From 67972123b6d36009d0263cb98ed4bff74d813e39 Mon Sep 17 00:00:00 2001 From: John Warburton Date: Fri, 17 May 2019 09:38:08 +1000 Subject: [PATCH] Add LDAP_GROUP_SECURITY groupOfNames groups support --- app/models.py | 12 +++++++--- .../admin_setting_authentication.html | 22 +++++++++++++++++++ app/views.py | 2 ++ 3 files changed, 33 insertions(+), 3 deletions(-) diff --git a/app/models.py b/app/models.py index 8ae1596..6153181 100644 --- a/app/models.py +++ b/app/models.py @@ -212,6 +212,8 @@ class User(db.Model): LDAP_BASE_DN = Setting().get('ldap_base_dn') LDAP_FILTER_BASIC = Setting().get('ldap_filter_basic') LDAP_FILTER_USERNAME = Setting().get('ldap_filter_username') + LDAP_FILTER_GROUP = Setting().get('ldap_filter_group') + LDAP_FILTER_GROUPNAME = Setting().get('ldap_filter_groupname') LDAP_ADMIN_GROUP = Setting().get('ldap_admin_group') LDAP_OPERATOR_GROUP = Setting().get('ldap_operator_group') LDAP_USER_GROUP = Setting().get('ldap_user_group') @@ -252,15 +254,17 @@ class User(db.Model): if LDAP_GROUP_SECURITY_ENABLED: try: if LDAP_TYPE == 'ldap': - if (self.ldap_search(searchFilter, LDAP_ADMIN_GROUP)): + groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP) + logging.info('groupSearchFilter is {0}'.format(groupSearchFilter)) + if (self.ldap_search(groupSearchFilter, LDAP_ADMIN_GROUP)): role_name = 'Administrator' logging.info( 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'.format(self.username, LDAP_ADMIN_GROUP)) - elif (self.ldap_search(searchFilter, LDAP_OPERATOR_GROUP)): + elif (self.ldap_search(groupSearchFilter, LDAP_OPERATOR_GROUP)): role_name = 'Operator' logging.info('User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'.format( self.username, LDAP_OPERATOR_GROUP)) - elif (self.ldap_search(searchFilter, LDAP_USER_GROUP)): + elif (self.ldap_search(groupSearchFilter, LDAP_USER_GROUP)): logging.info( 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'.format(self.username, LDAP_USER_GROUP)) else: @@ -2015,7 +2019,9 @@ class Setting(db.Model): 'ldap_admin_username': '', 'ldap_admin_password': '', 'ldap_filter_basic': '', + 'ldap_filter_group': '', 'ldap_filter_username': '', + 'ldap_filter_groupname': '', 'ldap_sg_enabled': False, 'ldap_admin_group': '', 'ldap_operator_group': '', diff --git a/app/templates/admin_setting_authentication.html b/app/templates/admin_setting_authentication.html index 6e634b1..e5dda1b 100644 --- a/app/templates/admin_setting_authentication.html +++ b/app/templates/admin_setting_authentication.html @@ -140,6 +140,16 @@ +
+ + + +
+
+ + + +
GROUP SECURITY @@ -221,6 +231,12 @@
  • Username field - The field PDA will look for user's username. (e.g. uid for OpenLDAP and sAMAccountName for Active Directory)
    • +
  • + Group filter - The filter that will be applied to all LDAP group queries by PDA. (e.g. (objectClass=groupOfNames) for OpenLDAP) +
    • +
  • + Group name field - The field PDA will look for group names. (e.g. member for OpenLDAP) +
    • GROUP SECURITY
    @@ -475,7 +491,9 @@ $('#ldap_domain').prop('required', true); } $('#ldap_filter_basic').prop('required', true); + $('#ldap_filter_group').prop('required', true); $('#ldap_filter_username').prop('required', true); + $('#ldap_filter_groupname').prop('required', true); if ($('#ldap_sg_on').is(":checked")) { $('#ldap_admin_group').prop('required', true); @@ -489,7 +507,9 @@ $('#ldap_admin_username').prop('required', false); $('#ldap_admin_password').prop('required', false); $('#ldap_filter_basic').prop('required', false); + $('#ldap_filter_group').prop('required', false); $('#ldap_filter_username').prop('required', false); + $('#ldap_filter_groupname').prop('required', false); if ($('#ldap_sg_on').is(":checked")) { $('#ldap_admin_group').prop('required', false); @@ -539,7 +559,9 @@ $('#ldap_domain').prop('required', true); } $('#ldap_filter_basic').prop('required', true); + $('#ldap_filter_group').prop('required', true); $('#ldap_filter_username').prop('required', true); + $('#ldap_filter_groupname').prop('required', true); if ($('#ldap_sg_on').is(":checked")) { $('#ldap_admin_group').prop('required', true); diff --git a/app/views.py b/app/views.py index b94cbff..073e40f 100755 --- a/app/views.py +++ b/app/views.py @@ -1671,7 +1671,9 @@ def admin_setting_authentication(): Setting().set('ldap_admin_username', request.form.get('ldap_admin_username')) Setting().set('ldap_admin_password', request.form.get('ldap_admin_password')) Setting().set('ldap_filter_basic', request.form.get('ldap_filter_basic')) + Setting().set('ldap_filter_group', request.form.get('ldap_filter_group')) Setting().set('ldap_filter_username', request.form.get('ldap_filter_username')) + Setting().set('ldap_filter_groupname', request.form.get('ldap_filter_groupname')) Setting().set('ldap_sg_enabled', True if request.form.get('ldap_sg_enabled')=='ON' else False) Setting().set('ldap_admin_group', request.form.get('ldap_admin_group')) Setting().set('ldap_operator_group', request.form.get('ldap_operator_group'))