@@ -39,7 +39,7 @@ OpenShift `Group`'s `Labels` will also be used to store metadata regarding the s

   * Populate new OpenShift `Group`'s `Users` from resulting OpenShift `UserIdentityMappings`, update OpenShift `Group` metadata fields tied to LDAP attributes, leave other OpenShift `Group` fields unchanged

 ##  Determining Ordered List of LDAP Groups To Sync

-An `LDAPGroupLister` determines what LDAP groups needs to be synced and outputs the result as a set of unique identifier strings (called "LDAP group UIDs" in this document). The other objects that take LDAP group UIDs need to understand the format of this string (e.g. these objects will be tightly coupled). For example, an `LDAPGroupLister` for schema 1 above cannot be used with a `LDAPGroupDataExtractor` for schema 2. The four `LDAPGroupLister` implementations that are necessary are:

+An `LDAPGroupLister` determines what LDAP groups needs to be synced and outputs the result as a set of unique identifier strings (called "LDAP group UIDs" in this document). The other objects that take LDAP group UIDs need to understand the format of this string (e.g. these objects will be tightly coupled). For example, an `LDAPGroupLister` for schema 1 above cannot be used with a `LDAPGroupMemberExtractor` for schema 2. The four `LDAPGroupLister` implementations that are necessary are:

 1. List LDAP group UIDs for all OpenShift `Groups` matching a `Label` selector identifying them as pertaining to the sync job, minus a blacklist

 * List LDAP group UIDs for some whitelist of OpenShift `Groups`

@@ -48,7 +48,7 @@ An `LDAPGroupLister` determines what LDAP groups needs to be synced and outputs

 ```go

 // LDAPGroupLister lists the LDAP groups that need to be synced by a job. The LDAPGroupLister needs to

-// be paired with an LDAPGroupDataExtractor that understands the format of the unique identifiers

+// be paired with an LDAPGroupMemberExtractor that understands the format of the unique identifiers

 // returned to represent the LDAP groups to be synced.

 type LDAPGroupLister interface {

 	ListGroups() (groupUIDs []string, err error)

@@ -56,11 +56,11 @@ type LDAPGroupLister interface {

 ```

 ## Collecting LDAP Members and Metadata

-An `LDAPGroupDataExtractor` gathers information on an LDAP group based on an LDAP group UID. It may cache LDAP responses for responsivity. The approach to implementing this structure will vary with LDAP schema as well as sync job request.

+An `LDAPGroupMemberExtractor` gathers information on an LDAP group based on an LDAP group UID. It may cache LDAP responses for responsivity. The approach to implementing this structure will vary with LDAP schema as well as sync job request.

 ```go

-// LDAPGroupDataExtractor retrieves data about an LDAP group from the LDAP server.

-type LDAPGroupDataExtractor interface {

+// LDAPGroupMemberExtractor retrieves data about an LDAP group from the LDAP server.

+type LDAPGroupMemberExtractor interface {

 	// ExtractMembers returns the list of LDAP first-class user entries that are members of the LDAP

 	// group specified by the groupUID

 	ExtractMembers(groupUID string) (members []*ldap.Entry, err error)

@@ -68,7 +68,7 @@ type LDAPGroupDataExtractor interface {

 ```

 ## Determining OpenShift `User` Names for LDAP Members

-The mapping of a LDAP member entry to an OpenShift `User` Name will be deterministic and simple: whatever LDAP entry attribute is used for the OpenShift `User` Name field upon creation of OpenShift `Users` will be used as the OpenShift `User` Name. As long as the `DeterministicUserIdentityMapper` is used to introduce LDAP member entries to OpenShift `User` records and the `LDAPUserToIdentityMapping` used for the sync job and `DeterministicUserIdentityMapper` is the same, the mappings created by the `LDAPUserNameMapper` will be correct.

