Fix AD group based authentication

This commit is contained in:
Khanh Ngo 2018-08-22 16:55:44 +07:00
parent 421ea627d8
commit 24aaf7d746
No known key found for this signature in database
GPG Key ID: B9AE3BAF6D5A7B22

View File

@ -188,13 +188,12 @@ class User(db.Model):
LDAP_USER_GROUP = Setting().get('ldap_user_group') LDAP_USER_GROUP = Setting().get('ldap_user_group')
LDAP_GROUP_SECURITY_ENABLED = Setting().get('ldap_sg_enabled') LDAP_GROUP_SECURITY_ENABLED = Setting().get('ldap_sg_enabled')
if LDAP_TYPE == 'ldap': searchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_USERNAME, self.username, LDAP_FILTER_BASIC)
searchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_USERNAME, self.username, LDAP_FILTER_BASIC) logging.debug('Ldap searchFilter {0}'.format(searchFilter))
logging.debug('Ldap searchFilter "{0}"'.format(searchFilter))
elif LDAP_TYPE == 'ad':
searchFilter = "(&(objectcategory=person)({0}={1}){2})".format(LDAP_FILTER_USERNAME, self.username, LDAP_FILTER_BASIC)
ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN) ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN)
logging.debug('Ldap search result: {0}'.format(ldap_result))
if not ldap_result: if not ldap_result:
logging.warning('LDAP User "{0}" does not exist. Authentication request from {1}'.format(self.username, src_ip)) logging.warning('LDAP User "{0}" does not exist. Authentication request from {1}'.format(self.username, src_ip))
return False return False
@ -205,13 +204,29 @@ class User(db.Model):
# user can be assigned to ADMIN or USER role. # user can be assigned to ADMIN or USER role.
if LDAP_GROUP_SECURITY_ENABLED: if LDAP_GROUP_SECURITY_ENABLED:
try: try:
if (self.ldap_search(searchFilter, LDAP_ADMIN_GROUP)): if LDAP_TYPE == 'ldap':
isadmin = True if (self.ldap_search(searchFilter, LDAP_ADMIN_GROUP)):
logging.info('User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP)) isadmin = True
elif (self.ldap_search(searchFilter, LDAP_USER_GROUP)): logging.info('User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP))
logging.info('User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'.format(self.username, LDAP_USER_GROUP)) elif (self.ldap_search(searchFilter, LDAP_USER_GROUP)):
logging.info('User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'.format(self.username, LDAP_USER_GROUP))
else:
logging.error('User {0} is not part of the "{1}" or "{2}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_USER_GROUP))
return False
elif LDAP_TYPE == 'ad':
user_ldap_groups = [g.decode("utf-8") for g in ldap_result[0][0][1]['memberOf']]
logging.debug('user_ldap_groups: {0}'.format(user_ldap_groups))
if (LDAP_ADMIN_GROUP in user_ldap_groups):
isadmin = True
logging.info('User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP))
elif (LDAP_USER_GROUP in user_ldap_groups):
logging.info('User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'.format(self.username, LDAP_USER_GROUP))
else:
logging.error('User {0} is not part of the "{1}" or "{2}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_USER_GROUP))
return False
else: else:
logging.error('User {0} is not part of the "{1}" or "{2}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_USER_GROUP)) logging.error('Invalid LDAP type')
return False return False
except Exception as e: except Exception as e:
logging.error('LDAP group lookup for user "{0}" has failed. Authentication request from {1}'.format(self.username, src_ip)) logging.error('LDAP group lookup for user "{0}" has failed. Authentication request from {1}'.format(self.username, src_ip))
@ -234,9 +249,13 @@ class User(db.Model):
self.lastname = '' self.lastname = ''
try: try:
# try to get user's firstname, lastname and email address from LDAP attributes # try to get user's firstname, lastname and email address from LDAP attributes
self.firstname = ldap_result[0][0][1]['givenName'][0].decode("utf-8") if LDAP_TYPE == 'ldap':
self.lastname = ldap_result[0][0][1]['sn'][0].decode("utf-8") self.firstname = ldap_result[0][0][1]['givenName'][0].decode("utf-8")
self.email = ldap_result[0][0][1]['mail'][0].decode("utf-8") self.lastname = ldap_result[0][0][1]['sn'][0].decode("utf-8")
self.email = ldap_result[0][0][1]['mail'][0].decode("utf-8")
elif LDAP_TYPE == 'ad':
self.firstname = ldap_result[0][0][1]['name'][0].decode("utf-8")
self.email = ldap_result[0][0][1]['userPrincipalName'][0].decode("utf-8")
except Exception as e: except Exception as e:
logging.warning("Reading ldap data threw an exception {0}".format(e)) logging.warning("Reading ldap data threw an exception {0}".format(e))
logging.debug(traceback.format_exc()) logging.debug(traceback.format_exc())