Merge pull request #1118 from cropalato/master

Fixing AD login if there is a infinity loop in memberOf groups.
This commit is contained in:
Vasileios Markopoulos 2022-04-13 10:15:54 +03:00 committed by GitHub
commit c9c82d4244
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -174,28 +174,6 @@ class User(db.Model):
current_app.logger.error(e) current_app.logger.error(e)
return False return False
def ad_recursive_groups(self, groupDN):
"""
Recursively list groups belonging to a group. It will allow checking deep in the Active Directory
whether a user is allowed to enter or not
"""
LDAP_BASE_DN = Setting().get('ldap_base_dn')
groupSearchFilter = "(&(objectcategory=group)(member=%s))" % ldap.filter.escape_filter_chars(
groupDN)
result = [groupDN]
try:
groups = self.ldap_search(groupSearchFilter, LDAP_BASE_DN)
for group in groups:
result += [group[0][0]]
if 'memberOf' in group[0][1]:
for member in group[0][1]['memberOf']:
result += self.ad_recursive_groups(
member.decode("utf-8"))
return result
except ldap.LDAPError as e:
current_app.logger.exception("Recursive AD Group search error")
return result
def is_validate(self, method, src_ip='', trust_user=False): def is_validate(self, method, src_ip='', trust_user=False):
""" """
Validate user credential Validate user credential
@ -307,7 +285,17 @@ class User(db.Model):
LDAP_USER_GROUP)) LDAP_USER_GROUP))
return False return False
elif LDAP_TYPE == 'ad': elif LDAP_TYPE == 'ad':
user_ldap_groups = [] ldap_admin_group_filter, ldap_operator_group, ldap_user_group = "", "", ""
if LDAP_ADMIN_GROUP:
ldap_admin_group_filter = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_ADMIN_GROUP)
if LDAP_OPERATOR_GROUP:
ldap_operator_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_OPERATOR_GROUP)
if LDAP_USER_GROUP:
ldap_user_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_USER_GROUP)
searchFilter = "(&({0}={1})(|{2}{3}{4}))".format(LDAP_FILTER_USERNAME, self.username,
LDAP_FILTER_GROUP, ldap_admin_group_filter,
ldap_operator_group, ldap_user_group)
ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN)
user_ad_member_of = ldap_result[0][0][1].get( user_ad_member_of = ldap_result[0][0][1].get(
'memberOf') 'memberOf')
@ -317,26 +305,21 @@ class User(db.Model):
.format(self.username)) .format(self.username))
return False return False
for group in [ user_ad_member_of = [g.decode("utf-8") for g in user_ad_member_of]
g.decode("utf-8")
for g in user_ad_member_of
]:
user_ldap_groups += self.ad_recursive_groups(
group)
if (LDAP_ADMIN_GROUP in user_ldap_groups): if (LDAP_ADMIN_GROUP in user_ad_member_of):
role_name = 'Administrator' role_name = 'Administrator'
current_app.logger.info( current_app.logger.info(
'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin' 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'
.format(self.username, .format(self.username,
LDAP_ADMIN_GROUP)) LDAP_ADMIN_GROUP))
elif (LDAP_OPERATOR_GROUP in user_ldap_groups): elif (LDAP_OPERATOR_GROUP in user_ad_member_of):
role_name = 'Operator' role_name = 'Operator'
current_app.logger.info( current_app.logger.info(
'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin' 'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'
.format(self.username, .format(self.username,
LDAP_OPERATOR_GROUP)) LDAP_OPERATOR_GROUP))
elif (LDAP_USER_GROUP in user_ldap_groups): elif (LDAP_USER_GROUP in user_ad_member_of):
current_app.logger.info( current_app.logger.info(
'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin' 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'
.format(self.username, .format(self.username,