+The mapping of a LDAP member entry to an OpenShift `User` Name will be deterministic and simple: whatever LDAP entry attribute is used for the OpenShift `User` Name field upon creation of OpenShift `Users` will be used as the OpenShift `User` Name. As long as the `DeterministicUserIdentityMapper` is used to introduce LDAP member entries to OpenShift `User` records and the `LDAPUserAttributeDefiner` used for the sync job and `DeterministicUserIdentityMapper` is the same, the mappings created by the `LDAPUserNameMapper` will be correct.

 ```go

 // LDAPUserNameMapper maps an LDAP entry representing a user to the OpenShift User Name corresponding to it

@@ -22,11 +22,6 @@ type Options struct {

 	// ClientConfig holds information about connecting with the LDAP server

 	ClientConfig ldaputil.LDAPClientConfig

-	// BindDN is the optional username to bind to for the search phase. If specified, BindPassword must also be set.

-	BindDN string

-	// BindPassword is the optional password to bind to for the search phase.

-	BindPassword string

-

 	// UserAttributeDefiner defines the values corresponding to OpenShift Identities in LDAP entries

 	// by using a deterministic mapping of LDAP entry attributes to OpenShift Identity fields. The first

 	// attribute with a non-empty value is used for all but the latter identity field. If no LDAP attributes

@@ -88,18 +83,15 @@ func (a *Authenticator) getIdentity(username, password string) (authapi.UserIden

 		return nil, false, nil

 	}

-	// Make the connection

+	// Make the connection and bind to it if a bind DN and password were given

 	l, err := a.options.ClientConfig.Connect()

 	if err != nil {

 		return nil, false, err

 	}

 	defer l.Close()

-	// If specified, bind the username/password for search phase

-	if len(a.options.BindDN) > 0 {

-		if err := l.Bind(a.options.BindDN, a.options.BindPassword); err != nil {

-			return nil, false, err

-		}

+	if _, err := a.options.ClientConfig.Bind(l); err != nil {

+		return nil, false, err

 	}

 	// & together the filter specified in the LDAP options with the user-specific filter

@@ -5,25 +5,47 @@ import (

 	"fmt"

 	"net"

+	"k8s.io/kubernetes/pkg/util"

+

 	"github.com/go-ldap/ldap"

 )

 // NewLDAPClientConfig returns a new LDAPClientConfig

-func NewLDAPClientConfig(url LDAPURL, insecure bool, tlsConfig *tls.Config) LDAPClientConfig {

-	return LDAPClientConfig{

-		Scheme:    url.Scheme,

-		Host:      url.Host,

-		Insecure:  insecure,

-		TLSConfig: tlsConfig,

+func NewLDAPClientConfig(URL, bindDN, bindPassword, CA string, insecure bool) (LDAPClientConfig, error) {

+	url, err := ParseURL(URL)

+	if err != nil {

+		return LDAPClientConfig{}, fmt.Errorf("Error parsing URL: %v", err)

 	}

+

+	tlsConfig := &tls.Config{}

+	if len(CA) > 0 {

+		roots, err := util.CertPoolFromFile(CA)

+		if err != nil {

+			return LDAPClientConfig{}, fmt.Errorf("error loading cert pool from ca file %s: %v", CA, err)

+		}

+		tlsConfig.RootCAs = roots

+	}

+

+	return LDAPClientConfig{

+		Scheme:       url.Scheme,

+		Host:         url.Host,

+		BindDN:       bindDN,

+		BindPassword: bindPassword,

+		Insecure:     insecure,

+		TLSConfig:    tlsConfig,

+	}, nil

 }

 // LDAPClientConfig holds information for connecting to an LDAP server

 type LDAPClientConfig struct {

-	// Scheme is ldap or ldaps

+	// Scheme is the LDAP connection scheme, either ldap or ldaps

 	Scheme Scheme

 	// Host is the host:port of the LDAP server

 	Host string

+	// BindDN is an optional DN to bind with during the search phase.

+	BindDN string

+	// BindPassword is an optional password to bind with during the search phase.

+	BindPassword string

 	// Insecure specifies if TLS is required for the connection. If true, either an ldap://... URL or

 	// StartTLS must be supported by the server

 	Insecure bool

@@ -31,9 +53,9 @@ type LDAPClientConfig struct {

 	TLSConfig *tls.Config

 }

-// Connect returns an established LDAP connection, or an error if the connection could not be made

-// (or successfully upgraded to TLS). If no error is returned, the caller is responsible for closing

-// the connection

