[Fix] AD recursive problem

- Fixing #1011[https://github.com/PowerDNS-Admin/PowerDNS-Admin/issues/1011]
2025-01-08 19:35:40 +00:00 · 2022-04-07 07:31:27 -04:00 · 2022-04-07 07:31:27 -04:00 · ee0511ff4c
commit ee0511ff4c
parent cd94b5c0ac
1 changed files with 19 additions and 36 deletions
--- a/powerdnsadmin/models/user.py
+++ b/powerdnsadmin/models/user.py
@ -174,28 +174,6 @@ class User(db.Model):
            current_app.logger.error(e)
            return False
    def ad_recursive_groups(self, groupDN):
        """
        Recursively list groups belonging to a group. It will allow checking deep in the Active Directory
        whether a user is allowed to enter or not
        """
        LDAP_BASE_DN = Setting().get('ldap_base_dn')
        groupSearchFilter = "(&(objectcategory=group)(member=%s))" % ldap.filter.escape_filter_chars(
            groupDN)
        result = [groupDN]
        try:
            groups = self.ldap_search(groupSearchFilter, LDAP_BASE_DN)
            for group in groups:
                result += [group[0][0]]
                if 'memberOf' in group[0][1]:
                    for member in group[0][1]['memberOf']:
                        result += self.ad_recursive_groups(
                            member.decode("utf-8"))
            return result
        except ldap.LDAPError as e:
            current_app.logger.exception("Recursive AD Group search error")
            return result
    def is_validate(self, method, src_ip='', trust_user=False):
        """
        Validate user credential
@ -307,7 +285,17 @@ class User(db.Model):
                                                LDAP_USER_GROUP))
                                    return False
                            elif LDAP_TYPE == 'ad':
-                                user_ldap_groups = []
+                                ldap_admin_group_filter, ldap_operator_group, ldap_user_group = "", "", ""
                                if LDAP_ADMIN_GROUP:
                                    ldap_admin_group_filter = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_ADMIN_GROUP)
                                if LDAP_OPERATOR_GROUP:
                                    ldap_operator_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_OPERATOR_GROUP)
                                if LDAP_USER_GROUP:
                                    ldap_user_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_USER_GROUP)
                                searchFilter = "(&({0}={1})(|{2}{3}{4}))".format(LDAP_FILTER_USERNAME, self.username,
                                                                                 LDAP_FILTER_GROUP, ldap_admin_group_filter,
                                                                                 ldap_operator_group, ldap_user_group)
                                ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN)
                                user_ad_member_of = ldap_result[0][0][1].get(
                                    'memberOf')
@ -317,26 +305,21 @@ class User(db.Model):
                                        .format(self.username))
                                    return False
-                                for group in [
+                                user_ad_member_of = [g.decode("utf-8") for g in user_ad_member_of]
                                        g.decode("utf-8")
                                        for g in user_ad_member_of
                                ]:
                                    user_ldap_groups += self.ad_recursive_groups(
                                        group)
-                                if (LDAP_ADMIN_GROUP in user_ldap_groups):
+                                if (LDAP_ADMIN_GROUP in user_ad_member_of):
                                    role_name = 'Administrator'
                                    current_app.logger.info(
                                        'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'
                                        .format(self.username,
                                                LDAP_ADMIN_GROUP))
-                                elif (LDAP_OPERATOR_GROUP in user_ldap_groups):
+                                elif (LDAP_OPERATOR_GROUP in user_ad_member_of):
                                    role_name = 'Operator'
                                    current_app.logger.info(
                                        'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'
                                        .format(self.username,
                                                LDAP_OPERATOR_GROUP))
-                                elif (LDAP_USER_GROUP in user_ldap_groups):
+                                elif (LDAP_USER_GROUP in user_ad_member_of):
                                    current_app.logger.info(
                                        'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'
                                        .format(self.username,