From d6b595bc7dc82a014e670552eebe75d485a697e5 Mon Sep 17 00:00:00 2001
From: kakwa
Date: Wed, 15 Apr 2015 20:13:56 +0200
Subject: [PATCH] adding a canevas for role definition
---
 conf/ldapcherry.ini | 78 ++++++++------------------------------------
 conf/roles.yml | 48 ++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 65 deletions(-)
 create mode 100644 conf/roles.yml
diff --git a/conf/ldapcherry.ini b/conf/ldapcherry.ini
index e213d24..8d0f61f 100644
--- a/conf/ldapcherry.ini
+++ b/conf/ldapcherry.ini
@@ -43,16 +43,6 @@ log.access_handler = 'none'
 # log level
 log.level = 'info'
-
-#####################################
-# Form configuration #
-#####################################
-# redirect to zone page after adding/deleting a record
-# if 'on', redirects to zone page
-# if 'off', stays on a summary page
-form.add.redirect = 'on'
-form.del.redirect = 'on'
-
 # session configuration
 # activate session
 tools.sessions.on = True
@@ -69,66 +59,24 @@ tools.sessions.timeout = 10
 # templates directory
 template_dir = '/usr/share/ldapcherry/templates/'
+[backends]
+
+ldap.module = 'ldapcherry.backends.ldap'
+ad.module = 'ldapcherry.backends.ad'
+
 # authentification parameters
 [auth]
-######################################
-# parameters for auth module 'none' #
-######################################
-# this module disable authentification
-# (if you use other means of authentification)
+# Auth mode
+# * and: user must authenticate on all backends
+# * or: user must authenticate on one of the backend
+# * none: disable authentification
+# * custom: custom authentification module (need auth.module param)
+auth.mode = 'or'
-# auth module to load
-auth.module = 'ldapcherry.auth.modNone'
-# optional http header handling.
-# useful if username is transmitted by header
-# (permits nominative logs).
-# if activated, this header presence
-# in each request is mandatory.
-#auth.none.user_header_name = 'AUTH_USER'
+# custom auth module to load
+#auth.module = 'ldapcherry.auth.modNone'
-#######################################
-## parameters for auth module 'ldap' #
-#######################################
-# This module is used for ldap authentification
-
-## name of the auth module
-#auth.module = 'ldapcherry.auth.modLdap'
-## base dn where to search user
-#auth.ldap.userdn = 'ou=People,dc=example,dc=org'
-## ldap login filter
-#auth.ldap.user.filter.tmpl = '(uid=%(login)s)'
-## base dn for group
-## (if empty, all user in userdn can access ldapcherry)
-#auth.ldap.groupdn = 'cn=itpeople,ou=Groups,dc=example,dc=org'
-## ldap group filter
-#auth.ldap.group.filter.tmpl = '(member=%(userdn)s)'
-## bind dn
-#auth.ldap.binddn = 'cn=ldapcherry,dc=example,dc=org'
-## bind password
-#auth.ldap.bindpassword = 'password'
-## ldap uri
-#auth.ldap.uri = 'ldaps://ldap.ldapcherry.org'
-## ldap CA file (use for ssl/tls)
-#auth.ldap.ca = '/etc/ldapcherry/TEST-cacert.pem'
-## enable starttls (default off)
-##auth.ldap.starttls = 'on'
-## check certificat (default on)
-##auth.ldap.checkcert = 'off'
-
-##########################################
-# parameters for auth module 'htpasswd' #
-##########################################
-# This module is used for htpasswd file
-# user database
-#
-# name of the auth module
-#auth.module = 'ldapcherry.auth.modHtpasswd'
-# path to htpasswd file
-#auth.htpasswd.file = '/etc/ldapcherry/users.db'
-
-# enable cherrypy static handling
-# to comment if static content are handled otherwise
 [/static]
 tools.staticdir.on = True
 tools.staticdir.dir = '/usr/share/ldapcherry/static/'
diff --git a/conf/roles.yml b/conf/roles.yml
new file mode 100644
index 0000000..fe19ef7
--- /dev/null
+++ b/conf/roles.yml
@@ -0,0 +1,48 @@
+admin-lv3:
+  display_name: Administrators Level 3
+  LC_admins: True
+  backends:
+    - backend_name: ldap
+      groups:
+        - cn=dns admins,ou=group,dc=example,dc=com
+        - cn=nagios admins,ou=group,dc=example,dc=com
+        - cn=puppet admins,ou=group,dc=example,dc=com
+        - cn=users,ou=group,dc=example,dc=com
+    - backend_name: ad
+      groups:
+        - Domain Users
+        - Administrators
+        - Domain Controllers
+
+admin-lv2:
+  display_name: Administrators Level 2
+  backends:
+    - backend_name: ldap
+      groups:
+        - cn=nagios admins,ou=group,dc=example,dc=com
+        - cn=users,ou=group,dc=example,dc=com
+    - backend_name: ad
+      groups:
+        - Domain Users
+
+developpers:
+  diplay_name: Developpers
+  backends:
+    - backend_name: ldap
+      groups:
+        - cn=nagios user,ou=group,dc=example,dc=com
+        - cn=developpers,ou=group,dc=example,dc=com
+        - cn=users,ou=group,dc=example,dc=com
+    - backend_name: ad
+      groups:
+        - Domain Users
+
+users:
+  diplay_name: Simple Users
+  backends:
+    - backend_name: ldap
+      groups:
+        - cn=users,ou=group,dc=example,dc=com
+    - backend_name: ad
+      groups:
+        - Domain Users
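Review bot: The new `[backends]` section declares only `ldap.module` and `ad.module`, while the removed `auth.ldap.*` lines were the only place the LDAP URI, CA file, `checkcert` and `starttls` settings were documented, so after this hunk nothing in the file says where a backend's connection and certificate-verification parameters go or that verification is expected to be on. If per-backend parameters are meant to live under `[backends]` (inferred from the section name, not visible here), a line such as `# per-backend connection parameters (uri, binddn, ca, checkcert, starttls, ...) go here as <backend>.<param>` would preserve that guidance. The `auth.mode` comment should also spell out the consequence of `or`, since access is then granted as soon as any single backend accepts the credentials and the least strict backend sets the bar, e.g. `# * or: user must authenticate on one of the backend (access is granted if any single backend accepts, so the weakest backend decides)`, and note that `none` disables authentication entirely and must be an explicit choice.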
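Review bot: Two of the four roles spell the display key `diplay_name` (`developpers` and `users`) while `admin-lv3` and `admin-lv2` use `display_name`; whatever loads this file will presumably read only one spelling, so half the roles would end up without a display name, or with an unrecognised key, and nothing in the hunk would flag it. Change the two lines to `display_name: Developpers` and `display_name: Simple Users`. Since the file is offered as a template, a short header comment describing the schema — role id as the top-level key, `display_name`, the optional `LC_admins` flag that only `admin-lv3` sets here, and `backends` as a list of `backend_name` with its `groups` — would make it usable without reading the loader, and should note that the `dc=example,dc=com` and AD group names are placeholders to replace per deployment.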