Development #56115
LDAP Backend : check_group_to_role_mappings / get_groups_dns ne supportent pas le cas ou group_filter n'est pas défini
0%
Description
Nous avons des installations ou le mapping users/groups se fait uniquement sur les valeurs de l'attribut memberof (pas de recherches de groupes via group_filter ) et du coup, nous désactivons la recherche de groupes via group_filter pour éviter des recherches inutiles et chronophages ( group_filter="" ). Jusqu'ici, nous avions aucun problème avec ce cas de figure, mais le commit suivant introduit un problème :
commit 3cdd9e7d29320796fff4fb3c5460cce5a1020eb3 Author: Serghei Mihai <smihai@entrouvert.com> Date: Mon Feb 15 14:32:38 2021 +0100 ldap: log missing group dn when mapped to a role (#50928) diff --git a/src/authentic2/backends/ldap_backend.py b/src/authentic2/backends/ldap_backend.py index 28f212e3..1c1c74ce 100644 --- a/src/authentic2/backends/ldap_backend.py +++ b/src/authentic2/backends/ldap_backend.py @@ -589,6 +589,27 @@ class LDAPBackend(object): message = str(vars(c)) log.info('ldap: bind error with authz_id "%s" -> "%s"', authz_id, message) + @classmethod + def check_group_to_role_mappings(cls, block): + group_to_role_mapping = block.get('group_to_role_mapping') + if not group_to_role_mapping: + return + for conn in cls.get_connections(block): + existing_groups = cls.get_groups_dns(conn, block) + for group_dn, role_slugs in group_to_role_mapping: + if group_dn in existing_groups: + continue + log.warning('ldap: unknown group "%s" mapped to a role', group_dn) + + @classmethod + def get_groups_dns(cls, conn, block): + group_base_dn = block['group_basedn'] or block['basedn'] + # 1.1 is special attribute meaning, "no attribute requested" + results = conn.search_s(group_base_dn, ldap.SCOPE_SUBTREE, + block['group_filter'], ['1.1']) + results = cls.normalize_ldap_results(results) + return set([group_dn for group_dn, attrs in results]) + def authenticate(self, request=None, username=None, password=None, realm=None, ou=None): if username is None or password is None: return None @@ -1310,6 +1331,7 @@ class LDAPBackend(object): if conn is None: logger.warning(u'unable to synchronize with LDAP servers %s', force_text(block['url'])) continue + cls.check_group_to_role_mappings(block) user_basedn = force_text(block.get('user_basedn') or block['basedn']) user_filter = force_text(block['sync_ldap_users_filter'] or block['user_filter']) user_filter = user_filter.replace('%s', '*') [...]
Les méthodes check_group_to_role_mappings et get_groups_dns ne vérifie pas que group_filter est défini avant de l'utiliser ce qui fait planter la synchronisation :
Traceback (most recent call last): File "/usr/lib/authentic2/manage.py", line 20, in <module> execute_from_command_line(sys.argv[:1] + argv) File "/usr/lib/python3/dist-packages/django/core/management/__init__.py", line 364, in execute_from_command_line utility.execute() File "/usr/lib/python3/dist-packages/django/core/management/__init__.py", line 356, in execute self.fetch_command(subcommand).run_from_argv(self.argv) File "/usr/lib/python3/dist-packages/django/core/management/base.py", line 283, in run_from_argv self.execute(*args, **cmd_options) File "/usr/lib/python3/dist-packages/django/core/management/base.py", line 330, in execute output = self.handle(*args, **options) File "/usr/lib/python3/dist-packages/authentic2/management/commands/sync-ldap-users.py", line 34, in handle for user in LDAPBackend.get_users(): File "/usr/lib/python3/dist-packages/authentic2/backends/ldap_backend.py", line 1541, in get_users cls.check_group_to_role_mappings(block) File "/usr/lib/python3/dist-packages/authentic2/backends/ldap_backend.py", line 690, in check_group_to_role_mappings existing_groups = cls.get_groups_dns(conn, block) File "/usr/lib/python3/dist-packages/authentic2/backends/ldap_backend.py", line 700, in get_groups_dns results = conn.search_s(group_base_dn, ldap.SCOPE_SUBTREE, block['group_filter'], ['1.1']) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 852, in search_s return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1259, in search_ext_s return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s return func(self,*args,**kwargs) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 846, in search_ext_s return self.result(msgid,all=1,timeout=timeout)[1] File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 738, in result resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 742, in result2 resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 749, in result3 resp_ctrl_classes=resp_ctrl_classes File "/usr/lib/python3/dist-packages/authentic2/backends/ldap_backend.py", line 174, in result4 resp_ctrl_classes=resp_ctrl_classes, File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 756, in result4 ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call reraise(exc_type, exc_value, exc_traceback) File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise raise exc_value File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call result = func(*args,**kwargs) ldap.PROTOCOL_ERROR: {'desc': 'Protocol error'}
Je joins un hot-patch qui ajoute la gestion de ce cas.
Note : Au passage, pour désactiver la recherche via group_filter, on est obligé de mettre group_filter="" car on ne peut pas bêtement mettre group_filter=None qui génère une erreur :
[...] File "/usr/lib/python3/dist-packages/authentic2/backends/ldap_backend.py", line 1782, in update_default raise ImproperlyConfigured('LDAP_AUTH_SETTINGS: attribute %r must be a string' % d) django.core.exceptions.ImproperlyConfigured: LDAP_AUTH_SETTINGS: attribute 'group_filter' must be a string
Fichiers
Révisions associées
Historique
Mis à jour par Valentin Deniaud il y a plus de 2 ans
- Fichier 0001-ldap_backend-do-not-check-group-dns-if-there-is-no-g.patch 0001-ldap_backend-do-not-check-group-dns-if-there-is-no-g.patch ajouté
- Tracker changé de Support à Development
- Statut changé de Nouveau à Solution proposée
Mis à jour par Serghei Mihai il y a plus de 2 ans
- Statut changé de Solution proposée à Solution validée
Mis à jour par Valentin Deniaud il y a plus de 2 ans
- Statut changé de Solution validée à Résolu (à déployer)
commit 73aaee270ab31b87888e2d46395eb188be8633d0 Author: Valentin Deniaud <vdeniaud@entrouvert.com> Date: Mon Aug 23 17:28:45 2021 +0200 ldap_backend: do not check group dns if there is no group filter (#56115)
Mis à jour par Frédéric Péters il y a plus de 2 ans
- Statut changé de Résolu (à déployer) à Solution déployée
ldap_backend: do not check group dns if there is no group filter (#56115)