Recursively find ActiveDirectory groups to check whether user is in LDAP_ADMIN_GROUP or LDAP_OPERATOR_GROUP

This commit is contained in:
Olivier DUMAS 2018-10-01 19:27:52 +02:00
parent 9a4eebfd42
commit 51043837f0


@ -160,6 +160,26 @@ class User(db.Model):
logging.error(e) logging.error(e)
return False return False
def ad_recursive_groups(self, groupDN):
"""
Recursively list groups belonging to a group. It will allow checking deep in the Active Directory
whether a user is allowed to enter or not
"""
LDAP_BASE_DN = Setting().get('ldap_base_dn')
groupSearchFilter = "(&(objectcategory=group)(member=%s))" % groupDN
result=[ groupDN ]
try:
groups = self.ldap_search(groupSearchFilter, LDAP_BASE_DN)
for group in groups:
result += [ group[0][0] ]
if 'memberOf' in group[0][1]:
for member in group[0][1]['memberOf']:
result += self.ad_recursive_groups( member.decode("utf-8") )
return result
except:
logging.exception("Recursive AD Group search error")
return result
def is_validate(self, method, src_ip=''): def is_validate(self, method, src_ip=''):
""" """
Validate user credential Validate user credential
@ -218,8 +238,9 @@ class User(db.Model):
logging.error('User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_OPERATOR_GROUP, LDAP_USER_GROUP)) logging.error('User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_OPERATOR_GROUP, LDAP_USER_GROUP))
return False return False
elif LDAP_TYPE == 'ad': elif LDAP_TYPE == 'ad':
user_ldap_groups = [g.decode("utf-8") for g in ldap_result[0][0][1]['memberOf']] user_ldap_groups = []
logging.debug('user_ldap_groups: {0}'.format(user_ldap_groups)) for group in [g.decode("utf-8") for g in ldap_result[0][0][1]['memberOf']]:
user_ldap_groups += self.ad_recursive_groups( group )
if (LDAP_ADMIN_GROUP in user_ldap_groups): if (LDAP_ADMIN_GROUP in user_ldap_groups):
role_name = 'Administrator' role_name = 'Administrator'
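Review bot: ad_recursive_groups in the first hunk has no cycle or duplicate guard, so a directory with circular nesting (group A a member of B and B a member of A, which Active Directory permits) recurses until RecursionError, and diamond-shaped nesting re-expands the same group once per path; both land in the bare `except:`, which also swallows SystemExit and KeyboardInterrupt and then returns a partial list that the caller at `if (LDAP_ADMIN_GROUP in user_ldap_groups):` in the second hunk treats as the user's complete group set. Threading a `seen` set through the recursion and narrowing the handler to `except Exception:` fixes both. Separately, groupDN is formatted straight into the filter on the line `groupSearchFilter = "(&(objectcategory=group)(member=%s))" % groupDN`; a DN containing `(`, `)`, `*` or `\` is legal in AD and would make the filter invalid or match other entries, so it should be escaped before interpolation (with python-ldap that is `ldap.filter.escape_filter_chars(groupDN)` — I am inferring python-ldap from the bytes attribute values, confirm against the import). The rewrite below keeps the signature backward-compatible by giving `seen` a default.

```python
def ad_recursive_groups(self, groupDN, seen=None):
    # … unchanged: docstring, LDAP_BASE_DN, groupSearchFilter (escape groupDN, see note) …
    if seen is None:
        seen = set()
    if groupDN in seen:
        # already expanded via another path; AD permits circular nesting
        return []
    seen.add(groupDN)
    result = [groupDN]
    try:
        # … unchanged: ldap_search call and the loop over groups …
                    result += self.ad_recursive_groups(member.decode("utf-8"), seen)
        return result
    except Exception:
        logging.exception("Recursive AD Group search error")
        return result
```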