From ff38d125b132e396b8ed3e723e3b759c2bba6c41 Mon Sep 17 00:00:00 2001
From: Tim Abbott
Date: Mon, 17 Jun 2019 13:11:29 -0700
Subject: [PATCH] settings: Configure LDAP avatar synchronization in dev environment.

This should make it a lot more convenient to do manual testing of these common LDAP configuration options.
---
 docs/subsystems/auth.md | 29 +++++++++++++++++++++++++++++
 zproject/dev_settings.py | 19 +++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/docs/subsystems/auth.md b/docs/subsystems/auth.md
index aa93912b34..0e209d9b33 100644
--- a/docs/subsystems/auth.md
+++ b/docs/subsystems/auth.md
@@ -99,3 +99,32 @@ information on these modes, refer to
 - `FAKE_LDAP_NUM_USERS` in `zproject/dev_settings.py` can be used to specify the number of LDAP users to be added. The default value for the number of LDAP users is 8.
+
+### Testing avatar and custom profile field synchronization
+
+The fakeldap LDAP directories we use in the development environment
+are generated by the code in `zerver/lib/dev_ldap_directory.py`, and
+contain data one might want to sync, including avatars and custom
+profile fields.
+
+We also have configured `AUTH_LDAP_USER_ATTR_MAP` in
+`zproject/dev_settings.py` to sync several of those fields. For
+example:
+
+* Modes `a` and `b` will set the user's avatar on account creation and
+ update it when `manage.py sync_ldap_user_data` is run.
+* Mode `b` is configured to automatically have the `birthday` and
+ `Phone number` custom profile fields populated/synced.
+* Mode `a` is configured to deactivate/reactivate users whose accounts
+ are disabled in LDAP when `manage.py sync_ldap_user_data` is run.
+ (Note that you'll likely need to edit
+ `zerver/lib/dev_ldap_directory.py` to ensure there are some accounts
+ configured to be disabled).
+
+### Automated testing
+
+For our automated tests, we generally configure custom LDAP data for
+each individual test, because that generally means one can understand
+exactly what data is being used in the test without looking at other
+resources. It also gives us more freedom to edit the development
+environment directory without worrying about tests.
diff --git a/zproject/dev_settings.py b/zproject/dev_settings.py
index 4f1e24a0e5..169d54352e 100644
--- a/zproject/dev_settings.py
+++ b/zproject/dev_settings.py
@@ -107,6 +107,8 @@ FAKE_LDAP_MODE = None # type: Optional[str]
 # FAKE_LDAP_NUM_USERS = 8
 if FAKE_LDAP_MODE:
+ # To understand these parameters, read the docs in
+ # prod_settings_template.py and on ReadTheDocs.
 LDAP_APPEND_DOMAIN = None
 AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=users,dc=zulip,dc=com'
@@ -115,10 +117,27 @@ if FAKE_LDAP_MODE:
 from django_auth_ldap.config import LDAPSearch
 AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=zulip,dc=com", ldap.SCOPE_SUBTREE, "(email=%(user)s)")
+ AUTH_LDAP_USER_ATTR_MAP = {
+ "full_name": "cn",
+ "avatar": "thumbnailPhoto",
+ # This won't do much unless one changes the fact that
+ # all users have LDAP_USER_ACCOUNT_CONTROL_NORMAL in
+ # zerver/lib/dev_ldap_directory.py
+ "userAccountControl": "userAccountControl",
+ }
 elif FAKE_LDAP_MODE == 'b':
 LDAP_APPEND_DOMAIN = 'zulip.com'
+ AUTH_LDAP_USER_ATTR_MAP = {
+ "full_name": "cn",
+ "avatar": "jpegPhoto",
+ "custom_profile_field__birthday": "birthDate",
+ "custom_profile_field__phone_number": "phoneNumber",
+ }
 elif FAKE_LDAP_MODE == 'c':
 LDAP_EMAIL_ATTR = 'email' # type: Optional[str]
+ AUTH_LDAP_USER_ATTR_MAP = {
+ "full_name": "cn",
+ }
 AUTHENTICATION_BACKENDS += ('zproject.backends.ZulipLDAPAuthBackend',) # type: ignore # tuple hackery
 THUMBOR_URL = 'http://127.0.0.1:9995'
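Review bot: Only the first of the three added `AUTH_LDAP_USER_ATTR_MAP` dicts maps `userAccountControl`, so in the `b` and `c` branches an account disabled in the directory would presumably stay active after `manage.py sync_ldap_user_data`, and nothing in those dicts marks the omission as deliberate. A one-line comment there would stop the maps being copied as a template without the deactivation mapping, for example `# No userAccountControl mapping: LDAP-disabled accounts are not deactivated in this mode.` The `elif` chain shows no `else` in the visible lines, so an unrecognised `FAKE_LDAP_MODE` value appears to reach the `AUTHENTICATION_BACKENDS +=` line with no attribute map set in this block; a final `else:` that raises on an unknown mode would make that failure explicit. The chain's opening `if` is above the hunk, so which mode the first dict belongs to is inferred from the docs change in this commit.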