tentative directional work on group creation

We need an issue to hold the spec for this.

Author: adobeDan

examples/config files - basic/1 user-sync-config.yml

@@ -167,13 +167,10 @@ directory_users:
     # is specified as a list of entries, each of which has a directory_group
     # setting (whose value is a single directory group) and an adobe_groups
     # setting (whose value is a list of 0 or more product configuration and
-    # user groups).  All of the values in the adobe_groups settings must
-    # match the name of product configurations and user groups which have
-    # already been created on the Adobe side.  (In this example, we pretend
-    # that "Acrobat DC Pro" is a product configuration and "Copy Editors"
-    # is a user group that the you have already created.  Possibly
-    # the "Copy Editors" user group has been assigned access to appropriate
-    # Adobe products, such as InDesign and InCopy.)
+    # user groups).  In this example, imagine that "Acrobat DC Pro" is a
+    # product configuration and "Copy Editors" is a user group, and that
+    # the "Copy Editors" user group will be assigned access to appropriate
+    # Adobe products, such as InDesign and InCopy.
     # [You will need to edit or remove these examples.]
     - directory_group: "Finance"
       adobe_groups:
@@ -186,6 +183,33 @@ directory_users:
         - "Copy Editors"
         - "Acrobat DC Pro"
 
+  # (optional) additional_groups (no default value)
+  # People who use their directory groups for ACLs on the Adobe side
+  # often have a very large number of groups that they want mapped
+  # over to (user) groups on the Adobe side.  To avoid having to
+  # specify those groups statically in their config file, and to
+  # update their config file when they change, they can instead
+  # use a naming convention for the groups and specify that here.
+  # The value of this attribute is a mapping from Python regular expressions
+  # that specify directory groups of interest to Pythonn replacement expressions
+  # that specify how to construct the name of the target Adobe group
+  # that the directory group should be mapped to.  If a value is
+  # provided, then all users who are (directly) in groups whose
+  # CN matches one of the source regular expressions will be put in a user group
+  # on the Adobe side whose name is given by the target replacement expression.
+  # The simple example here (which should be removed) maps all the
+  # groups that start with "ACL-" or end with "-ACL" to an Adobe
+  # group that starts with "ACL-Grp-".
+  # (All of these regular expressions must match the entire group name.
+  # For details on Python regular expression matching and replacement,
+  # see https://docs.python.org/howto/regex.html )
+  additional_groups:
+    - source: "ACL-(.+)"
+      target: "ACL-Grp-(\1)"
+    - source: "(.+)-ACL"
+      target: "ACL-Grp-(\1)"
+
+
 # The limits section provides processing limits which can help ensure that
 # User Sync jobs do not exceed expected guardrails in their operation
 limits:

examples/config files - basic/3 connector-ldap.yml

@@ -72,14 +72,29 @@ all_users_filter: "(&(objectClass=user)(objectCategory=person)(!(userAccountCont
 group_filter_format: "(&(|(objectCategory=group)(objectClass=groupOfNames)(objectClass=posixGroup))(cn={group}))"
 
 # (optional) group_member_filter_format (default value given below)
-# group_users_filter specifies the query used to find all members of a group,
+# group_member_filter_format specifies the query used to find all members of a group,
 # where the string {group_dn} is replaced with the group distinguished name.
 # The default value just finds users who are immediate members of the group,
 # not those who are "indirectly" members by virtue of membership in a group
 # that is contained in the group.  If you want indirect containment, then
 # use this value instead of the default:
 # group_member_filter_format: "(memberOf:1.2.840.113556.1.4.1941:={group_dn})"
 group_member_filter_format: "(memberOf={group_dn})"
+# Note that this filter is &-combined with the all_users_filter so that
+# only users that would be selected by that filter will be returned as
+# members of the given group.
+
+# (optional) member_group_filter_format (default value given below)
+# member_group_filter_format specifies the query used to find all groups that
+# directly contain a given member.  The string {member_dn} is replaced
+# with the DN of the group member.  The string {member_uid) is replaced with
+# the uid attribute of the group member, if any.  The default value expects
+# groups to refer to members by their DN.  For groups that refer to their
+# members by their UID (e.g., posix groups in many OpenLDAP systems), you
+# probably want to use this value instead: "(memberUid={member_uid})"
+member_group_filter_format: "(member={member_dn})"
+# Note that this filter is &-combined with the group_filter_format query
+# specifying a wildcard for the group name.  So it will only find groups.
 
 # (optional) string_encoding (default value given below)
 # string_encoding specifies the Unicode string encoding used by the directory.
@@ -172,14 +187,9 @@ user_email_format: "{mail}"
 # are already pre-defined attribute names that are used for these fields:
 # - the Adobe first name is set from the LDAP "givenName" attribute
 # - the Adobe last name is set from the LDAP "sn" (surname) attribute
-# - the Adobe country is set from the LDAP "country" attribute
+# - the Adobe country is set from the LDAP "c" (country) attribute
 # If you need to override these values on the Adobe side, you can use the
 # custom extension mechanism (see the docs) to compute and set field values
-# by combining these and any other custom attributes needed.  Seed the
+# by combining these and any other custom attributes needed.  See the
 # User Sync documentation for full details.
-#
-# Finally, some LDAP systems use uids to identify groups, and place users in
-# groups via uid rather than name.  The User Sync implementation always reads
-# the uid attribute on all objects if the directory provides one, so it is
-# able to handle directories which function in this way even though the
-# configuration files always specify groups by name.
+

user_sync/connector/directory_ldap.py

@@ -289,6 +289,10 @@ def iter_users(self, users_filter, extended_attributes):
             elif last_attribute_name:
                 self.logger.warning('No country code attribute (%s) for user with dn: %s', last_attribute_name, dn)
 
+            uid_value = LDAPValueFormatter.get_attribute_value(record, six.text_type('uid'))
+            source_attributes['uid'] = uid_value
+            user['member_groups'] = find_member_groups(dn, uid_value if uid_value else six.text_type(''))
+
             if extended_attributes is not None:
                 for extended_attribute in extended_attributes:
                     extended_attribute_value = LDAPValueFormatter.get_attribute_value(record, extended_attribute)