0004-ldap-bind-serverctrls-is-not-used-when-use_controls-.patch
src/authentic2/backends/ldap_backend.py | ||
540 | 540 |
'can_reset_password': False, |
541 | 541 |
# mapping from LDAP attributes to User attributes |
542 | 542 |
'user_attributes': [], |
543 |
# https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap-controls |
|
544 |
'use_controls': True, |
|
543 | 545 |
} |
544 | 546 |
_REQUIRED = ('url', 'basedn') |
545 | 547 |
_TO_ITERABLE = ('url', 'groupsu', 'groupstaff', 'groupactive') |
... | ... | |
672 | 674 |
if failed: |
673 | 675 |
continue |
674 | 676 |
try: |
675 |
results = conn.simple_bind_s(authz_id, password, serverctrls=[ |
|
676 |
ppolicy.PasswordPolicyControl() |
|
677 |
]) |
|
677 |
if block.get('use_controls'): |
|
678 |
serverctrls = [ppolicy.PasswordPolicyControl()] |
|
679 |
else: |
|
680 |
serverctrls = [] |
|
681 |
results = conn.simple_bind_s(authz_id, password, serverctrls=serverctrls) |
|
678 | 682 |
self.process_controls(request, authz_id, results[3]) |
679 | 683 |
user_login_success(authz_id) |
680 | 684 |
if not block['connect_with_user_credentials']: |
... | ... | |
685 | 689 |
raise ldap.SERVER_DOWN |
686 | 690 |
break |
687 | 691 |
except ldap.INVALID_CREDENTIALS as e: |
688 |
if len(e.args) > 0 and 'ctrls' in e.args[0]: |
|
692 |
if block.get('use_controls') and len(e.args) > 0 and 'ctrls' in e.args[0]:
|
|
689 | 693 |
self.process_controls(request, authz_id, DecodeControlTuples(e.args[0]['ctrls'])) |
690 | 694 |
user_login_failure(authz_id) |
691 | 695 |
pass |
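Review bot: The success path still calls `self.process_controls(request, authz_id, results[3])` unconditionally, while the INVALID_CREDENTIALS branch is now guarded by `block.get('use_controls')`; the two paths should be guarded the same way, e.g. `if block.get('use_controls'):` followed by the indented `self.process_controls(request, authz_id, results[3])`, so that a bind made with an empty `serverctrls` list never hands whatever `results[3]` holds to the control parser (presumably an empty list today, but that is inferred, not shown). The new code also mixes `block.get('use_controls')` with the existing `block['connect_with_user_credentials']` on the line just below; since the defaults table now carries `'use_controls': True`, either index form works and picking one keeps the block consistent. The comment on the new default only links the python-ldap reference; since the test added in this commit documents that disabling the option stops the locked-account message from being logged, a one-line comment such as `# False skips the ppolicy response control, so lockout/expiry feedback from the server is neither processed nor logged` next to `'use_controls': True` would tell operators what they are giving up. The enclosing authenticate loop starts before and ends after this hunk.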
tests/test_ldap.py | ||
951 | 951 |
assert 'account is locked' in str(response.pyquery('.messages')) |
952 | 952 | |
953 | 953 | |
954 |
def test_authenticate_ppolicy_pwdMaxFailure(slapd_ppolicy, settings, db, caplog): |
|
955 |
settings.LDAP_AUTH_SETTINGS = [{ |
|
956 |
'url': [slapd_ppolicy.ldap_url], |
|
957 |
'basedn': u'o=ôrga', |
|
958 |
'use_tls': False, |
|
959 |
}] |
|
960 | ||
954 |
def ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog): |
|
961 | 955 |
pwdMaxFailure = 2 |
962 | 956 |
slapd_ppolicy.add_ldif(''' |
963 | 957 |
dn: cn=default,ou=ppolicies,o=ôrga |
... | ... | |
987 | 981 |
for _ in range(pwdMaxFailure): |
988 | 982 |
assert authenticate(username=USERNAME, password='incorrect') is None |
989 | 983 |
assert "failed to login" in caplog.text |
984 | ||
985 | ||
986 |
def test_authenticate_ppolicy_pwdMaxFailure(slapd_ppolicy, settings, db, caplog): |
|
987 |
settings.LDAP_AUTH_SETTINGS = [{ |
|
988 |
'url': [slapd_ppolicy.ldap_url], |
|
989 |
'basedn': u'o=ôrga', |
|
990 |
'use_tls': False, |
|
991 |
}] |
|
992 | ||
993 |
ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog) |
|
990 | 994 |
assert 'account is locked' not in caplog.text |
991 | 995 |
assert authenticate(username=USERNAME, password='incorrect') is None |
992 | 996 |
assert 'account is locked' in caplog.text |
993 | 997 | |
994 | 998 | |
999 |
def test_do_not_use_controls(slapd_ppolicy, settings, db, caplog): |
|
1000 |
""" |
|
1001 |
Same as test_authenticate_ppolicy_pwdMaxFailure but with use_controls |
|
1002 |
deactivated and therefore not logging when an account is locked. |
|
1003 |
""" |
|
1004 |
settings.LDAP_AUTH_SETTINGS = [{ |
|
1005 |
'url': [slapd_ppolicy.ldap_url], |
|
1006 |
'basedn': u'o=ôrga', |
|
1007 |
'use_tls': False, |
|
1008 |
'use_controls': False, |
|
1009 |
}] |
|
1010 | ||
1011 |
ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog) |
|
1012 |
assert 'account is locked' not in caplog.text |
|
1013 |
assert authenticate(username=USERNAME, password='incorrect') is None |
|
1014 |
# this following line is the difference with test_authenticate_ppolicy_pwdMaxFailure |
|
1015 |
assert 'account is locked' not in caplog.text |
|
1016 | ||
1017 | ||
995 | 1018 |
def test_authenticate_ppolicy_pwdGraceAuthnLimit(slapd_ppolicy, settings, db, caplog): |
996 | 1019 |
settings.LDAP_AUTH_SETTINGS = [{ |
997 | 1020 |
'url': [slapd_ppolicy.ldap_url], |
998 |
- |