settings: Configure LDAP avatar synchronization in dev environment.

This should make it a lot more convenient to do manual testing of these common LDAP configuration options.
2019-06-17 13:11:29 -07:00 · 2019-06-17 13:11:29 -07:00 · ff38d125b1
parent 88b77af54f
commit ff38d125b1
2 changed files with 48 additions and 0 deletions
--- a/docs/subsystems/auth.md
+++ b/docs/subsystems/auth.md
@ -99,3 +99,32 @@ information on these modes, refer to
 - `FAKE_LDAP_NUM_USERS` in `zproject/dev_settings.py` can be used to
 specify the number of LDAP users to be added. The default value for
 the number of LDAP users is 8.
+
+### Testing avatar and custom profile field synchronization
+
+The fakeldap LDAP directories we use in the development environment
+are generated by the code in `zerver/lib/dev_ldap_directory.py`, and
+contain data one might want to sync, including avatars and custom
+profile fields.
+
+We also have configured `AUTH_LDAP_USER_ATTR_MAP` in
+`zproject/dev_settings.py` to sync several of those fields.  For
+example:
+
+* Modes `a` and `b` will set the user's avatar on account creation and
+  update it when `manage.py sync_ldap_user_data` is run.
+* Mode `b` is configured to automatically have the `birthday` and
+  `Phone number` custom profile fields populated/synced.
+* Mode `a` is configured to deactivate/reactivate users whose accounts
+  are disabled in LDAP when `manage.py sync_ldap_user_data` is run.
+  (Note that you'll likely need to edit
+  `zerver/lib/dev_ldap_directory.py` to ensure there are some accounts
+  configured to be disabled).
+
+### Automated testing
+
+For our automated tests, we generally configure custom LDAP data for
+each individual test, because that generally means one can understand
+exactly what data is being used in the test without looking at other
+resources.  It also gives us more freedom to edit the development
+environment directory without worrying about tests.
--- a/zproject/dev_settings.py
+++ b/zproject/dev_settings.py
@ -107,6 +107,8 @@ FAKE_LDAP_MODE = None  # type: Optional[str]
 # FAKE_LDAP_NUM_USERS = 8

 if FAKE_LDAP_MODE:
+    # To understand these parameters, read the docs in
+    # prod_settings_template.py and on ReadTheDocs.
    LDAP_APPEND_DOMAIN = None
    AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,ou=users,dc=zulip,dc=com'

@ -115,10 +117,27 @@ if FAKE_LDAP_MODE:
        from django_auth_ldap.config import LDAPSearch
        AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=zulip,dc=com",
                                           ldap.SCOPE_SUBTREE, "(email=%(user)s)")
+        AUTH_LDAP_USER_ATTR_MAP = {
+            "full_name": "cn",
+            "avatar": "thumbnailPhoto",
+            # This won't do much unless one changes the fact that
+            # all users have LDAP_USER_ACCOUNT_CONTROL_NORMAL in
+            # zerver/lib/dev_ldap_directory.py
+            "userAccountControl": "userAccountControl",
+        }
    elif FAKE_LDAP_MODE == 'b':
        LDAP_APPEND_DOMAIN = 'zulip.com'
+        AUTH_LDAP_USER_ATTR_MAP = {
+            "full_name": "cn",
+            "avatar": "jpegPhoto",
+            "custom_profile_field__birthday": "birthDate",
+            "custom_profile_field__phone_number": "phoneNumber",
+        }
    elif FAKE_LDAP_MODE == 'c':
        LDAP_EMAIL_ATTR = 'email'  # type: Optional[str]
+        AUTH_LDAP_USER_ATTR_MAP = {
+            "full_name": "cn",
+        }
    AUTHENTICATION_BACKENDS += ('zproject.backends.ZulipLDAPAuthBackend',)  # type: ignore # tuple hackery

 THUMBOR_URL = 'http://127.0.0.1:9995'