Improve LDAP lookup of user groups
This commit is contained in:
parent
9dc0fbb4fe
commit
719bcf7c55
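--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -16,6 +16,7 @@ def create_app(test_config=None):
 'ldap_user': '',
 'ldap_pass': '',
 'ldap_base_dn': '',
+'user_group': '',
 'oidc_tenant': '',
 'oidc_client_id': '',
 'oidc_client_secret': '',
@@ -58,12 +58,15 @@ def save_config():
 user_networks = collections.defaultdict(set)
 ldap = ldap3.Connection(ldap3.Server(settings.get('ldap_host'), use_ssl=True),
 settings.get('ldap_user'), settings.get('ldap_pass'), auto_bind=True)
-for group, network in groups.items():
 ldap.search(settings.get('ldap_base_dn', ''),
-f'(distinguishedName={group})', attributes='member')
-if ldap.entries:
-for user in ldap.entries[0]['member']:
-user_networks[user].add(network)
+'(&(objectClass=user)(objectCategory=person)' + # only people
+'(!(userAccountControl:1.2.840.113556.1.4.803:=2))' + # with enabled accounts
+f'(memberOf:1.2.840.113556.1.4.1941:={settings.get("user_group", "")}))', # in given group, recursively
+attributes=['userPrincipalName', 'memberOf'])
+for entry in ldap.entries:
+for group in entry.memberOf:
+if group in groups:
+user_networks[entry.userPrincipalName.value].add(groups[group])
 
 # Now read the settings again and lock the database while generating
 # config files, then increment version before unlocking.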
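Review bot: The new search filter interpolates `settings.get("user_group", "")` straight into the LDAP filter string, so a value containing `(`, `)`, `*`, `\` or NUL breaks or rewrites the filter (LDAP filter injection); the previous code had the same weakness with `group`, but the rewrite is the moment to fix it. Escape the value before building the filter, e.g. `from ldap3.utils.conv import escape_filter_chars` and `group_dn = escape_filter_chars(settings.get("user_group", ""))`, then `f'(memberOf:1.2.840.113556.1.4.1941:={group_dn}))',`; with an empty setting the filter clause is `memberOf:...:=` and the search returns nothing useful, so an explicit check that `user_group` is configured would make the failure visible instead of silently emptying `user_networks`. A second regression: the old code matched `group` against `distinguishedName` on the server, which is case-insensitive, whereas `if group in groups:` now compares the DN strings returned in `memberOf` against the dict keys byte-for-byte, so any difference in case or whitespace between the stored keys and the directory's canonical DN drops that user. Presumably `groups` is keyed by DN; if so, normalising both sides (e.g. `casefold()`) before the lookup would restore the old matching. The `save_config` function starts and ends outside the hunk.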