# HG changeset patch # User Aurelien Campeas # Date 1357738169 -3600 # Node ID 2fddbe32ae8b53f0f762800c38e3db44ca99f93f # Parent 9f95c2368b8b8d85ce08951f45ca513e2952fb93 [ldapfeed] if a deactivated user becomes available again in its source, reactivate it (closes #2542776) * cwusers that see their ldap source counterpart disappear are deactivated * until now they were not activated again on reappearance * note this behaviour in the doc diff -r 9f95c2368b8b -r 2fddbe32ae8b doc/book/en/admin/ldap.rst --- a/doc/book/en/admin/ldap.rst Tue Jan 08 15:53:22 2013 +0100 +++ b/doc/book/en/admin/ldap.rst Wed Jan 09 14:29:29 2013 +0100 @@ -81,13 +81,20 @@ Other notes ----------- -* Yes, cubicweb is able to start if ldap cannot be reached, even on c-c start, - though that will slow down the instance, since it will indefinitly attempt - to connect to the ldap on each query on users. +* Cubicweb is able to start if ldap cannot be reached, even on + cubicweb-ctl start ... If some source ldap server cannot be used + while an instance is running, the corresponding users won't be + authenticated but their status will not change (e.g. they will not + be deactivated) * Changing the name of the ldap server in your script is fine, changing the base DN isn't since it's used to identify already known users from others +* When a user is removed from an LDAP source, it is deactivated in the + CubicWeb instance; when a deactivated user comes back in the LDAP + source, it (automatically) is activated again + + * You can use the :class:`CWSourceHostConfig` to have variants for a source configuration according to the host the instance is running on. To do so go on the source's view from the sources management view. diff -r 9f95c2368b8b -r 2fddbe32ae8b server/test/unittest_ldapuser.py --- a/server/test/unittest_ldapuser.py Tue Jan 08 15:53:22 2013 +0100 +++ b/server/test/unittest_ldapuser.py Wed Jan 09 14:29:29 2013 +0100 
@@ -113,7 +113,7 @@ stats = lfsource.pull_data(isession, force=True, raise_on_error=True) isession.commit() - def test_filter_inactivate(self): + def test_a_filter_inactivate(self): """ filtered out people should be deactivated, unable to authenticate """ source = self.session.execute('CWSource S WHERE S type="ldapfeed"').get_entity(0,0) config = source.repo_source.check_config(source) @@ -129,6 +129,17 @@ self.assertEqual(self.execute('Any N WHERE U login "adim", ' 'U in_state S, S name N').rows[0][0], 'activated') + # unfilter, syt should be activated again + config['user-filter'] = u'' + source.repo_source.update_config(source, config) + self.commit() + self._pull() + self.assertEqual(self.execute('Any N WHERE U login "syt", ' + 'U in_state S, S name N').rows[0][0], + 'activated') + self.assertEqual(self.execute('Any N WHERE U login "adim", ' + 'U in_state S, S name N').rows[0][0], + 'activated') def test_delete(self): """ delete syt, pull, check deactivation, repull, @@ -149,10 +160,9 @@ self.tearDownClass() self.setUpClass() self._pull() - # still deactivated, but a warning has been emitted ... self.assertEqual(self.execute('Any N WHERE U login "syt", ' 'U in_state S, S name N').rows[0][0], - 'deactivated') + 'activated') # test reactivating the user isn't enough to authenticate, as the native source # refuse to authenticate user from other sources os.system(deletecmd) diff -r 9f95c2368b8b -r 2fddbe32ae8b sobjects/ldapparser.py --- a/sobjects/ldapparser.py Tue Jan 08 15:53:22 2013 +0100 +++ b/sobjects/ldapparser.py Wed Jan 09 14:29:29 2013 +0100 @@ -90,7 +90,8 @@ if entity.__regid__ == 'CWUser': wf = entity.cw_adapt_to('IWorkflowable') if wf.state == 'deactivated': - self.warning('update on deactivated user %s', entity.login) + wf.fire_transition('activate') + self.warning('user %s reactivated', entity.login) mdate = attrs.get('modification_date') if not mdate or mdate > entity.modification_date: attrs = dict( (k, v) for k, v in attrs.iteritems()
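Review bot: In the doc/book/en/admin/ldap.rst hunk, the new bullet on reactivation does not say when it happens or which users it covers. Going by the ldapparser.py change, any CWUser found in the 'deactivated' state is activated again on the next pull of the source, so the text should say that this also applies to an account an administrator deactivated by hand in the instance while its LDAP entry still exists. Smaller points: the first rewritten bullet has a stray "..." after "cubicweb-ctl start" and no final period, and the hunk adds two blank lines before the next bullet where one is enough.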
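Review bot: In server/test/unittest_ldapuser.py (hunk @@ -113,7 +113,7 @@), the rename of test_filter_inactivate to test_a_filter_inactivate looks like it is there to make the test sort before test_delete, but nothing in the file says so. If the tests depend on run order, add a comment stating the dependency, or better, have each test restore the source state it changes so that the name no longer matters.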
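Review bot: In hunk @@ -129,6 +129,17 @@, the docstring of the test still reads "filtered out people should be deactivated, unable to authenticate" although the added block now also checks that "syt" is activated again once 'user-filter' is cleared. Update the docstring to cover the reactivation step so the test's intent matches what it asserts.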
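Review bot: In hunk @@ -149,10 +160,9 @@ of test_delete, the removed comment is not replaced, so nothing explains why "syt" is expected to be 'activated' after the second pull; add a one-line comment saying the user is back in the source and therefore reactivated. The comment kept just below ("test reactivating the user isn't enough to authenticate ...") should be reworded now that reactivation is automatic. There is also no test for a user that was deactivated manually in the instance while still present in LDAP, which is the case this change affects most.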
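Review bot: In sobjects/ldapparser.py, the check "if wf.state == 'deactivated':" cannot tell a user deactivated because the LDAP entry disappeared from one an administrator deactivated on purpose, so wf.fire_transition('activate') will undo a manual lockout the next time that entity is updated from the source. It also sits before the modification_date comparison, so it fires even when the LDAP entry has not changed. Suggest recording why the user was deactivated (for example a marker set by the code path that deactivates on disappearance) and reactivating only in that case. Keeping the log at warning level is reasonable; including the source in the message would make the reactivation easier to trace.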