didmos2
didmos2-openldap

Repository

"delete": [
  { "dn": "<DN>" }
]
"rename": [
  { "dn": "<OLD_DN>",
    "newdn": "<NEW_DN>" }
]
"add": [
  { "dn": "ou=permissions,@parent.baseDN@",
    "attributes": [
      { "name": "<ATTRIBUTE_1>",
        "value": ["<VALUE_1>", "<VALUE_2>"]
      },
      { "name": "<ATTRIBUTE_2>",
        "value": ["<VALUE_3>", "<VALUE_4>"]
      }
    ]
  }
]
"modify": [
  { "dn": "rbacName=admin-permission,@parent.baseDN@",
    "attributes": [
      { "name": "<ATTRIBUTE_1>",
        "value": ["<VALUE_1>", "<VALUE_2>"],
        "op": "add | delete | modify | replace"
      }
    ]
  }
],
"search": {
  "baseDN": "ou=tenants,ou=data,ou=root-tenant,dc=didmos,dc=de",
  "searchFilter": "(&(objectClass=didmosTenant)(objectClass=organizationalUnit))",
  "scope": "one | base | sub",
  "forEach": {

  },
  "else": {

  }
}
{
	"version": "1",
  "modify": [
    {
      "dn": "rbacName=defaultuser-modify-permission,ou=permissions,ou=pdp,ou=root-tenant,dc=didmos,dc=de",
      "attributes": [
        { "name": "rbacConstraint",
          "value": ["EXISTINGVALUE"],
          "op": "add"
        }
      ],
      "ignoreErrors": true
    },
    {
      "dn": "rbacName=defaultuser-modify-permission,ou=permissions,ou=pdp,ou=root-tenant,dc=didmos,dc=de",
      "attributes": [
        { "name": "rbacConstraint",
          "value": ["NEWVALUE"],
          "op": "add"
        }
      ]
    }
  ]
}
{
  "version": "1",
  "search": {
    "baseDN": "ou=tenants,ou=data,ou=root-tenant,dc=didmos,dc=de",
    "searchFilter": "(&(objectClass=didmosTenant)(objectClass=organizationalUnit))",

    "forEach": {
      "search": {
        "baseDN": "ou=pdp,@forEach@",
        "searchFilter": "(&(ou=permissions)(objectClass=organizationalUnit))",
        "scope": "one",

        "forEach": {
          "functions": [
            { "name": "ext_explode_dn", "args": ["@forEach@", 2], "result": "tenant.DN" },
            { "name": "ext_generate_uuid", "args": "", "result": "UUID1" },
            { "name": "ext_intersection", "result": "rbacResourceDN",
              "args": [
              { "name": "ext_search",
                "args": ["ou=people,ou=data,@tenant.DN@", "(&(objectClass=didmosPerson)(sn=Admin))"] },
              { "name": "ext_search",
                "args": ["ou=roles,@parent.baseDN@", "(rbacName=admin)", "rbacPerformer"] }
              ]
            }
          ],
          "add": [
            {
              "dn": "rbacName=@UUID1@,@forEach@",
              "attributes": [
                { "name": "objectClass", "value": ["rbacPermission"] },
                { "name": "rbacName", "value": "@UUID1@" },
                { "name": "rbacRoleDN", "value": "rbacName=defaultuser,ou=roles,@parent.baseDN@" },
                { "name": "rbacConstraint", "value": "attribute:sn" },
                { "name": "rbacOperation", "value": [ "read" ] },
                { "name": "rbacResourceDN", "value": "@rbacResourceDN@"}
              ]
            }
          ]
        },
        "else": {
          "functions": [
            {
              "name": "ext_generate_uuid",
              "args": "",
              "result": "UUID1"
            },
            {
              "name": "ext_search",
              "args": ["ou=roles,@parent.baseDN@", "(&(objectClass=rbacRole)(rbacDisplayName=defaultuser))"],
              "result": "DEFUALTUSERROLEDN"
            }
          ],
          "add": [
            { "dn": "ou=permissions,@parent.baseDN@",
              "attributes": [
              { "name": "objecClass",
                "value": ["organizationalUnit"],
              },
              { "name": "ou",
                "value": ["permissions"],
              }
            },
            {
              "dn": "rbacName=@UUID1@,ou=permissions,@parent.baseDN@",
              "attributes": [
                { "name": "rbacName",
                  "value": ["@UUID1@"],
                },
                { "name": "objecClass",
                  "value": ["rbacPermission"],
                },
                { "name": "rbacPermissionString",
                  "value": ["self"],
                }
                { "name": "rbacOperations",
                  "value": ["read", "write", "modify-del", "modify-replace", "modify-add"],
                }
                { "name": "rbacRoleDN",
                  "value": ["@DEFUALTUSERROLEDN@"],
                }
              ]
            }
          ]
        }
      }
    }
  }
}
{
  "version": "1",
  "search": {
    "baseDN": "ou=tenants,ou=data,ou=root-tenant,dc=didmos,dc=de",
    "searchFilter": "(&(objectClass=didmosTenant)(objectClass=organizationalUnit))",

