system: support LDAP queries with no user_group set
Though it might be better to allow multiple groups. On the other hand the main filter is in the group→ipset settings file anyway; any VPN user not in one of those groups will not get forwarded to anywhere.
This commit is contained in:
parent
ab2485c063
commit
d33fec65a2
|
|
@ -68,10 +68,18 @@ def save_config():
|
||||||
user_networks = collections.defaultdict(set)
|
user_networks = collections.defaultdict(set)
|
||||||
ldap = ldap3.Connection(ldap3.Server(settings.get('ldap_host'), use_ssl=True),
|
ldap = ldap3.Connection(ldap3.Server(settings.get('ldap_host'), use_ssl=True),
|
||||||
settings.get('ldap_user'), settings.get('ldap_pass'), auto_bind=True)
|
settings.get('ldap_user'), settings.get('ldap_pass'), auto_bind=True)
|
||||||
|
|
||||||
|
# All of these must match to consider an LDAP object.
|
||||||
|
ldap_query = [
|
||||||
|
'(objectClass=user)', # only users
|
||||||
|
'(objectCategory=person)', # that are people
|
||||||
|
'(!(userAccountControl:1.2.840.113556.1.4.803:=2))', # with enabled accounts
|
||||||
|
]
|
||||||
|
if group := settings.get('user_group'):
|
||||||
|
ldap_query += [f'(memberOf:1.2.840.113556.1.4.1941:={group})'] # in given group, recursively
|
||||||
|
|
||||||
ldap.search(settings.get('ldap_base_dn', ''),
|
ldap.search(settings.get('ldap_base_dn', ''),
|
||||||
'(&(objectClass=user)(objectCategory=person)' + # only people
|
f'(&{"".join(ldap_query)})', # conjuction (&(…)(…)(…)) of queries
|
||||||
'(!(userAccountControl:1.2.840.113556.1.4.803:=2))' + # with enabled accounts
|
|
||||||
f'(memberOf:1.2.840.113556.1.4.1941:={settings.get("user_group", "")}))', # in given group, recursively
|
|
||||||
attributes=['userPrincipalName', 'memberOf'])
|
attributes=['userPrincipalName', 'memberOf'])
|
||||||
for entry in ldap.entries:
|
for entry in ldap.entries:
|
||||||
for group in entry.memberOf:
|
for group in entry.memberOf:
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue