Only search nested group memberships when LDAP_IS_ACTIVE_DIRECTORY is True

2018-11-20 10:37:36 +01:00 · 2018-11-20 10:37:36 +01:00 · da10913045
parent 61839f4aca
commit da10913045
1 changed files with 22 additions and 13 deletions
--- a/lemur/auth/ldap.py
+++ b/lemur/auth/ldap.py
@ -41,6 +41,8 @@ class LdapPrincipal():
        self.ldap_default_role = current_app.config.get("LEMUR_DEFAULT_ROLE", None)
        self.ldap_required_group = current_app.config.get("LDAP_REQUIRED_GROUP", None)
        self.ldap_groups_to_roles = current_app.config.get("LDAP_GROUPS_TO_ROLES", None)
        self.ldap_is_active_directory = current_app.config.get("LDAP_IS_ACTIVE_DIRECTORY", False)
        self.ldap_attrs = ['memberOf']
        self.ldap_client = None
        self.ldap_groups = None
@ -167,20 +169,27 @@ class LdapPrincipal():
        except ldap.LDAPError as e:
            raise Exception("ldap error: {0}".format(e))
-        # Lookup user DN, needed to search for group membership
+        if self.ldap_is_active_directory:
-        userdn = self.ldap_client.search_s(self.ldap_base_dn,
+            # Lookup user DN, needed to search for group membership
-                                           ldap.SCOPE_SUBTREE, ldap_filter,
+            userdn = self.ldap_client.search_s(self.ldap_base_dn,
-                                           ['distinguishedName'])[0][1]['distinguishedName'][0]
+                                               ldap.SCOPE_SUBTREE, ldap_filter,
-        userdn = userdn.decode('utf-8')
+                                               ['distinguishedName'])[0][1]['distinguishedName'][0]
-        # Search all groups that have the userDN as a member
+            userdn = userdn.decode('utf-8')
-        groupfilter = '(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))'.format(userdn)
+            # Search all groups that have the userDN as a member
-        lgroups = self.ldap_client.search_s(self.ldap_base_dn, ldap.SCOPE_SUBTREE, groupfilter, ['cn'])
+            groupfilter = '(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))'.format(userdn)
            lgroups = self.ldap_client.search_s(self.ldap_base_dn, ldap.SCOPE_SUBTREE, groupfilter, ['cn'])
-        # Create a list of group CN's from the result
+            # Create a list of group CN's from the result
-        self.ldap_groups = []
+            self.ldap_groups = []
-        for group in lgroups:
+            for group in lgroups:
-            (dn, values) = group
+                (dn, values) = group
-            self.ldap_groups.append(values['cn'][0].decode('ascii'))
+                self.ldap_groups.append(values['cn'][0].decode('ascii'))
        else:
            lgroups = self.ldap_client.search_s(self.ldap_base_dn,
                                                ldap.SCOPE_SUBTREE, ldap_filter, self.ldap_attrs)[0][1]['memberOf']
            # lgroups is a list of utf-8 encoded strings
            # convert to a single string of groups to allow matching
            self.ldap_groups = b''.join(lgroups).decode('ascii')
        self.ldap_client.unbind()