+// Connect returns an established LDAP connection, or an error if the connection could not

+// be made (or successfully upgraded to TLS). If no error is returned, the caller is responsible for

+// closing the connection

 func (l *LDAPClientConfig) Connect() (*ldap.Conn, error) {

 	tlsConfig := l.TLSConfig

@@ -78,3 +100,17 @@ func (l *LDAPClientConfig) Connect() (*ldap.Conn, error) {

 		return nil, fmt.Errorf("unsupported scheme %q", l.Scheme)

 	}

 }

+

+// Bind binds to a given LDAP connection if a bind DN and password were given.

+// Bind returns whether a bind occured and whether an error occurred

+func (l *LDAPClientConfig) Bind(connection *ldap.Conn) (bound bool, err error) {

+	if len(l.BindDN) > 0 {

+		if err := connection.Bind(l.BindDN, l.BindPassword); err != nil {

+			return false, err

+		} else {

+			return true, nil

+		}

+	}

+

+	return false, nil

+}

deleted file mode 100644

@@ -1,71 +0,0 @@

-package ldaputil

-

-import (

-	"testing"

-

-	"github.com/go-ldap/ldap"

-)

-

-func TestGetAttributeValue(t *testing.T) {

-

-	testcases := map[string]struct {

-		Entry         *ldap.Entry

-		Attributes    []string

-		ExpectedValue string

-	}{

-		"empty": {

-			Attributes:    []string{},

-			Entry:         &ldap.Entry{DN: "", Attributes: []*ldap.EntryAttribute{}},

-			ExpectedValue: "",

-		},

-

-		"dn": {

-			Attributes:    []string{"dn"},

-			Entry:         &ldap.Entry{DN: "foo", Attributes: []*ldap.EntryAttribute{}},

-			ExpectedValue: "foo",

-		},

-		"DN": {

-			Attributes:    []string{"DN"},

-			Entry:         &ldap.Entry{DN: "foo", Attributes: []*ldap.EntryAttribute{}},

-			ExpectedValue: "foo",

-		},

-

-		"missing": {

-			Attributes:    []string{"foo", "bar", "baz"},

-			Entry:         &ldap.Entry{DN: "", Attributes: []*ldap.EntryAttribute{}},

-			ExpectedValue: "",

-		},

-

-		"present": {

-			Attributes: []string{"foo"},

-			Entry: &ldap.Entry{DN: "", Attributes: []*ldap.EntryAttribute{

-				{Name: "foo", Values: []string{"fooValue"}},

-			}},

-			ExpectedValue: "fooValue",

-		},

-		"first of multi-value attribute": {

-			Attributes: []string{"foo"},

-			Entry: &ldap.Entry{DN: "", Attributes: []*ldap.EntryAttribute{

-				{Name: "foo", Values: []string{"fooValue", "fooValue2"}},

-			}},

-			ExpectedValue: "fooValue",

-		},

-		"first present attribute": {

-			Attributes: []string{"foo", "bar", "baz"},

-			Entry: &ldap.Entry{DN: "", Attributes: []*ldap.EntryAttribute{

-				{Name: "foo", Values: []string{""}},

-				{Name: "bar", Values: []string{"barValue"}},

-				{Name: "baz", Values: []string{"bazValue"}},

-			}},

-			ExpectedValue: "barValue",

-		},

-	}

-

-	for k, tc := range testcases {

-		v := getAttributeValue(tc.Entry, tc.Attributes)

-		if v != tc.ExpectedValue {

-			t.Errorf("%s: Expected %q, got %q", k, tc.ExpectedValue, v)

-		}

-	}

-

-}

@@ -72,28 +72,28 @@ func (d *LDAPUserAttributeDefiner) AllAttributes() util.StringSet {

 // Email extracts the email value from an LDAP user entry

 func (d *LDAPUserAttributeDefiner) Email(user *ldap.Entry) string {

-	return getAttributeValue(user, d.attributeMapping.Email)

+	return GetAttributeValue(user, d.attributeMapping.Email)

 }

 // Name extracts the name value from an LDAP user entry

 func (d *LDAPUserAttributeDefiner) Name(user *ldap.Entry) string {

-	return getAttributeValue(user, d.attributeMapping.Name)

+	return GetAttributeValue(user, d.attributeMapping.Name)

 }

 // PreferredUsername extracts the preferred username value from an LDAP user entry

 func (d *LDAPUserAttributeDefiner) PreferredUsername(user *ldap.Entry) string {

-	return getAttributeValue(user, d.attributeMapping.PreferredUsername)

+	return GetAttributeValue(user, d.attributeMapping.PreferredUsername)

 }

 // ID extracts the ID value from an LDAP user entry

 func (d *LDAPUserAttributeDefiner) ID(user *ldap.Entry) string {

-	return getAttributeValue(user, d.attributeMapping.ID)

+	return GetAttributeValue(user, d.attributeMapping.ID)

 }

-// getAttributeValue finds the first attribute of those given that the LDAP entry has, and

-// returns it. getAttributeValue is able to query the DN as well as Attributes of the LDAP entry.

