Add group-based security implementation for non-AD LDAP servers.

This commit is contained in:
Ivan Filippov 2016-04-12 21:12:51 -06:00
parent 05944e8585
commit 5914c3cc86


@ -178,11 +178,16 @@ class User(db.Model):
l.simple_bind_s(ldap_username, self.password) l.simple_bind_s(ldap_username, self.password)
if LDAP_GROUP_SECURITY: if LDAP_GROUP_SECURITY:
try: try:
groupSearchFilter = "(&(objectcategory=group)(member=%s))" % ldap_username if LDAP_TYPE == 'ldap':
uid = result[0][0][1]['uid'][0]
groupSearchFilter = "(&(objectClass=posixGroup)(memberUid=%s))" % uid
else:
groupSearchFilter = "(&(objectcategory=group)(member=%s))" % ldap_username
groups = self.ldap_search(groupSearchFilter, LDAP_SEARCH_BASE) groups = self.ldap_search(groupSearchFilter, LDAP_SEARCH_BASE)
allowedlogin = False allowedlogin = False
isadmin = False isadmin = False
for group in groups: for group in groups:
logging.debug(group)
if (group[0][0] == LDAP_ADMIN_GROUP): if (group[0][0] == LDAP_ADMIN_GROUP):
allowedlogin = True allowedlogin = True
isadmin = True isadmin = True
@ -194,7 +199,7 @@ class User(db.Model):
logging.error('User %s is not part of the "%s" or "%s" groups that allow access to PowerDNS-Admin' % (self.username,LDAP_ADMIN_GROUP,LDAP_USER_GROUP)) logging.error('User %s is not part of the "%s" or "%s" groups that allow access to PowerDNS-Admin' % (self.username,LDAP_ADMIN_GROUP,LDAP_USER_GROUP))
return False return False
except: except:
logging.error('LDAP group lookup for user %s has failed' % self.username) logging.error('LDAP group lookup for user "%s" has failed' % self.username)
logging.info('User "%s" logged in successfully' % self.username) logging.info('User "%s" logged in successfully' % self.username)
# create user if not exist in the db # create user if not exist in the db
@ -227,7 +232,7 @@ class User(db.Model):
self.set_admin(isadmin) self.set_admin(isadmin)
return True return True
except: except:
logging.error('User "%s" input a wrong password(stage2)' % self.username) logging.error('User "%s" input a wrong password' % self.username)
return False return False
else: else:
logging.error('Unsupported authentication method') logging.error('Unsupported authentication method')
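Review bot: The value read on the added line `uid = result[0][0][1]['uid'][0]` is interpolated straight into the group search filter, just as `ldap_username` already is in the else branch, so a uid (or username) containing filter metacharacters changes what the search matches; both should be passed through `ldap.filter.escape_filter_chars(...)` before the `%` substitution, e.g. `groupSearchFilter = "(&(objectClass=posixGroup)(memberUid=%s))" % ldap.filter.escape_filter_chars(uid)`. The same line raises KeyError or IndexError for an entry without a `uid` attribute, and that lands in the bare `except:` of the second hunk, which only logs and then falls through to the "logged in successfully" line instead of denying access; with LDAP_GROUP_SECURITY enabled a failed lookup should end with `return False` after that logging.error. The added `logging.debug(group)` writes the whole group entry to the log; logging just `group[0][0]`, the value already compared to LDAP_ADMIN_GROUP, would be enough once this is settled. The enclosing method and the `result` the uid is read from begin outside the hunk, so whether `isadmin` is defined on the exception path before `self.set_admin(isadmin)` cannot be confirmed from here.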