From 45726b9b01e7df1e2070fef563c9b2322ea1af5e Mon Sep 17 00:00:00 2001
From: Nicolas Grieco
Date: Mon, 21 May 2018 17:19:31 +0200
Subject: [PATCH] Better handling of the AD auth part - admin group for human users - admin group for API users - user group for read-only users - require_groupmembership to true by default
---
 README.md | 15 +++++++++++++++
 attributes/default.rb | 5 +++--
 recipes/default.rb | 5 +++--
 templates/default/config.php.erb | 6 ++++--
 4 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 9cff63d..69296cf 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,21 @@ The release is tested on: SNMP community public + + node['librenms']['auth_ad']['admingroup'] + Name of the AD group for admin users + + + + node['librenms']['auth_ad']['apigroup'] + Name of the AD group for api users + + + + node['librenms']['auth_ad']['usergroup'] + Name of the AD group for read-only users + + ### Features
diff --git a/attributes/default.rb b/attributes/default.rb
index 5493563..026efde 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -100,5 +100,6 @@ default['librenms']['auth_ad']['debug_enabled'] = 'false'
 default['librenms']['auth_ad']['users_purge'] = '30'
 default['librenms']['auth_ad']['req_member'] = 'false'
-default['librenms']['auth_ad']['admingroup_level'] = '10'
-default['librenms']['auth_ad']['usergroup_level'] = '5'
+default['librenms']['auth_ad']['admingroup'] = 'ad_admingroup'
+default['librenms']['auth_ad']['apigroup'] = 'ad_apigroup'
+default['librenms']['auth_ad']['usergroup'] = 'ad_usergroup'
diff --git a/recipes/default.rb b/recipes/default.rb
index d081dd0..97b8b6d 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
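Review bot: The commit message promises "require_groupmembership to true by default", but the context line `default['librenms']['auth_ad']['req_member'] = 'false'` in the attributes/default.rb hunk is left unchanged, so the rendered `auth_ad_require_groupmembership` stays false. If the intent is that only members of the three groups added here may log in, the default should read `default['librenms']['auth_ad']['req_member'] = 'true'`; what LibreNMS grants to accounts outside those groups while the check is off is not visible from this diff and should be confirmed. The new defaults `'ad_admingroup'`, `'ad_apigroup'` and `'ad_usergroup'` look like placeholders that will be written into config.php as real group names with levels attached, so a comment above them such as `# placeholder - override with the real AD group name before enabling AD auth` would help.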
@@ -302,8 +302,9 @@ ad_debug: node['librenms']['auth_ad']['debug_enabled'],
 ad_purge: node['librenms']['auth_ad']['users_purge'],
 ad_req: node['librenms']['auth_ad']['req_member'],
- ad_admlvl: node['librenms']['auth_ad']['admingroup_level'],
- ad_usrlvl: node['librenms']['auth_ad']['usergroup_level'],
+ ad_adm: node['librenms']['auth_ad']['admingroup'],
+ ad_api: node['librenms']['auth_ad']['apigroup'],
+ ad_usr: node['librenms']['auth_ad']['usergroup'],
 add_conf_file_path: node['librenms']['add_config_file']['path'],
 rrddir: node['librenms']['rrd_dir'],
 )
diff --git a/templates/default/config.php.erb b/templates/default/config.php.erb
index c720cc5..adba7d3 100644
--- a/templates/default/config.php.erb
+++ b/templates/default/config.php.erb
@@ -53,8 +53,9 @@ $config['auth_ad_timeout'] = <%= @ad_timeout %>;
 $config['auth_ad_debug'] = <%= @ad_debug %>;
 $config['active_directory']['users_purge'] = <%= @ad_purge %>;
 $config['auth_ad_require_groupmembership'] = <%= @ad_req %>;
-$config['auth_ad_groups']['']['level'] = <%= @ad_admlvl %>;
-$config['auth_ad_groups']['']['level'] = <%= @ad_usrlvl %>;
+$config['auth_ad_groups']['<%= ad_adm %>']['level'] = 10;
+$config['auth_ad_groups']['<%= ad_api %>']['level'] = 10;
+$config['auth_ad_groups']['<%= ad_usr %>']['level'] = 5;
 <% else %>
 $config['auth_mechanism'] = "mysql"; # default, other options: ldap, http-auth
 <% end %>
@@ -63,4 +64,5 @@ $config['auth_mechanism'] = "mysql"; # default, other options: ldap, http-auth
 if(file_exists( __DIR__ . DIRECTORY_SEPARATOR . '<%= @add_conf_file_path %>')) {
 include __DIR__ . DIRECTORY_SEPARATOR . '<%= @add_conf_file_path %>';
 }
+A
 <% end %>
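Review bot: The three added `auth_ad_groups` lines in the first config.php.erb hunk read `<%= ad_adm %>`, `<%= ad_api %>` and `<%= ad_usr %>` without the `@` that every other variable in this template carries (compare `<%= @ad_req %>`). The recipe hunk passes them as template variables `ad_adm:`, `ad_api:` and `ad_usr:`, so as written they are resolved as local names and rendering will most likely fail; they should be `['<%= @ad_adm %>']`, `['<%= @ad_api %>']` and `['<%= @ad_usr %>']`. The group name is also placed unescaped inside a single-quoted PHP string, so a name containing `'` or `\` would produce a broken or altered config.php; validating the attribute in the recipe or escaping it at render time would close that. Finally, the API group is written with level 10, the same as the admin group, which deserves a template comment such as `# API accounts are full administrators by design`, or a lower level if that is not the intent.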
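Review bot: The added line `A` between the closing `}` and `<% end %>` in the second config.php.erb hunk looks like a stray keystroke and should be dropped. It sits inside the conditional block that includes the additional config file, so whenever that block is rendered config.php gains a bare `A` token after the `if`. Depending on what follows it, PHP would reject that as a syntax error or evaluate it as an undefined constant, and either outcome can stop the configuration from loading. The opening of the enclosing ERB conditional lies outside the hunk.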