+// GetAttributeValue finds the first attribute of those given that the LDAP entry has, and

+// returns it. GetAttributeValue is able to query the DN as well as Attributes of the LDAP entry.

 // If no value is found, the empty string is returned.

-func getAttributeValue(entry *ldap.Entry, attributes []string) string {

+func GetAttributeValue(entry *ldap.Entry, attributes []string) string {

 	for _, k := range attributes {

 		// Ignore empty attributes

 		if len(k) == 0 {

new file mode 100644

@@ -0,0 +1,71 @@

+package ldaputil

+

+import (

+	"testing"

+

+	"github.com/go-ldap/ldap"

+)

+

+func TestGetAttributeValue(t *testing.T) {

+

+	testcases := map[string]struct {

+		Entry         *ldap.Entry

+		Attributes    []string

+		ExpectedValue string

+	}{

+		"empty": {

+			Attributes:    []string{},

+			Entry:         &ldap.Entry{DN: "", Attributes: []*ldap.EntryAttribute{}},

+			ExpectedValue: "",

+		},

+

+		"dn": {

+			Attributes:    []string{"dn"},

+			Entry:         &ldap.Entry{DN: "foo", Attributes: []*ldap.EntryAttribute{}},

+			ExpectedValue: "foo",

+		},

+		"DN": {

+			Attributes:    []string{"DN"},

+			Entry:         &ldap.Entry{DN: "foo", Attributes: []*ldap.EntryAttribute{}},

+			ExpectedValue: "foo",

+		},

+

+		"missing": {

+			Attributes:    []string{"foo", "bar", "baz"},

+			Entry:         &ldap.Entry{DN: "", Attributes: []*ldap.EntryAttribute{}},

+			ExpectedValue: "",

+		},

+

+		"present": {

+			Attributes: []string{"foo"},

+			Entry: &ldap.Entry{DN: "", Attributes: []*ldap.EntryAttribute{

+				{Name: "foo", Values: []string{"fooValue"}},

+			}},

+			ExpectedValue: "fooValue",

+		},

+		"first of multi-value attribute": {

+			Attributes: []string{"foo"},

+			Entry: &ldap.Entry{DN: "", Attributes: []*ldap.EntryAttribute{

+				{Name: "foo", Values: []string{"fooValue", "fooValue2"}},

+			}},

+			ExpectedValue: "fooValue",

+		},

+		"first present attribute": {

+			Attributes: []string{"foo", "bar", "baz"},

+			Entry: &ldap.Entry{DN: "", Attributes: []*ldap.EntryAttribute{

+				{Name: "foo", Values: []string{""}},

+				{Name: "bar", Values: []string{"barValue"}},

+				{Name: "baz", Values: []string{"bazValue"}},

+			}},

+			ExpectedValue: "barValue",

+		},

+	}

+

+	for k, tc := range testcases {

+		v := GetAttributeValue(tc.Entry, tc.Attributes)

+		if v != tc.ExpectedValue {

+			t.Errorf("%s: Expected %q, got %q", k, tc.ExpectedValue, v)

+		}

+	}

+

+}

new file mode 100644

@@ -0,0 +1,211 @@

+package ldaputil

+

+import (

+	"fmt"

+	"strings"

+

+	"github.com/go-ldap/ldap"

+	"github.com/golang/glog"

+

+	"k8s.io/kubernetes/pkg/util"

+

+	"github.com/openshift/origin/pkg/cmd/server/api"

+)

+

+// LDAPQuery encodes an LDAP query

+type LDAPQuery struct {

+	// The DN of the branch of the directory where all searches should start from

+	BaseDN string

+

+	// The (optional) scope of the search. Defaults to the entire subtree if not set

+	Scope Scope

+

+	// The (optional) behavior of the search with regards to alisases. Defaults to always

+	// dereferencing if not set

+	DerefAliases DerefAliases

+

+	// TimeLimit holds the limit of time in seconds that any request to the server can remain outstanding

+	// before the wait for a response is given up. If this is 0, no client-side limit is imposed

+	TimeLimit int

+

+	// Filter is a valid LDAP search filter that retrieves all relevant entries from the LDAP server with the base DN

+	Filter string

+}

+

+// NewSearchRequest creates a new search request for the LDAP query and optionally includes more attributes

+func (q *LDAPQuery) NewSearchRequest(additionalAttributes []string) *ldap.SearchRequest {

+	return ldap.NewSearchRequest(

+		q.BaseDN,

+		int(q.Scope),

+		int(q.DerefAliases),

+		0, // allowed return size - indicates no limit

+		q.TimeLimit,

+		false, // not types only

+		q.Filter,

+		additionalAttributes,

+		nil, // no controls

+	)

+}

+

+// LDAPQueryOnAttribute encodes an LDAP query that conjoins two filters to extract a specific LDAP entry

+// This query is not self-sufficient and needs the value of the QueryAttribute to construct the final filter

+type LDAPQueryOnAttribute struct {

