Recursively find ActiveDirectory groups to check whether user is in LDAP_ADMIN_GROUP or LDAP_OPERATOR_GROUP
This commit is contained in:
parent
9a4eebfd42
commit
51043837f0
@ -160,6 +160,26 @@ class User(db.Model):
|
||||
logging.error(e)
|
||||
return False
|
||||
|
||||
def ad_recursive_groups(self, groupDN):
|
||||
"""
|
||||
Recursively list groups belonging to a group. It will allow checking deep in the Active Directory
|
||||
whether a user is allowed to enter or not
|
||||
"""
|
||||
LDAP_BASE_DN = Setting().get('ldap_base_dn')
|
||||
groupSearchFilter = "(&(objectcategory=group)(member=%s))" % groupDN
|
||||
result=[ groupDN ]
|
||||
try:
|
||||
groups = self.ldap_search(groupSearchFilter, LDAP_BASE_DN)
|
||||
for group in groups:
|
||||
result += [ group[0][0] ]
|
||||
if 'memberOf' in group[0][1]:
|
||||
for member in group[0][1]['memberOf']:
|
||||
result += self.ad_recursive_groups( member.decode("utf-8") )
|
||||
return result
|
||||
except:
|
||||
logging.exception("Recursive AD Group search error")
|
||||
return result
|
||||
|
||||
def is_validate(self, method, src_ip=''):
|
||||
"""
|
||||
Validate user credential
|
||||
@ -218,8 +238,9 @@ class User(db.Model):
|
||||
logging.error('User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP, LDAP_OPERATOR_GROUP, LDAP_USER_GROUP))
|
||||
return False
|
||||
elif LDAP_TYPE == 'ad':
|
||||
user_ldap_groups = [g.decode("utf-8") for g in ldap_result[0][0][1]['memberOf']]
|
||||
logging.debug('user_ldap_groups: {0}'.format(user_ldap_groups))
|
||||
user_ldap_groups = []
|
||||
for group in [g.decode("utf-8") for g in ldap_result[0][0][1]['memberOf']]:
|
||||
user_ldap_groups += self.ad_recursive_groups( group )
|
||||
|
||||
if (LDAP_ADMIN_GROUP in user_ldap_groups):
|
||||
role_name = 'Administrator'
|
||||
|
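Review bot: `ad_recursive_groups` in the first hunk has no cycle guard, and Active Directory allows circular nesting (a group that is transitively a member of itself), so such a cycle recurses until `RecursionError`, which the bare `except:` then silently turns into a partial group list; a visited set shared across the recursion bounds the walk and also drops the duplicates produced by reaching the same group both through the `member=` search and through `memberOf`. The group DN is spliced into the filter with `%s` without RFC 4515 escaping, so a DN containing `(`, `)`, `*` or `\` breaks or alters the search; if the module uses python-ldap this is `ldap.filter.escape_filter_chars(groupDN)`, which I have not assumed below since the import is not visible here. The `except:` should at least become `except Exception:` so `KeyboardInterrupt` and `SystemExit` are not swallowed while the best-effort behaviour is kept. The rewrite keeps the signature backward-compatible by adding only a private keyword argument.
```python
    def ad_recursive_groups(self, groupDN, _seen=None):
        """
        Recursively list groups belonging to a group. It will allow checking deep in the Active Directory
        whether a user is allowed to enter or not.

        _seen is the set of DNs already visited in this walk; it stops on circular
        group nesting and keeps each group from being returned more than once.
        """
        seen = set() if _seen is None else _seen
        if groupDN in seen:
            return []
        seen.add(groupDN)
        LDAP_BASE_DN = Setting().get('ldap_base_dn')
        # TODO(review): escape groupDN for the filter (RFC 4515) before interpolating it
        groupSearchFilter = "(&(objectcategory=group)(member=%s))" % groupDN
        result = [groupDN]
        try:
            groups = self.ldap_search(groupSearchFilter, LDAP_BASE_DN)
            for group in groups:
                result += [group[0][0]]
                if 'memberOf' in group[0][1]:
                    for member in group[0][1]['memberOf']:
                        result += self.ad_recursive_groups(member.decode("utf-8"), seen)
            return result
        except Exception:
            # best-effort: a failed lookup yields the groups found so far (fails closed)
            logging.exception("Recursive AD Group search error")
            return result
```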