
0004-ldap-bind-serverctrls-is-not-used-when-use_controls-.patch

Loïc Dachary, 11 February 2021 04:10 PM


Subject: [PATCH 4/4] ldap: bind serverctrls is not used when use_controls is
 false

 src/authentic2/backends/ldap_backend.py | 12 +++++---
 tests/test_ldap.py                      | 37 ++++++++++++++++++++-----
 2 files changed, 38 insertions(+), 11 deletions(-)
src/authentic2/backends/ldap_backend.py
540 540
        'can_reset_password': False,
541 541
        # mapping from LDAP attributes to User attributes
542 542
        'user_attributes': [],
543
        # https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap-controls
544
        'use_controls': True,
543 545
    }
544 546
    _REQUIRED = ('url', 'basedn')
545 547
    _TO_ITERABLE = ('url', 'groupsu', 'groupstaff', 'groupactive')
......
672 674
                        if failed:
673 675
                            continue
674 676
                        try:
675
                            results = conn.simple_bind_s(authz_id, password, serverctrls=[
676
                                ppolicy.PasswordPolicyControl()
677
                            ])
677
                            if block.get('use_controls'):
678
                                serverctrls = [ppolicy.PasswordPolicyControl()]
679
                            else:
680
                                serverctrls = []
681
                            results = conn.simple_bind_s(authz_id, password, serverctrls=serverctrls)
678 682
                            self.process_controls(request, authz_id, results[3])
679 683
                            user_login_success(authz_id)
680 684
                            if not block['connect_with_user_credentials']:
......
685 689
                                    raise ldap.SERVER_DOWN
686 690
                            break
687 691
                        except ldap.INVALID_CREDENTIALS as e:
688
                            if len(e.args) > 0 and 'ctrls' in e.args[0]:
692
                            if block.get('use_controls') and len(e.args) > 0 and 'ctrls' in e.args[0]:
689 693
                                self.process_controls(request, authz_id, DecodeControlTuples(e.args[0]['ctrls']))
690 694
                            user_login_failure(authz_id)
691 695
                            pass
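Review bot: The success path at new line 682 still calls `self.process_controls(request, authz_id, results[3])` unconditionally, while the INVALID_CREDENTIALS path at new line 692 is now gated on `block.get('use_controls')`; the two branches should agree, e.g. `if block.get('use_controls'): self.process_controls(request, authz_id, results[3])`, so that a server which returns controls unsolicited is treated the same way on both paths. The new `'use_controls': True` default at line 544 carries only a URL; since the test in this patch shows that disabling it also stops "account is locked" from being logged, a one-line comment such as `# request the password-policy control on bind; when False, lockout/expiry responses are neither requested nor processed` would tell operators what they give up by turning it off. The five-line `if/else` at new lines 677-681 could also be written as a single conditional expression, `serverctrls = [ppolicy.PasswordPolicyControl()] if block.get('use_controls') else []`. The enclosing authentication method starts and ends outside this hunk.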
tests/test_ldap.py
951 951
    assert 'account is locked' in str(response.pyquery('.messages'))
952 952

  
953 953

  
954
def test_authenticate_ppolicy_pwdMaxFailure(slapd_ppolicy, settings, db, caplog):
955
    settings.LDAP_AUTH_SETTINGS = [{
956
        'url': [slapd_ppolicy.ldap_url],
957
        'basedn': u'o=ôrga',
958
        'use_tls': False,
959
    }]
960

  
954
def ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog):
961 955
    pwdMaxFailure = 2
962 956
    slapd_ppolicy.add_ldif('''
963 957
dn: cn=default,ou=ppolicies,o=ôrga
......
987 981
    for _ in range(pwdMaxFailure):
988 982
        assert authenticate(username=USERNAME, password='incorrect') is None
989 983
        assert "failed to login" in caplog.text
984

  
985

  
986
def test_authenticate_ppolicy_pwdMaxFailure(slapd_ppolicy, settings, db, caplog):
987
    settings.LDAP_AUTH_SETTINGS = [{
988
        'url': [slapd_ppolicy.ldap_url],
989
        'basedn': u'o=ôrga',
990
        'use_tls': False,
991
    }]
992

  
993
    ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog)
990 994
    assert 'account is locked' not in caplog.text
991 995
    assert authenticate(username=USERNAME, password='incorrect') is None
992 996
    assert 'account is locked' in caplog.text
993 997

  
994 998

  
999
def test_do_not_use_controls(slapd_ppolicy, settings, db, caplog):
1000
    """
1001
    Same as test_authenticate_ppolicy_pwdMaxFailure but with use_controls
1002
    deactivated and therefore not logging when an account is locked.
1003
    """
1004
    settings.LDAP_AUTH_SETTINGS = [{
1005
        'url': [slapd_ppolicy.ldap_url],
1006
        'basedn': u'o=ôrga',
1007
        'use_tls': False,
1008
        'use_controls': False,
1009
    }]
1010

  
1011
    ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog)
1012
    assert 'account is locked' not in caplog.text
1013
    assert authenticate(username=USERNAME, password='incorrect') is None
1014
    # this following line is the difference with test_authenticate_ppolicy_pwdMaxFailure
1015
    assert 'account is locked' not in caplog.text
1016

  
1017

  
995 1018
def test_authenticate_ppolicy_pwdGraceAuthnLimit(slapd_ppolicy, settings, db, caplog):
996 1019
    settings.LDAP_AUTH_SETTINGS = [{
997 1020
        'url': [slapd_ppolicy.ldap_url],
998
-