+	// Query retrieves entries from an LDAP server

+	LDAPQuery

+

+	// QueryAttribute is the attribute for a specific filter that, when conjoined with the common filter,

+	// retrieves the specific LDAP entry from the LDAP server. (e.g. "cn", when formatted with "aGroupName"

+	// and conjoined with "objectClass=groupOfNames", becomes (&(objectClass=groupOfNames)(cn=aGroupName))")

+	QueryAttribute string

+}

+

+// IdentifiyingLDAPQueryOptions holds a query and the attribute that identifies the entries that the query returns

+type IdentifiyingLDAPQueryOptions struct {

+	// Query retrieves entries from an LDAP server

+	LDAPQueryOnAttribute

+

+	// NameAttributes defines the attributes for the LDAP entries returned by the Query that will be interpreted

+	// as their names

+	NameAttributes []string

+}

+

+// NewIdentifiyingLDAPQueryOptions converts a user-provided LDAPQuery into a version we can use by parsing

+// the input and combining it with a set of name attributes

+func NewIdentifiyingLDAPQueryOptions(config api.LDAPQuery,

+	nameAttributes []string) (IdentifiyingLDAPQueryOptions, error) {

+

+	scope, err := DetermineLDAPScope(config.Scope)

+	if err != nil {

+		return IdentifiyingLDAPQueryOptions{}, err

+	}

+

+	derefAliases, err := DetermineDerefAliasesBehavior(config.DerefAliases)

+	if err != nil {

+		return IdentifiyingLDAPQueryOptions{}, err

+	}

+

+	return IdentifiyingLDAPQueryOptions{

+		LDAPQueryOnAttribute: LDAPQueryOnAttribute{

+			LDAPQuery: LDAPQuery{

+				BaseDN:       config.BaseDN,

+				Scope:        scope,

+				DerefAliases: derefAliases,

+				TimeLimit:    config.TimeLimit,

+				Filter:       config.Filter,

+			},

+			QueryAttribute: config.QueryAttribute,

+		},

+		NameAttributes: nameAttributes,

+	}, nil

+}

+

+// NewSearchRequest creates a new search request from the identifying query by internalizing the value of

+// the attribute to be filtered as well as any additional attributest that need to be recovereds

+func (o *IdentifiyingLDAPQueryOptions) NewSearchRequest(attributeValue string,

+	additionalAttributes []string) (*ldap.SearchRequest, error) {

+

+	allAttributes := util.NewStringSet(o.NameAttributes...)

+	allAttributes.Insert(additionalAttributes...)

+

+	if o.QueryAttribute == "DN" || o.QueryAttribute == "dn" {

+		if !strings.Contains(attributeValue, o.BaseDN) {

+			return nil, fmt.Errorf("search for entry with %s=%s would search outside of the base dn specified (dn=%s)",

+				o.QueryAttribute, attributeValue, o.BaseDN)

+		}

+		if _, err := ldap.ParseDN(attributeValue); err != nil {

+			return nil, fmt.Errorf("could not search by dn, invalid dn value: %v", err)

+		}

+		return o.buildDNQuery(attributeValue, allAttributes.List()), nil

+	} else {

+		return o.buildAttributeQuery(attributeValue, allAttributes.List()), nil

+	}

+}

+

+// buildDNQuery builds the query that finds an LDAP entry with the given DN

+// this is done by setting the DN to be the base DN for the search and setting the search scope

+// to only consider the base object found

+func (o *IdentifiyingLDAPQueryOptions) buildDNQuery(dn string,

+	attributes []string) *ldap.SearchRequest {

+	return ldap.NewSearchRequest(

+		dn,

+		ldap.ScopeBaseObject, // over-ride original

+		int(o.DerefAliases),

+		0, // allowed return size - indicates no limit

+		o.TimeLimit,

+		false,           // not types only

+		"objectClass=*", // filter that returns all values

+		attributes,

+		nil, // no controls

+	)

+}

+

+// buildAttributeQuery builds the query containing a filter that conjoins the common filter given

+// in the configuration with the specific attribute filter for which the attribute value is given

+func (o *IdentifiyingLDAPQueryOptions) buildAttributeQuery(attributeValue string,

+	attributes []string) *ldap.SearchRequest {

+	specificFilter := fmt.Sprintf("%s=%s",

+		ldap.EscapeFilter(o.QueryAttribute),

+		ldap.EscapeFilter(attributeValue))

+

+	filter := fmt.Sprintf("(&(%s)(%s))", o.Filter, specificFilter)

+

+	return ldap.NewSearchRequest(

+		o.BaseDN,

+		int(o.Scope),

+		int(o.DerefAliases),

+		0, // allowed return size - indicates no limit

