ldap: Add support for two field mapping of full name.

Tests for `sync_full_name_from_ldap()` are pending and will be added in a separate commit. Fixes: #11039.
2025-11-03 13:33:24 +00:00 · 2019-01-10 17:25:34 +00:00
parent 348f370b79
commit 05ad6a357b
3 changed files with 68 additions and 5 deletions
--- a/zproject/backends.py
+++ b/zproject/backends.py
@@ -312,10 +312,40 @@ class ZulipLDAPAuthBackendBase(ZulipAuthMixin, LDAPBackend):
        ldap_disabled = bool(int(account_control_value) & LDAP_USER_ACCOUNT_CONTROL_DISABLED_MASK)
        return ldap_disabled

+    def get_mapped_name(self, ldap_user: _LDAPUser) -> Tuple[str, str]:
+        if "full_name" in settings.AUTH_LDAP_USER_ATTR_MAP:
+            full_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["full_name"]
+            short_name = full_name = ldap_user.attrs[full_name_attr][0]
+        elif all(key in settings.AUTH_LDAP_USER_ATTR_MAP for key in {"first_name", "last_name"}):
+            first_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["first_name"]
+            last_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["last_name"]
+            short_name = ldap_user.attrs[first_name_attr][0]
+            full_name = short_name + ' ' + ldap_user.attrs[last_name_attr][0]
+        else:
+            raise ZulipLDAPException("Missing required mapping for user's full name")
+
+        if "short_name" in settings.AUTH_LDAP_USER_ATTR_MAP:
+            short_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["short_name"]
+            short_name = ldap_user.attrs[short_name_attr][0]
+
+        return full_name, short_name
+
+    def sync_full_name_from_ldap(self, user_profile: UserProfile,
+                                 ldap_user: _LDAPUser) -> None:  # nocoverage
+        from zerver.lib.actions import do_change_full_name
+        full_name, _ = self.get_mapped_name(ldap_user)
+        if full_name != user_profile.full_name:
+            try:
+                full_name = check_full_name(full_name)
+            except JsonableError as e:
+                raise ZulipLDAPException(e.msg)
+            do_change_full_name(user_profile, full_name, None)
+
    def get_or_build_user(self, username: str,
                          ldap_user: _LDAPUser) -> Tuple[UserProfile, bool]:  # nocoverage
        (user, built) = super().get_or_build_user(username, ldap_user)
        self.sync_avatar_from_ldap(user, ldap_user)
+        self.sync_full_name_from_ldap(user, ldap_user)
        if 'userAccountControl' in settings.AUTH_LDAP_USER_ATTR_MAP:
            user_disabled_in_ldap = self.is_account_control_disabled_user(ldap_user)
            if user_disabled_in_ldap and user.is_active:
@@ -393,15 +423,11 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
            raise ZulipLDAPException("Realm has been deactivated")

        # We have valid LDAP credentials; time to create an account.
-        full_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["full_name"]
-        short_name = full_name = ldap_user.attrs[full_name_attr][0]
+        full_name, short_name = self.get_mapped_name(ldap_user)
        try:
            full_name = check_full_name(full_name)
        except JsonableError as e:
            raise ZulipLDAPException(e.msg)
-        if "short_name" in settings.AUTH_LDAP_USER_ATTR_MAP:
-            short_name_attr = settings.AUTH_LDAP_USER_ATTR_MAP["short_name"]
-            short_name = ldap_user.attrs[short_name_attr][0]

        user_profile = do_create_user(username, None, self._realm, full_name, short_name)
        self.sync_avatar_from_ldap(user_profile, ldap_user)