_BIND_PASSWORD", odom["bind_password"])
 
     if odom["schema"] == "rfc2307":
-        agent.set_env("LDAP_USER_BASE_DN", f"ou=People,{base_dn}")
+        agent.set_env("LDAP_USER_BASE_DN",  f"ou=People,{base_dn}")
+        agent.set_env("LDAP_GROUP_BASE_DN", f"ou=Groups,{base_dn}")
         agent.set_env("LDAP_MEMBER_ATTRIBUTE", "memberUid")
         agent.set_env("LDAP_MEMBER_ATTRIBUTE_TYPE", "uid")
-        agent.set_env("LDAP_GROUP_BASE_DN", f"ou=Groups,{base_dn}")
 
     elif odom["schema"] == "ad":
-        agent.set_env("LDAP_USER_BASE_DN", f"cn=Users,{base_dn}")
+        agent.set_env("LDAP_USER_BASE_DN",  f"cn=Users,{base_dn}")
         agent.set_env("LDAP_GROUP_BASE_DN", f"cn=Users,{base_dn}")
         agent.set_env("LDAP_USERNAME_ATTRIBUTE", "samaccountname")
-        agent.set_env("LDAP_USER_SEARCH_FILTER", "(&(objectClass=top)(objectClass=user)(objectClass=person)(objectClass=organizationalPerson))")
-        agent.set_env("LDAP_GROUP_SEARCH_FILTER", "(&(objectClass=top)(objectClass=group))")
-else:
-    agent.bind_user_domains([])
+        agent.set_env("LDAP_USER_SEARCH_FILTER",
+                      "(&(objectClass=top)(objectClass=user)(objectClass=person)(objectClass=organizationalPerson))")
+        agent.set_env("LDAP_GROUP_SEARCH_FILTER",
+                      "(&(objectClass=top)(objectClass=group))")
 
-# Persist all
-agent.dump_env()
+agent.dump_env()
diff --git a/imageroot/update-module.d/30bind_user_domain b/imageroot/update-module.d/30bind_user_domain
@@ -10,10 +10,8 @@ import os
 import sys
 import json
 
-if not hasattr(agent, 'get_bound_domain_list'):
-    sys.exit(0) # core version too old, skip and try on next update
-
-user_ldap_domain= os.getenv('LDAP_DOMAIN')
-rdb = agent.redis_connect(use_replica=True)
-if user_ldap_domain and not agent.get_bound_domain_list(rdb):
-    agent.bind_user_domains([user_ldap_domain])
+ldap_domain = os.getenv("LDAP_DOMAIN", "")
+if ldap_domain:
+    agent.bind_user_domains([ldap_domain])
+else:
+    agent.bind_user_domains([])
