Only search nested group memberships when LDAP_IS_ACTIVE_DIRECTORY is True

This commit is contained in:
Ronald Moesbergen 2018-11-20 10:37:36 +01:00
parent 61839f4aca
commit da10913045
1 changed files with 22 additions and 13 deletions


@ -41,6 +41,8 @@ class LdapPrincipal():
self.ldap_default_role = current_app.config.get("LEMUR_DEFAULT_ROLE", None) self.ldap_default_role = current_app.config.get("LEMUR_DEFAULT_ROLE", None)
self.ldap_required_group = current_app.config.get("LDAP_REQUIRED_GROUP", None) self.ldap_required_group = current_app.config.get("LDAP_REQUIRED_GROUP", None)
self.ldap_groups_to_roles = current_app.config.get("LDAP_GROUPS_TO_ROLES", None) self.ldap_groups_to_roles = current_app.config.get("LDAP_GROUPS_TO_ROLES", None)
self.ldap_is_active_directory = current_app.config.get("LDAP_IS_ACTIVE_DIRECTORY", False)
self.ldap_attrs = ['memberOf']
self.ldap_client = None self.ldap_client = None
self.ldap_groups = None self.ldap_groups = None
@ -167,6 +169,7 @@ class LdapPrincipal():
except ldap.LDAPError as e: except ldap.LDAPError as e:
raise Exception("ldap error: {0}".format(e)) raise Exception("ldap error: {0}".format(e))
if self.ldap_is_active_directory:
# Lookup user DN, needed to search for group membership # Lookup user DN, needed to search for group membership
userdn = self.ldap_client.search_s(self.ldap_base_dn, userdn = self.ldap_client.search_s(self.ldap_base_dn,
ldap.SCOPE_SUBTREE, ldap_filter, ldap.SCOPE_SUBTREE, ldap_filter,
@ -181,6 +184,12 @@ class LdapPrincipal():
for group in lgroups: for group in lgroups:
(dn, values) = group (dn, values) = group
self.ldap_groups.append(values['cn'][0].decode('ascii')) self.ldap_groups.append(values['cn'][0].decode('ascii'))
else:
lgroups = self.ldap_client.search_s(self.ldap_base_dn,
ldap.SCOPE_SUBTREE, ldap_filter, self.ldap_attrs)[0][1]['memberOf']
# lgroups is a list of utf-8 encoded strings
# convert to a single string of groups to allow matching
self.ldap_groups = b''.join(lgroups).decode('ascii')
self.ldap_client.unbind() self.ldap_client.unbind()