Only search nested group memberships when LDAP_IS_ACTIVE_DIRECTORY is True
This commit is contained in:
parent
61839f4aca
commit
da10913045
|
@ -41,6 +41,8 @@ class LdapPrincipal():
|
||||||
self.ldap_default_role = current_app.config.get("LEMUR_DEFAULT_ROLE", None)
|
self.ldap_default_role = current_app.config.get("LEMUR_DEFAULT_ROLE", None)
|
||||||
self.ldap_required_group = current_app.config.get("LDAP_REQUIRED_GROUP", None)
|
self.ldap_required_group = current_app.config.get("LDAP_REQUIRED_GROUP", None)
|
||||||
self.ldap_groups_to_roles = current_app.config.get("LDAP_GROUPS_TO_ROLES", None)
|
self.ldap_groups_to_roles = current_app.config.get("LDAP_GROUPS_TO_ROLES", None)
|
||||||
|
self.ldap_is_active_directory = current_app.config.get("LDAP_IS_ACTIVE_DIRECTORY", False)
|
||||||
|
self.ldap_attrs = ['memberOf']
|
||||||
self.ldap_client = None
|
self.ldap_client = None
|
||||||
self.ldap_groups = None
|
self.ldap_groups = None
|
||||||
|
|
||||||
|
@ -167,6 +169,7 @@ class LdapPrincipal():
|
||||||
except ldap.LDAPError as e:
|
except ldap.LDAPError as e:
|
||||||
raise Exception("ldap error: {0}".format(e))
|
raise Exception("ldap error: {0}".format(e))
|
||||||
|
|
||||||
|
if self.ldap_is_active_directory:
|
||||||
# Lookup user DN, needed to search for group membership
|
# Lookup user DN, needed to search for group membership
|
||||||
userdn = self.ldap_client.search_s(self.ldap_base_dn,
|
userdn = self.ldap_client.search_s(self.ldap_base_dn,
|
||||||
ldap.SCOPE_SUBTREE, ldap_filter,
|
ldap.SCOPE_SUBTREE, ldap_filter,
|
||||||
|
@ -181,6 +184,12 @@ class LdapPrincipal():
|
||||||
for group in lgroups:
|
for group in lgroups:
|
||||||
(dn, values) = group
|
(dn, values) = group
|
||||||
self.ldap_groups.append(values['cn'][0].decode('ascii'))
|
self.ldap_groups.append(values['cn'][0].decode('ascii'))
|
||||||
|
else:
|
||||||
|
lgroups = self.ldap_client.search_s(self.ldap_base_dn,
|
||||||
|
ldap.SCOPE_SUBTREE, ldap_filter, self.ldap_attrs)[0][1]['memberOf']
|
||||||
|
# lgroups is a list of utf-8 encoded strings
|
||||||
|
# convert to a single string of groups to allow matching
|
||||||
|
self.ldap_groups = b''.join(lgroups).decode('ascii')
|
||||||
|
|
||||||
self.ldap_client.unbind()
|
self.ldap_client.unbind()
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue