Fixes #9494 - Remodel using a single field

Author: adamruzicka

app/controllers/api/v2/auth_source_ldaps_controller.rb

@@ -45,8 +45,7 @@ def show
           param :usergroup_sync, :bool, :desc => N_("sync external user groups on login")
           param :tls, :bool
           param :groups_base, String, :desc => N_("groups base DN")
-          param :use_netgroups, :bool, :desc => N_("use NIS netgroups instead of posix groups, applicable only when server_type is posix or free_ipa")
-          param :use_rfc4519_group_membership, :bool, :desc => N_("use RFC4519 group membership in addition to posix groups, applicable only when server_type is posix")
+          param :ldap_group_membership, AuthSourceLdap::GROUP_MEMBERSHIP_TYPES.keys, :desc => N_("type of group membership to use, applicable only when server_type is posix, free_ipa or netiq. Option rfc4519 is only applicable  when server_type is posix.")
           param :server_type, AuthSourceLdap::SERVER_TYPES.keys, :desc => N_("type of the LDAP server")
           param :ldap_filter, String, :desc => N_("LDAP filter")
           param_group :taxonomies, ::Api::V2::BaseController

app/controllers/concerns/foreman/controller/parameters/auth_source_ldap.rb

@@ -22,8 +22,7 @@ def auth_source_ldap_params_filter
           :server_type,
           :tls,
           :usergroup_sync,
-          :use_netgroups,
-          :use_rfc4519_group_membership
+          :ldap_group_membership
 
         add_taxonomix_params_filter(filter)
       end

app/models/auth_sources/auth_source_ldap.rb

@@ -22,6 +22,8 @@ class AuthSourceLdap < AuthSource
   SERVER_TYPES = { :free_ipa => 'FreeIPA', :active_directory => 'Active Directory',
                    :posix    => 'POSIX', :netiq => "NetIQ"}
 
+  GROUP_MEMBERSHIP_TYPES = { :posix => 'POSIX', :rfc4519 => 'POSIX + RFC4519', :nis_netgroups => 'NIS Netgroups' }
+
   extend FriendlyId
   friendly_id :name
   include Parameterizable::ByIdName
@@ -35,11 +37,13 @@ class AuthSourceLdap < AuthSource
   validates :account_password, :length => {:maximum => 69}, :allow_nil => true
   validates :port, :presence => true, :numericality => {:only_integer => true}
   validates :server_type, :presence => true, :inclusion => { :in => SERVER_TYPES.keys.map(&:to_s) }
+  validates :ldap_group_membership, :presence => true, :inclusion => { :in => GROUP_MEMBERSHIP_TYPES.keys.map(&:to_s) }, :if => proc { |auth| auth.server_type.to_s == 'posix' }
+  validates :ldap_group_membership, :presence => true, :inclusion => { :in => ['posix', 'nis_netgroups'] }, :if => proc { |auth| %w[netiq free_ipa].include?(auth.server_type.to_s) }
+  validates :ldap_group_membership, :absence => true, :if => proc { |auth| auth.server_type.to_s == 'active_directory' }
   validate :validate_ldap_filter, :unless => proc { |auth| auth.ldap_filter.blank? }
 
   before_validation :strip_ldap_attributes
-  before_validation :sanitize_use_netgroups
-  before_validation :sanitize_use_rfc4519_group_membership
+  before_validation :sanitize_group_membership
   after_initialize :set_defaults, if: :new_record?
 
   scoped_search :on => :name, :complete_value => :true
@@ -93,8 +97,8 @@ def to_config(login = nil, password = nil)
       :anon_queries => account.blank?, :service_user => service_user(login),
       :service_pass => use_user_login_for_service? ? password : account_password,
       :instrumentation_service => ActiveSupport::Notifications,
-      :use_netgroups => use_netgroups,
-      :use_rfc4519_group_membership => use_rfc4519_group_membership }
+      :use_netgroups => ldap_group_membership == 'nis_netgroups',
+      :use_rfc4519_group_membership => ldap_group_membership == 'rfc4519' }
   end
 
   def encryption_config
@@ -197,13 +201,8 @@ def strip_ldap_attributes
     end
   end
 
-  def sanitize_use_netgroups
-    self.use_netgroups = false if server_type.to_s == 'active_directory'
-    true
-  end
-
-  def sanitize_use_rfc4519_group_membership
-    self.use_rfc4519_group_membership = false if server_type.to_s != 'posix'
+  def sanitize_group_membership
+    self.ldap_group_membership = nil if server_type.to_s == 'active_directory'
     true
   end
 

app/views/api/v2/auth_source_ldaps/main.json.rabl

@@ -4,4 +4,4 @@ extends "api/v2/auth_source_ldaps/base"
 
 attributes :host, :port, :account, :base_dn, :ldap_filter, :attr_login, :attr_firstname, :attr_lastname,
   :attr_mail, :attr_photo, :onthefly_register, :usergroup_sync, :tls, :server_type, :groups_base,
-  :use_netgroups, :use_rfc4519_group_membership, :created_at, :updated_at
+  :ldap_group_membership, :created_at, :updated_at

