
Issue #41 resolved

Group search bug when LDAP user doesn't contain a gidNumber attribute

Chloe Schulberg
created an issue

Our LDAP schema doesn't use the gidNumber attribute. When we try to check if a user belongs to a specific group (posixGroupType) (with AUTH_LDAP_USER_FLAGS_BY_GROUP for example), django-auth-ldap fails and returns that the user doesn't belong to the group, whereas the group has the correct memberUid attribute. The code concerned is in config.py, PosixGroupType.user_groups. This code fails so the exception is caught:

    ldap_user.attrs['gidNumber'][0]

We have added a test to determine if the array index exists and it works again. The same in is_member:

    def user_groups(self, ldap_user, group_search):
        """
        Searches for any group that is either the user's primary or contains the
        user as a member.
        """
        groups = []

        try:
            user_uid = ldap_user.attrs['uid'][0]
            # gidNumber is optional: schemas without posixAccount don't set it,
            # so only add the primary-group term when the attribute is present.
            if 'gidNumber' in ldap_user.attrs:
                user_gid = ldap_user.attrs['gidNumber'][0]
                filterstr = u'(|(gidNumber=%s)(memberUid=%s))' % (
                    self.ldap.filter.escape_filter_chars(user_gid),
                    self.ldap.filter.escape_filter_chars(user_uid)
                )
            else:
                filterstr = u'(memberUid=%s)' % (
                    self.ldap.filter.escape_filter_chars(user_uid)
                )

            search = group_search.search_with_additional_term_string(filterstr)
            groups = search.execute(ldap_user.connection)
        except (KeyError, IndexError):
            pass

        return groups

    def is_member(self, ldap_user, group_dn):
        """
        Returns True if the group is the user's primary group or if the user is
        listed in the group's memberUid attribute.
        """
        try:
            user_uid = ldap_user.attrs['uid'][0]

            try:
                is_member = ldap_user.connection.compare_s(
                    group_dn.encode('utf-8'), 'memberUid', user_uid.encode('utf-8'))
            except self.ldap.NO_SUCH_ATTRIBUTE:
                is_member = False

            if not is_member:
                # A missing gidNumber raises KeyError here and is handled by the
                # outer except: memberUid was already checked, so not a member.
                try:
                    user_gid = ldap_user.attrs['gidNumber'][0]
                    is_member = ldap_user.connection.compare_s(
                        group_dn.encode('utf-8'), 'gidNumber', user_gid.encode('utf-8'))
                except self.ldap.NO_SUCH_ATTRIBUTE:
                    is_member = False
        except (KeyError, IndexError):
            is_member = False

        return is_member
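The failure mode above (a KeyError on a user entry without gidNumber silently emptying the group list) can be reproduced offline. The following is an added example, not code from django-auth-ldap or the reporter: it builds the posixGroup filter the patched user_groups builds, with an inline stand-in for ldap.filter.escape_filter_chars, and evaluates the same membership criteria against constructed group entries (the directory dict, DNs and uids are constructed sample data).

```python
# Added example, not django-auth-ldap's own code. Sample directory data and
# the escaping helper are constructed so the example runs without a server.

def escape_filter_chars(value):
    """RFC 4515 escaping for values embedded in an LDAP filter; stand-in for
    ldap.filter.escape_filter_chars so untrusted uids can't alter the filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def posix_group_filter(attrs):
    """Filter selecting groups that list the user in memberUid or, only when
    the user entry carries gidNumber, that are the user's primary group."""
    user_uid = attrs['uid'][0]            # required: KeyError means a broken entry
    gid_values = attrs.get('gidNumber')   # optional on schemas without gidNumber
    if gid_values:
        return '(|(gidNumber=%s)(memberUid=%s))' % (
            escape_filter_chars(gid_values[0]), escape_filter_chars(user_uid))
    return '(memberUid=%s)' % escape_filter_chars(user_uid)


def user_groups(attrs, directory):
    """Apply the same criteria as the filter to constructed group entries.
    'directory' maps group DN -> attribute dict; returns matching DNs."""
    user_uid = attrs['uid'][0]
    gid_values = attrs.get('gidNumber')
    user_gid = gid_values[0] if gid_values else None
    matched = []
    for dn, entry in directory.items():
        if user_uid in entry.get('memberUid', []):
            matched.append(dn)
        elif user_gid is not None and user_gid in entry.get('gidNumber', []):
            matched.append(dn)
    return sorted(matched)


# Constructed sample groups: one memberUid-based, one primary-group based.
DIRECTORY = {
    'cn=admins,ou=groups,dc=example,dc=com': {'memberUid': ['alice', 'bob']},
    'cn=staff,ou=groups,dc=example,dc=com': {'gidNumber': ['1000']},
    'cn=guests,ou=groups,dc=example,dc=com': {'memberUid': ['carol']},
}

if __name__ == '__main__':
    print(posix_group_filter({'uid': ['alice']}))
    print(user_groups({'uid': ['alice']}, DIRECTORY))
```

A user entry without gidNumber now still resolves its memberUid groups, while an entry that has one additionally matches its primary group.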
