Fix LDAP group restrictions by allowing the use of any combination of groups. (#1463)

This commit is contained in:
Matt Scott 2023-03-18 19:15:01 -04:00 committed by GitHub
commit d3da1e43ed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 23 deletions


@ -255,33 +255,24 @@ class User(db.Model):
if LDAP_TYPE == 'ldap': if LDAP_TYPE == 'ldap':
groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP) groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP)
current_app.logger.debug('Ldap groupSearchFilter {0}'.format(groupSearchFilter)) current_app.logger.debug('Ldap groupSearchFilter {0}'.format(groupSearchFilter))
if (self.ldap_search(groupSearchFilter, if (LDAP_ADMIN_GROUP and self.ldap_search(groupSearchFilter, LDAP_ADMIN_GROUP)):
LDAP_ADMIN_GROUP)):
role_name = 'Administrator' role_name = 'Administrator'
current_app.logger.info( current_app.logger.info(
'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin' 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'
.format(self.username, .format(self.username, LDAP_ADMIN_GROUP))
LDAP_ADMIN_GROUP)) elif (LDAP_OPERATOR_GROUP and self.ldap_search(groupSearchFilter, LDAP_OPERATOR_GROUP)):
elif (self.ldap_search(groupSearchFilter,
LDAP_OPERATOR_GROUP)):
role_name = 'Operator' role_name = 'Operator'
current_app.logger.info( current_app.logger.info(
'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin' 'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'
.format(self.username, .format(self.username, LDAP_OPERATOR_GROUP))
LDAP_OPERATOR_GROUP)) elif (LDAP_USER_GROUP and self.ldap_search(groupSearchFilter, LDAP_USER_GROUP)):
elif (self.ldap_search(groupSearchFilter,
LDAP_USER_GROUP)):
current_app.logger.info( current_app.logger.info(
'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin' 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'
.format(self.username, .format(self.username, LDAP_USER_GROUP))
LDAP_USER_GROUP))
else: else:
current_app.logger.error( current_app.logger.error(
'User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin' 'User {0} is not part of any security groups that allow access to PowerDNS-Admin'
.format(self.username, .format(self.username))
LDAP_ADMIN_GROUP,
LDAP_OPERATOR_GROUP,
LDAP_USER_GROUP))
return False return False
elif LDAP_TYPE == 'ad': elif LDAP_TYPE == 'ad':
ldap_group_security_roles = OrderedDict( ldap_group_security_roles = OrderedDict(
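Review bot: With all three group settings now optional, the new `LDAP_ADMIN_GROUP and ...` / `LDAP_OPERATOR_GROUP and ...` / `LDAP_USER_GROUP and ...` guards mean that a deployment with group restriction on but no group configured sends every LDAP user into the `else` branch and `return False` — fail-closed, which is the right default, but the log line blames group membership rather than the configuration, so the operator gets no hint that nothing can ever match. Consider emitting a one-time warning before the chain, e.g. `if not (LDAP_ADMIN_GROUP or LDAP_OPERATOR_GROUP or LDAP_USER_GROUP):` followed by `current_app.logger.warning('LDAP group restriction is enabled but no admin, operator or user group is configured; all LDAP logins will be denied')`. The untouched context line `groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP)` interpolates the username straight into the filter; unless `ldap_username` has already been passed through `ldap.filter.escape_filter_chars` earlier in the method (not visible here), a crafted username can rewrite the filter that decides the role. The enclosing method starts before the hunk and the `elif LDAP_TYPE == 'ad':` branch continues past it.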


@ -1772,12 +1772,6 @@
$('#ldap_filter_username').prop('required', true); $('#ldap_filter_username').prop('required', true);
$('#ldap_filter_groupname').prop('required', true); $('#ldap_filter_groupname').prop('required', true);
if ($('#ldap_sg_on').is(":checked")) {
$('#ldap_admin_group').prop('required', true);
$('#ldap_operator_group').prop('required', true);
$('#ldap_user_group').prop('required', true);
}
if ($('#autoprovisioning_on').is(":checked")) { if ($('#autoprovisioning_on').is(":checked")) {
$('#autoprovisioning_attribute').prop('required', true); $('#autoprovisioning_attribute').prop('required', true);
$('#urn_value').prop('required', true); $('#urn_value').prop('required', true);