+		o.TimeLimit,

+		false, // not types only

+		filter,

+		attributes,

+		nil, // no controls

+	)

+}

+

+// QueryForUniqueEntry queries for an LDAP entry on an LDAP server determined from a ClientConfig

+// by creating a search request from the requisite input. The query is expected to return one unqiue

+// result. If this is not the case, errors are raised

+func QueryForUniqueEntry(clientConfig LDAPClientConfig,

+	query *ldap.SearchRequest) (entry *ldap.Entry, err error) {

+

+	result, err := QueryForEntries(clientConfig, query)

+	if err != nil {

+		return nil, err

+	}

+	if len(result) > 1 {

+		return nil, fmt.Errorf("multiple entries found matching %s", query.Filter)

+	}

+	entry = result[0]

+	glog.V(4).Infof("found dn=%q for %s", entry.DN, query.Filter)

+	return entry, nil

+}

+

+// QueryForEntries queries for LDAP entries on an LDAP server determined from a ClientConfig by

+// creating a search request from the requisite input.

+func QueryForEntries(clientConfig LDAPClientConfig,

+	query *ldap.SearchRequest) (result []*ldap.Entry, err error) {

+

+	connection, err := clientConfig.Connect()

+	if err != nil {

+		return nil, err

+	}

+	defer connection.Close()

+

+	glog.V(4).Infof("searching LDAP server for %s", query.Filter)

+	searchResult, err := connection.Search(query)

+	if err != nil {

+		return nil, err

+	}

+

+	entries := searchResult.Entries

+	// No entries returned from the LDAP search request means that the LDAP search was not configured

+	// correctly. The search must return with at least one LDAP entry

+	if len(entries) == 0 {

+		return nil, fmt.Errorf("no LDAP user entry found for filter: %s", query.Filter)

+	}

+

+	for _, entry := range entries {

+		glog.V(4).Infof("found dn=%q for %s", entry.DN, query.Filter)

+	}

+	return entries, nil

+}

new file mode 100644

@@ -0,0 +1,11 @@

+package ldaputil

+

+// These constants contain values for annotations and labels affixed to Groups by the LDAP sync job

+const (

+	// LDAPURLAnnotation is the Annotation value that stores the host:port of the LDAP server

+	LDAPURLAnnotation string = "openshift.io/ldap.url"

+	// LDAPUIDAnnotation is the Annotation value that stores the corresponding LDAP group UID for the Group

+	LDAPUIDAnnotation string = "openshift.io/ldap.uid"

+	// LDAPSyncTime is the Annotation value that stores the last time this Group was synced with LDAP

+	LDAPSyncTimeAnnotation string = "openshift.io/ldap.sync-time"

+)

@@ -242,7 +242,7 @@ func DetermineDerefAliasesBehavior(derefAliasesString string) (DerefAliases, err

 	}

 	derefAliases, exists := mapping[derefAliasesString]

 	if !exists {

-		return -1, fmt.Errorf("not a valid LDAP search scope: %s", derefAliasesString)

+		return -1, fmt.Errorf("not a valid LDAP alias dereferncing behavior: %s", derefAliasesString)

 	}

 	return derefAliases, nil

 }

new file mode 100644

@@ -0,0 +1,124 @@

+package syncgroups

+

+import (

+	"fmt"

+

+	"k8s.io/kubernetes/pkg/fields"

+	"k8s.io/kubernetes/pkg/labels"

+

+	"github.com/openshift/origin/pkg/auth/ldaputil"

+	osclient "github.com/openshift/origin/pkg/client"

+	"github.com/openshift/origin/pkg/cmd/experimental/syncgroups/interfaces"

+	ouserapi "github.com/openshift/origin/pkg/user/api"

+)

+

+// NewAllOpenShiftGroupLister returns a new AllLocalGroupLister

+func NewAllOpenShiftGroupLister(ldapURL string, groupClient osclient.GroupInterface) interfaces.LDAPGroupLister {

+	return &AllLocalGroupLister{

+		client:  groupClient,

+		ldapURL: ldapURL,

+	}

+}

+

+// AllLocalGroupLister lists unique identifiers for LDAP lookup of all local OpenShift Groups that

+// have been marked with an LDAP URL annotation as a result of a previous sync.

+type AllLocalGroupLister struct {

+	client osclient.GroupInterface

+	// ldapURL is the host:port of the LDAP server, used to identify if an OpenShift Group has

+	// been synced with a specific server in order to isolate sync jobs between different servers

+	ldapURL string

+}

+

+func (l *AllLocalGroupLister) ListGroups() (ldapGroupUIDs []string, err error) {

+	allGroups, err := l.client.List(labels.Everything(), fields.Everything())

+	if err != nil {

