Add optional DN truncating operation

zabbix-tooling · Nov 12, 2023 · fdd4b2c · fdd4b2c
1 parent bcb898d
commit fdd4b2c
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -90,6 +90,7 @@ In order to use the *zabbix-ldap-sync* script we need to create a configuration
 * `filteruser` = The ldap filter to get the users in OpenLDAP mode, by default `(&(objectClass=posixAccount)(uid=%s))`
 * `groupattribute` = The attribute used for membership in a group in OpenLDAP mode, by default `memberUid`
 * `userattribute` = The attribute for users in openldap mode, by default `uid`
+* `truncatedn` - If set to true distinguished name (DN) will be truncated, by default false. Group members usually defined as `full-path-DN` not clear `login` and it's breaks search. Example: `uid=testuser,cn=users,cn=accounts,dc=example,dc=com` cut to `uid=testuser`
 
 #### [zabbix]
 * `server` - Zabbix URL

diff --git a/lib/ldapconn.py b/lib/ldapconn.py
@@ -31,6 +31,7 @@ def __init__(self, config):
         self.user_filter = config.ldap_user_filter
         self.verbose = config.verbose
         self.openldap_type = config.openldap_type
+        self.openldap_truncatedn = config.openldap_truncatedn
 
         self.logger = logging.getLogger(self.__class__.__name__)
         # Log from pyldap
@@ -111,6 +112,10 @@ def get_group_members_ldap(self, result: list):
         for memberid in users[self.group_member_attribute]:
             memberid = memberid.decode("utf-8")
 
+            if self.openldap_truncatedn:
+                self.logger.debug('Distinguished name truncated from %s to %s' % (memberid, memberid.split(',')[0]))
+                memberid = memberid.split(',')[0]
+
             if self.openldap_type == "groupofnames":
                 filter = "(objectClass=*)"
                 # memberid is user dn

diff --git a/lib/zabbixldapconf.py b/lib/zabbixldapconf.py
@@ -73,7 +73,8 @@ def __init__(self, config: str):
                                                   fallback='(&(objectClass=posixAccount)(uid=%s))', raw=True)
             self.openldap_groupattribute = parser.get('openldap', 'groupattribute', fallback='memberUid', raw=True)
             self.openldap_userattribute = parser.get('openldap', 'userattribute', fallback='uid', raw=True)
-
+            self.openldap_truncatedn = ZabbixLDAPConf.try_get_item_bool(parser, 'openldap', 'truncatedn', False)
+
             self.zbx_server = parser.get('zabbix', 'server')
 
             self.zbx_ignore_tls_errors = ZabbixLDAPConf.try_get_item_bool(parser, 'zabbix', 'ignore_tls_errors', False)

diff --git a/zabbix-ldap.conf.example b/zabbix-ldap.conf.example
@@ -25,6 +25,7 @@ filtergroup = (&(objectClass=posixGroup)(cn=%s))
 filteruser = (&(objectClass=posixAccount)(uid=%s))
 groupattribute = memberUid
 userattribute = uid
+truncatedn = false
 
 [zabbix]
 server = http://zabbix.example.org/zabbix