From d33fec65a2c5dfe8bc009e587b1d8ace177762dc Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Mon, 22 Apr 2024 10:43:50 +0200
Subject: [PATCH] system: support LDAP queries with no user_group set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Though it might be better to allow multiple groups. On the other hand the main filter is in the group→ipset settings file anyway; any VPN user not in one of those groups will not get forwarded to anywhere.
---
 web/system.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/web/system.py b/web/system.py
index 8d2d699..75d77c4 100644
--- a/web/system.py
+++ b/web/system.py
@@ -68,10 +68,18 @@ def save_config():
 user_networks = collections.defaultdict(set)
 ldap = ldap3.Connection(ldap3.Server(settings.get('ldap_host'), use_ssl=True),
 settings.get('ldap_user'), settings.get('ldap_pass'), auto_bind=True)
+
+ # All of these must match to consider an LDAP object.
+ ldap_query = [
+ '(objectClass=user)', # only users
+ '(objectCategory=person)', # that are people
+ '(!(userAccountControl:1.2.840.113556.1.4.803:=2))', # with enabled accounts
+ ]
+ if group := settings.get('user_group'):
+ ldap_query += [f'(memberOf:1.2.840.113556.1.4.1941:={group})'] # in given group, recursively
+
 ldap.search(settings.get('ldap_base_dn', ''),
- '(&(objectClass=user)(objectCategory=person)' + # only people
- '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' + # with enabled accounts
- f'(memberOf:1.2.840.113556.1.4.1941:={settings.get("user_group", "")}))', # in given group, recursively
+ f'(&{"".join(ldap_query)})', # conjuction (&(…)(…)(…)) of queries
 attributes=['userPrincipalName', 'memberOf'])
 for entry in ldap.entries:
 for group in entry.memberOf:
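Review bot: The `user_group` value is interpolated into the LDAP filter without escaping in the added `ldap_query += [f'(memberOf:1.2.840.113556.1.4.1941:={group})']` line, so a group DN containing `(`, `)`, `*` or `\` would yield a malformed or unintentionally broadened filter; the removed line had the same weakness, but the new code is where it should be fixed. The value is presumably an admin-controlled setting (where `settings` comes from is outside the hunk), so the practical risk is low, but ldap3 provides `ldap3.utils.conv.escape_filter_chars` for exactly this, e.g. `from ldap3.utils.conv import escape_filter_chars` with the file's imports and `ldap_query.append(f'(memberOf:1.2.840.113556.1.4.1941:={escape_filter_chars(group)})')`. Two smaller points: the walrus-bound `group` is rebound a few lines later by the context line `for group in entry.memberOf:`, so a distinct name such as `wanted_group` would read more clearly, and the comment on the new search line spells "conjuction" (should be "conjunction"). `save_config()` continues past the end of the hunk.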