+		return nil, err

+	}

+

+	var potentialGroups []ouserapi.Group

+	for _, group := range allGroups.Items {

+		val, exists := group.Annotations[ldaputil.LDAPURLAnnotation]

+		if exists && (val == l.ldapURL) {

+			potentialGroups = append(potentialGroups, group)

+		}

+	}

+

+	for _, group := range potentialGroups {

+		if err := validateGroupAnnotations(group); err != nil {

+			return nil, err

+		}

+		ldapGroupUIDs = append(ldapGroupUIDs, group.Annotations[ldaputil.LDAPUIDAnnotation])

+	}

+	return ldapGroupUIDs, nil

+}

+

+// validateGroupAnnotations determines if the appropriate and annotations exist on a group

+func validateGroupAnnotations(group ouserapi.Group) error {

+	_, exists := group.Annotations[ldaputil.LDAPUIDAnnotation]

+	if !exists {

+		return fmt.Errorf("an OpenShift Group marked as having been synced did not have a %s annotation: %v",

+			ldaputil.LDAPUIDAnnotation, group)

+	}

+	return nil

+}

+

+// NewOpenShiftWhitelistGroupLister returns a new LocalGroupLister that divulges the LDAP group unique identifier for

+// each entry in the given whitelist of OpenShift Group names

+func NewOpenShiftWhitelistGroupLister(whitelist []string, client osclient.GroupInterface) interfaces.LDAPGroupLister {

+	return &LocalGroupLister{

+		whitelist: whitelist,

+		client:    client,

+	}

+}

+

+// LocalGroupLister lists unique identifiers for LDAP lookup of all local OpenShift groups that have

+// been given to it upon creation.

+type LocalGroupLister struct {

+	whitelist []string

+	client    osclient.GroupInterface

+}

+

+func (l *LocalGroupLister) ListGroups() (ldapGroupUIDs []string, err error) {

+	groups, err := getOpenShiftGroups(l.whitelist, l.client)

+	if err != nil {

+		return nil, err

+	}

+

+	for _, group := range groups {

+		if err := validateGroupAnnotations(group); err != nil {

+			return nil, err

+		}

+		ldapGroupUIDs = append(ldapGroupUIDs, group.Annotations[ldaputil.LDAPUIDAnnotation])

+	}

+	return ldapGroupUIDs, err

+}

+

+// getOpenShiftGroups uses a client to retrieve all groups from the names given

+func getOpenShiftGroups(names []string, client osclient.GroupInterface) ([]ouserapi.Group, error) {

+	var groups []ouserapi.Group

+	for _, name := range names {

+		group, err := client.Get(name)

+		if err != nil {

+			return nil, err

+		}

+		groups = append(groups, *group)

+	}

+	return groups, nil

+}

+

+// NewLDAPWhitelistGroupLister returns a new WhitelistLDAPGroupLister that divulges the given whitelist

+// of LDAP group unique identifiers

+func NewLDAPWhitelistGroupLister(whitelist []string) interfaces.LDAPGroupLister {

+	return &WhitelistLDAPGroupLister{

+		GroupUIDs: whitelist,

+	}

+}

+

+// LDAPGroupLister lists LDAP groups unique group identifiers given to it upon creation.

+type WhitelistLDAPGroupLister struct {

+	GroupUIDs []string

+}

+

+func (l *WhitelistLDAPGroupLister) ListGroups() (ldapGroupUIDs []string, err error) {

+	return l.GroupUIDs, nil

+}

new file mode 100644

@@ -0,0 +1,59 @@

+package syncgroups

+

+import (

+	"fmt"

+

+	"github.com/openshift/origin/pkg/auth/ldaputil"

+	"github.com/openshift/origin/pkg/cmd/experimental/syncgroups/interfaces"

+)

+

+// NewUserDefinedGroupNameMapper returns a new UserDefinedLDAPGroupNameMapper which maps a ldapGroupUID

+// representing an LDAP group to the OpenShift Group name for the resource

+func NewUserDefinedGroupNameMapper(mapping map[string]string) interfaces.LDAPGroupNameMapper {

+	return &UserDefinedLDAPGroupNameMapper{

+		nameMapping: mapping,

+	}

+}

+

+// UserDefinedLDAPGroupNameMapper maps a ldapGroupUID representing an LDAP group to the OpenShift Group

+// name for the resource by using a pre-defined mapping of ldapGroupUID to name (e.g. from a file)

+type UserDefinedLDAPGroupNameMapper struct {

+	nameMapping map[string]string

+}

+

+func (m *UserDefinedLDAPGroupNameMapper) GroupNameFor(ldapGroupUID string) (string, error) {

+	openShiftGroupName, exists := m.nameMapping[ldapGroupUID]

+	if !exists {

+		return "", fmt.Errorf("no OpenShift Group name defined for LDAP group UID: %s", ldapGroupUID)

+	}

+	return openShiftGroupName, nil

+}

+