app/views/auth_source_ldaps/_form.html.erb

@@ -29,8 +29,16 @@
       <%= password_f f, :account_password, :help_inline => _("Use this account to authenticate, <i>optional</i>").html_safe, :unset => action_name == "edit" %>
       <%= text_f f, :base_dn, :label => _("Base DN"), :size => "col-md-8", :label_help => base_dn_help_data[@auth_source_ldap.server_type], :data => { :help => base_dn_help_data } %>
       <%= text_f f, :groups_base, :label => _("Groups base DN"), :size => "col-md-8", :label_help => groups_base_dn_help_data[@auth_source_ldap.server_type], :data => { :help => groups_base_dn_help_data } %>
-      <%= checkbox_f f, :use_netgroups, :help_inline => _("Use NIS netgroups instead of posix groups."), :label_help => _('By default we map user groups to standard LDAP Group objects. FreeIPA and POSIX LDAP server types supports alternative way of grouping users through Netgroups. Enable this checkbox if using Netgroups is preferred instead of standard groups.') %>
-      <%= checkbox_f f, :use_rfc4519_group_membership, :label => _('Use RFC4519 group membership'), :help_inline => _("Use group membership based on the groupOfNames and groupOfUniqueNames attributes as defined in RFC4519 in addition to POSIX groups."), :label_help => _('By default we use the memberuid attribute to map user groups to standard LDAP Group objects. Some POSIX LDAP servers support an alternative way of using the groupOfNames - member and groupOfUniqueNames - uniqueMember attributes to model group membership. Enable this checkbox if your LDAP server uses this instead of plain POSIX groups per RFC2307.') %>
+
+      <%= select_f f, :ldap_group_membership, AuthSourceLdap::GROUP_MEMBERSHIP_TYPES, :first, :last,
+              { :include_blank => _("Choose a group membership type") },
+              { :label => _('Group membership type'),
+                :help_inline => _("Controls which mechanism will be used for looking up users' group membership in LDAP."),
+                :label_help => "<ul>
+                  <li><b>#{_("POSIX")}</b> - #{_("Use the memberuid attribute to map user groups to standard LDAP Group objects.")}</li>
+                  <li><b>#{_("POSIX + RFC4519")}</b> - #{_("Use group membership based on the groupOfNames and groupOfUniqueNames attributes as defined in RFC4519 in addition to POSIX groups. Some POSIX LDAP servers support an alternative way of using the groupOfNames - member and groupOfUniqueNames - uniqueMember attributes to model group membership.")}</li>
+                  <li><b>#{_("NIS Netgroups")}</b> - #{_("Use NIS netgroups instead of posix groups. FreeIPA and POSIX LDAP server types supports alternative way of grouping users through Netgroups.")}</li>
+                </ul>" } %>
 
       <%= textarea_f f, :ldap_filter, :label => _("LDAP filter"), :help_block => _("Custom LDAP search filter, <i>optional</i>").html_safe, :size => "col-md-8" %>
       <%= checkbox_f f, :onthefly_register,

db/migrate/20250422171523_add_use_rfc4519_group_membership_to_ldap_auth_source.rb

@@ -0,0 +1,14 @@
+class ExtendLdapGroupMembershipOptions < ActiveRecord::Migration[7.0]
+  def up
+    add_column :auth_sources, :ldap_group_membership, :string
+    AuthSourceLdap.where.not(server_type: 'active_directory').update_all(ldap_group_membership: 'posix')
+    AuthSourceLdap.where(use_netgroups: true).update_all(use_netgroups: 'nis_netgroups')
+    remove_column :auth_sources, :use_netgroups
+  end
+
+  def down
+    add_column :auth_sources, :use_netgroups, :boolean, :default => false
+    AuthSourceLdap.where(ldap_group_membership: 'nis_netgroups').update_all(use_netgroups: true)
+    remove_column :auth_sources, :ldap_group_membership
+  end
+end

db/migrate/20250528092104_extend_ldap_group_membership_options.rb

@@ -8,6 +8,7 @@
     attr_lastname { 'daho' }
     port { '389' }
     server_type { 'posix' }
+    ldap_group_membership { 'posix' }
   end
 
   trait :posix

test/factories/auth_source_ldap.rb

@@ -58,11 +58,11 @@ def setup
   end
 
   test "it enforces use_netgroups to false for active directory" do
-    auth_source_ldap.use_netgroups = true
+    auth_source_ldap.ldap_group_membership = 'nis_netgroups'
     auth_source_ldap.server_type = :active_directory
 
     assert auth_source_ldap.valid?
-    refute auth_source_ldap.use_netgroups
+    assert_nil auth_source_ldap.ldap_group_membership
   end
 
   test "return nil if login is blank or password is blank" do

test/models/auth_sources/auth_source_ldap_test.rb

@@ -83,17 +83,30 @@ function updateLdapAccountHelp(selectedType) {
 
 export function changeLdapServerType() {
   const type = $('#auth_source_ldap_server_type').val();
-  $('#auth_source_ldap_use_netgroups')
-    .closest('.form-group')
-    .toggle(type !== 'active_directory');
-  $('#auth_source_ldap_use_rfc4519_group_membership')
-    .closest('.form-group')
-    .toggle(type === 'posix');
+  const membershipType = $('#auth_source_ldap_ldap_group_membership');
+
+  membershipType.closest('.form-group').toggle(type !== 'active_directory');
+
+  if (type !== 'active_directory') {
+    const rfc4519 = $(
+      '#auth_source_ldap_ldap_group_membership option[value="rfc4519"]'
+    );
+
+    if (type !== 'posix') {
+      rfc4519.attr('disabled', 'disabled');
+      if (membershipType.find(':selected').val() === 'rfc4519') {
+        membershipType.val(null).trigger('change');
+      }
+    } else {
+      rfc4519.removeAttr('disabled');
+    }
+  }
+
   updateLdapAccountHelp(type);
 }
 
 $(document).ready(() => {
-  if (window.location.pathname.match('auth_source_ldaps/i')) {
+  if (window.location.pathname.match(/auth_source_ldaps/i)) {
     changeLdapServerType();
   }
 });