Adding support for modification only of user accounts.

nova/auth/ldapdriver.py

@@ -40,6 +40,8 @@ flags.DEFINE_string('ldap_user_dn', 'cn=Manager,dc=example,dc=com',
 flags.DEFINE_string('ldap_user_unit', 'Users', 'OID for Users')
 flags.DEFINE_string('ldap_user_subtree', 'ou=Users,dc=example,dc=com',
                     'OU for Users')
+flags.DEFINE_boolean('ldap_user_modify_only', False,
+                    'Modify attributes for users instead of creating/deleting')
 flags.DEFINE_string('ldap_project_subtree', 'ou=Groups,dc=example,dc=com',
                     'OU for Projects')
 flags.DEFINE_string('role_project_subtree', 'ou=Groups,dc=example,dc=com',
@@ -89,8 +91,7 @@ class LdapDriver(object):
 
     def get_user(self, uid):
         """Retrieve user by id"""
-        attr = self.__find_object(self.__uid_to_dn(uid),
-                                '(objectclass=novaUser)')
+	attr = self.__get_ldap_user(uid)
         return self.__to_user(attr)
 
     def get_user_from_access_key(self, access):
@@ -110,7 +111,12 @@ class LdapDriver(object):
         """Retrieve list of users"""
         attrs = self.__find_objects(FLAGS.ldap_user_subtree,
                                   '(objectclass=novaUser)')
-        return [self.__to_user(attr) for attr in attrs]
+	users = []
+	for attr in attrs:
+		user = self.__to_user(attr)
+		if user != None:
+			users.append(user)
+        return users
 
     def get_projects(self, uid=None):
         """Retrieve list of projects"""
@@ -125,6 +131,31 @@ class LdapDriver(object):
         """Create a user"""
         if self.__user_exists(name):
             raise exception.Duplicate("LDAP user %s already exists" % name)
+        if FLAGS.ldap_user_modify_only:
+            if self.__ldap_user_exists(name):
+                # Retrieve user by name
+                user = self.__get_ldap_user(name)
+                if user.has_key('accessKey') and user.has_key('secretKey') and user.has_key('isAdmin'):
+                    raise exception.Duplicate("LDAP user %s already exists" % name)
+                else:
+                    # Entry could be malformed, test for missing attrs.
+                    # Malformed entries are useless, replace attributes found.
+                    attr = []
+                    if user.has_key('secretKey'):
+                        attr.append((self.ldap.MOD_REPLACE, 'secretKey', [secret_key]))
+                    else:
+                        attr.append((self.ldap.MOD_ADD, 'secretKey', [secret_key]))
+                    if user.has_key('accessKey'):
+                        attr.append((self.ldap.MOD_REPLACE, 'accessKey', [access_key]))
+                    else:
+                        attr.append((self.ldap.MOD_ADD, 'accessKey', [access_key]))
+                    if user.has_key('isAdmin'):
+                        attr.append((self.ldap.MOD_REPLACE, 'isAdmin', [str(is_admin).upper()]))
+                    else:
+                        attr.append((self.ldap.MOD_ADD, 'isAdmin', [str(is_admin).upper()]))
+                    self.conn.modify_s(self.__uid_to_dn(name), attr)
+                    return self.get_user(name)
+        else:
             attr = [
                 ('objectclass', ['person',
                                  'organizationalPerson',
@@ -256,6 +287,20 @@ class LdapDriver(object):
         if not self.__user_exists(uid):
             raise exception.NotFound("User %s doesn't exist" % uid)
         self.__remove_from_all(uid)
+        if FLAGS.ldap_user_modify_only:
+            # Delete attributes
+            attr = []
+            # Retrieve user by name
+            user = self.__get_ldap_user(uid)
+            if user.has_key('secretKey'):
+                attr.append((self.ldap.MOD_DELETE, 'secretKey', user['secretKey']))
+            if user.has_key('accessKey'):
+                attr.append((self.ldap.MOD_DELETE, 'accessKey', user['accessKey']))
+            if user.has_key('isAdmin'):
+                attr.append((self.ldap.MOD_DELETE, 'isAdmin', user['isAdmin']))
+            self.conn.modify_s(self.__uid_to_dn(uid), attr)
+        else:
+            # Delete entry
             self.conn.delete_s(self.__uid_to_dn(uid))
 
     def delete_project(self, project_id):
@@ -265,7 +310,7 @@ class LdapDriver(object):
         self.__delete_group(project_dn)
 
     def modify_user(self, uid, access_key=None, secret_key=None, admin=None):
-        """Modify an existing project"""
+        """Modify an existing user"""
         if not access_key and not secret_key and admin is None:
             return
         attr = []
@@ -281,10 +326,20 @@ class LdapDriver(object):
         """Check if user exists"""
         return self.get_user(uid) != None
 
+    def __ldap_user_exists(self, uid):
+        """Check if the user exists in ldap"""
+	return self.__get_ldap_user(uid) != None
+
     def __project_exists(self, project_id):
         """Check if project exists"""
         return self.get_project(project_id) != None
 
+    def __get_ldap_user(self, uid):
+	"""Retrieve LDAP user entry by id"""
+        attr = self.__find_object(self.__uid_to_dn(uid),
+                                '(objectclass=novaUser)')
+        return attr
+
     def __find_object(self, dn, query=None, scope=None):
         """Find an object by dn and query"""
         objects = self.__find_objects(dn, query, scope)
@@ -449,12 +504,15 @@ class LdapDriver(object):
         """Convert ldap attributes to User object"""
         if attr == None:
             return None
+	if (attr.has_key('accessKey') and attr.has_key('secretKey') and attr.has_key('isAdmin')):
             return {
                 'id': attr['uid'][0],
                 'name': attr['cn'][0],
                 'access': attr['accessKey'][0],
                 'secret': attr['secretKey'][0],
                 'admin': (attr['isAdmin'][0] == 'TRUE')}
+	else:
+            return None
 
     def __to_project(self, attr):
         """Convert ldap attributes to Project object"""