+// NewEntryAttributeGroupNameMapper returns a new EntryAttributeLDAPGroupNameMapper

+func NewEntryAttributeGroupNameMapper(nameAttribute []string,

+	groupGetter interfaces.LDAPGroupGetter) interfaces.LDAPGroupNameMapper {

+	return &EntryAttributeLDAPGroupNameMapper{

+		nameAttribute: nameAttribute,

+		groupGetter:   groupGetter,

+	}

+}

+

+// EntryAttributeLDAPGroupNameMapper references the name attribute mapping to determine which attribute

+// of a first-class LDAP group entry should be used as the OpenShift Group name for the resource

+type EntryAttributeLDAPGroupNameMapper struct {

+	nameAttribute []string

+	groupGetter   interfaces.LDAPGroupGetter

+}

+

+func (m *EntryAttributeLDAPGroupNameMapper) GroupNameFor(ldapGroupUID string) (string, error) {

+	group, err := m.groupGetter.GroupEntryFor(ldapGroupUID)

+	if err != nil {

+		return "", err

+	}

+	openShiftGroupName := ldaputil.GetAttributeValue(group, m.nameAttribute)

+	if len(openShiftGroupName) == 0 {

+		return "", fmt.Errorf("the group entry (%v) does not map to an OpenShift Group name with the given name attribute (%v)",

+			group, m.nameAttribute)

+	}

+	return openShiftGroupName, nil

+}

new file mode 100644

@@ -0,0 +1,141 @@

+package syncgroups

+

+import (

+	"fmt"

+	"time"

+

+	"github.com/go-ldap/ldap"

+

+	"github.com/openshift/origin/pkg/auth/ldaputil"

+	"github.com/openshift/origin/pkg/client"

+	"github.com/openshift/origin/pkg/cmd/experimental/syncgroups/interfaces"

+	ouserapi "github.com/openshift/origin/pkg/user/api"

+)

+

+// GroupSyncer runs a Sync job on Groups

+type GroupSyncer interface {

+	Sync() (errors []error)

+}

+

+// LDAPGroupSyncer sync Groups with records on an external LDAP server

+type LDAPGroupSyncer struct {

+	// Lists all groups to be synced

+	GroupLister interfaces.LDAPGroupLister

+	// Fetches a group and extracts object metainformation and membership list from a group

+	GroupMemberExtractor interfaces.LDAPMemberExtractor

+	// Maps an LDAP user entry to an OpenShift User's Name

+	UserNameMapper interfaces.LDAPUserNameMapper

+	// Maps an LDAP group enrty to an OpenShift Group's Name

+	GroupNameMapper interfaces.LDAPGroupNameMapper

+	// Allows the Syncer to search for OpenShift Groups

+	GroupClient client.GroupInterface

+	// Host stores the address:port of the LDAP server

+	Host string

+}

+

+// Sync allows the LDAPGroupSyncer to be a GroupSyncer

+func (s *LDAPGroupSyncer) Sync() []error {

+	var errors []error

+	// determine what to sync

+	ldapGroupUIDs, err := s.GroupLister.ListGroups()

+	if err != nil {

+		errors = append(errors, err)

+		return errors

+	}

+

+	for _, ldapGroupUID := range ldapGroupUIDs {

+		// get membership data

+		memberEntries, err := s.GroupMemberExtractor.ExtractMembers(ldapGroupUID)

+		if err != nil {

+			errors = append(errors, err)

+			continue

+		}

+

+		// determine OpenShift Users' usernames for LDAP group members

+		usernames, err := s.determineUsernames(memberEntries)

+		if err != nil {

+			errors = append(errors, err)

+			continue

+		}

+

+		// update the OpenShift Group corresponding to this record

+		err = s.updateGroup(ldapGroupUID, usernames)

+		if err != nil {

+			errors = append(errors, err)

+		}

+

+	}

+	return errors

+}

+

+// determineUsers determines the OpenShift Users that correspond to a list of LDAP member entries

+func (s *LDAPGroupSyncer) determineUsernames(members []*ldap.Entry) ([]string, error) {

+	var usernames []string

+	for _, member := range members {

+		username, err := s.UserNameMapper.UserNameFor(member)

+		if err != nil {

+			return nil, err

+		}

+		usernames = append(usernames, username)

+	}

+	return usernames, nil

+}

+

+// updateGroup finds or creates the OpenShift Group that needs to be updated, updates its' data, then

+// uses the GroupClient to update the Group record

+func (s *LDAPGroupSyncer) updateGroup(ldapGroupUID string, usernames []string) error {

+	// find OpenShift Group to update

+	group, err := s.findGroup(ldapGroupUID)

+	if err != nil {

+		return err

+	}

+

+	// overwrite Group Users data

+	group.Users = usernames

+

+	// add LDAP-sync-specific annotations