    "forEach": {
      "search": {
        "baseDN": "ou=pdp,@forEach@",
        "searchFilter": "(&(ou=permissions)(objectClass=organizationalUnit))",
        "scope": "one",

        "forEach": {
          "add": [
            {
              "dn": "rbacName=defaultuser-permission,@forEach@",
              "attributes": [
                { "name": "objectClass", "value": ["rbacPermission"] },
                { "name": "rbacName", "value": "defaultuser-permission" },
                { "name": "rbacRoleDN", "value": "rbacName=defaultuser,ou=roles,@parent.baseDN@" },
                { "name": "rbacOperation", "value": [ "delete", "modify-add", "modify-del", "modify-replace",
                                    "read", "readHistory", "write"
                                  ] },
                { "name": "rbacPermissionString", "value": "self" }
              ]
            },
            {
              "dn": "rbacName=groupMember-permission,@parent.baseDN@",
              "attributes": [
                { "name": "objectClass", "value": ["rbacPermission"] },
                { "name": "rbacName", "value": "groupMember-permission" },
                { "name": "rbacRoleDN",
                  "value": {
                  "search": {
                    "baseDN": "",
                    "searchFilter": "(objectClass=person)",
                    "attributes": ["entryDN"]
                  }
                  }
                },
                { "name": "rbacOperation", "value": ["read"] },
                { "name": "rbacConstraint", "value": ["attribute:cn", "member:self"] },
                { "name": "rbacPermissionFilter", "value": "(&(objectClass=didmosGroup)(member=self))" }
              ]
            }
          ],
          "modify": [
            {
              "dn": "rbacName=admin-permission,@parent.baseDN@",
              "attributes": [
                { "name": "rbacOperation",
                  "value": ["delete", "modify-add", "modify-del", "modify-replace"],
                  "op": "add"
                },
                { "name": "rbacOperation",
                  "value": ["create"],
                  "op": "delete"
                },
                { "name": "description",
                  "op": "delete"
                },
                { "name": "rbacPermissionFilter",
                  "value": ["(objectClass=*)"],
                  "op": "replace"
                }
              ]
            }
          ],
          "delete": [
            { "dn": "rbacName=dummy,@forEach@" }
          ],
          "rename": [
            { "dn": "rbacName=prod,@forEach@",
              "newdn": "rbacName=test,@forEach@" }
          ]
        }
      }
    }
  }
}
usage: migration.py [-h] (-l LDIF_FILE | -j CONFIG_FILE) [-H URI] [-D BIND]
                    [-w PASSWORD OR FILE] [-W] [-d] [-v] [-c]

optional arguments:
  -h, --help            show this help message and exit
  -l LDIF_FILE, --ldif LDIF_FILE
                        The ldif to import
  -j CONFIG_FILE, --json CONFIG_FILE
                        The json configuration file
  -H URI, --uri URI     The connection URI for the server (LDAP or HTTP)
  -D BIND, --bind BIND  The bind DN that is allowed to read the LDAP
                        configuration
  -w PASSWORD, --password PASSWORD
                        The password to authenticate the script for reading
                        the configuration
  -W, --ask-password    Ask for the password to authenticate the script for
                        reading the configuration
  -d, --dryrun          If set to true, planed changes are only shown but
                        changes are made to the LDAP
  -v, --verbose         If set to true, changes are shown
  -c, --continue        Continue processing even if errors occur
usage: migration.sh PASSWORD [FILE|VARIABLES]

required arguments:
  PASSWORD              The ldap password of the system.

optional arguments:
  VARIABLES             A list of Variable Names which are replaced during the migration.
  FILE                  Path to a file containing key-value pairs of variables.