
feat(LDAP): implement IIsAdmin interface #41650

Merged (3 commits), Dec 1, 2023

Conversation

@blizzz (Member) commented Nov 21, 2023

Summary

Promotes an LDAP group (per LDAP configuration) to an admin group.

A group can either be promoted via a dedicated occ call where the group parameter can be a Nextcloud group ID or a group name that will be searched against – an exact match is required in that case:

$ php occ ldap:promote-group  --help 2>/dev/null
Description:
  declares the specified group as admin group (only one is possible per LDAP configuration)

Usage:
  ldap:promote-group [options] [--] <group>

Arguments:
  group                 the group ID in Nextcloud or a group name

Options:
  -y, --yes             do not ask for confirmation
…

# Example
$ php occ ldap:promote-group  "Nextcloud Admins"
Promote Nextcloud Admins to the admin group (y|N)? y
Group Nextcloud Admins was promoted

$ php occ ldap:promote-group  "Paramount Court"
Promote Nextcloud Admins to the admin group and demote Nextcloud Admins (Group ID: nextcloud_admins) (y|N)? y
Group Paramount Court was promoted

$ php occ ldap:promote-group  "Paramount Court"
The specified group is already promoted

It is also possible to set the admin group mapping using occ ldap:set-config $configId ldapAdminGroup $groupId, but as the Nextcloud group ID might not be known (yet), it is especially recommended for automatized setups to use this command, which would also pull in the group and determine the group ID.

In order to demote or reset a promotion, an empty string should be set against the targeted config's ldapAdminGroup:

# Reset an admin group mapping via set-config
occ ldap:set-config $configId ldapAdminGroup ""
# Example
occ ldap:set-config s01 ldapAdminGroup ""

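A compact PHP model of the promote / set-config / isAdmin() flow described above, added here as an illustration and not code from the Nextcloud repository; the class and method names are hypothetical, and the group data, user ids and the config id s01 are constructed sample data.

```php
<?php
// Added illustrative model of the flow this PR describes; not Nextcloud's own code.
// Group ids, names, user ids and the config id 's01' are constructed sample data.
final class LdapAdminGroupModel {
    /** @param array<string,array{name:string,members:string[]}> $groups keyed by group id */
    public function __construct(private array $groups, private array $ldapAdminGroup = []) {}
    /** Like `occ ldap:set-config <id> ldapAdminGroup <gid>`; an empty string demotes/resets. */
    public function setConfig(string $configId, string $gid): void {
        $this->ldapAdminGroup[$configId] = $gid;
    }
    /** Accepts a Nextcloud group id or a group name; null unless the name matches exactly. */
    public function resolve(string $idOrName): ?string {
        if (isset($this->groups[$idOrName])) { return $idOrName; }
        foreach ($this->groups as $gid => $g) {
            if ($g['name'] === $idOrName) { return $gid; }  // exact match, no substring search
        }
        return null;
    }
    /** Mirrors `occ ldap:promote-group`: only one admin group per LDAP configuration. */
    public function promote(string $configId, string $idOrName): string {
        $gid = $this->resolve($idOrName);
        if ($gid === null) { return 'Group not found'; }
        $current = $this->ldapAdminGroup[$configId] ?? '';
        if ($current === $gid) { return 'The specified group is already promoted'; }
        $this->setConfig($configId, $gid);
        $msg = "Group {$this->groups[$gid]['name']} was promoted";
        return $current === '' ? $msg : "$msg (demoted $current)";
    }
    /** isAdmin(): true only when a group is configured and the user is currently a member. */
    public function isAdmin(string $configId, string $uid): bool {
        $gid = $this->ldapAdminGroup[$configId] ?? '';
        // A stale mapping to a group that no longer exists grants nothing here.
        return $gid !== '' && in_array($uid, $this->groups[$gid]['members'] ?? [], true);
    }
}

$m = new LdapAdminGroupModel([
    'nextcloud_admins' => ['name' => 'Nextcloud Admins', 'members' => ['alice']],
    'paramount_court'  => ['name' => 'Paramount Court',  'members' => ['bob']],
]);
echo $m->promote('s01', 'Nextcloud Admins'), "\n";
var_dump($m->isAdmin('s01', 'alice'));  // alice is a member of the promoted group
echo $m->promote('s01', 'Paramount Court'), "\n";  // promoting another group demotes the first
var_dump($m->isAdmin('s01', 'alice'));  // admin status follows the mapping, not the user
$m->setConfig('s01', '');  // reset, as documented for set-config
var_dump($m->isAdmin('s01', 'bob'));
```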

@blizzz blizzz added this to the Nextcloud 28 milestone Nov 21, 2023
@blizzz blizzz requested review from juliusknorr, come-nc, a team, icewind1991 and nfebe and removed request for a team November 21, 2023 20:38
@blizzz blizzz changed the title Enh/6428/ldap group admin mapping feat(LDAP): implement IIsAdmin interface Nov 21, 2023

@blizzz blizzz added 2. developing Work in progress and removed 3. to review Waiting for reviews labels Nov 21, 2023
@blizzz (Member, Author) commented Nov 22, 2023

Apropos group deletion, this is something we could take into account as well and remove the promotion when a group disappears – although this is a bit atypical from what we usually do (like keeping users in place), but actually safer than keeping the entry. Questionable upon unassigning the group id (clearing the mappings), which should not be done in prod though (would keep it in that case).

An addition for later, for we do not delete groups yet (i.e. there is no cleanup and nothing that dispatches the GroupDeletedEvent).

@blizzz blizzz force-pushed the enh/6428/ldap-group-admin-mapping branch from 35b843c to dc1520c Compare November 22, 2023 09:58
@blizzz blizzz added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Nov 22, 2023
@blizzz (Member, Author) commented Nov 22, 2023

Resetting by a group name or id could fail if the group is deleted, but we may try to guess by comparing stored config – not foolproof. I tend to go with documenting how to do it with set-config instead (does not require another command).

Updated the description, that will go into documentation eventually.

@blizzz (Member, Author) commented Nov 22, 2023

/backport to stable27

@blizzz blizzz force-pushed the enh/6428/ldap-group-admin-mapping branch from dc1520c to 3e861e3 Compare November 22, 2023 10:28
@blizzz blizzz added the pending documentation This pull request needs an associated documentation update label Nov 22, 2023
@blizzz blizzz mentioned this pull request Nov 22, 2023
5 tasks
@blizzz blizzz modified the milestones: Nextcloud 28, Nextcloud 29 Nov 23, 2023
@blizzz blizzz force-pushed the enh/6428/ldap-group-admin-mapping branch from 3e861e3 to 5d351ff Compare November 28, 2023 21:07
@blizzz blizzz force-pushed the enh/6428/ldap-group-admin-mapping branch from 5d351ff to 15f8d53 Compare November 28, 2023 21:19
@blizzz blizzz requested a review from come-nc November 28, 2023 21:20
@blizzz blizzz force-pushed the enh/6428/ldap-group-admin-mapping branch from 15f8d53 to e14a124 Compare November 30, 2023 12:49
@blizzz (Member, Author) commented Nov 30, 2023

addressed the php-cs test complaint.

@blizzz blizzz added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Nov 30, 2023
- add configuration to specify one LDAP group acting as admin group (CLI)
- implement `isAdmin()` method, basically relying on inGroup against the
  configured group

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
@blizzz blizzz force-pushed the enh/6428/ldap-group-admin-mapping branch from e14a124 to 37237dc Compare December 1, 2023 11:48
@blizzz blizzz merged commit 0fc8c15 into master Dec 1, 2023
50 checks passed
@blizzz blizzz deleted the enh/6428/ldap-group-admin-mapping branch December 1, 2023 12:59
@blizzz (Member, Author) commented Dec 4, 2023

/backport to stable28

Successfully merging this pull request may close these issues.

Give admin rights to a specific LDAP group