mirror of
https://github.com/Kozea/Radicale.git
synced 2025-04-05 14:17:35 +03:00
LDAP auth: introduce config option 'ldap_groups_attribute'
This attribute is supposed to hold the group membership information if the config option 'ldap_load_groups' is True. If not given, it defaults to 'memberOf' for Active Directory. Introducing this options allows one to use radicale's LDAP auth with groups even on LDAP servers that keep their group memberships in a different attribute than 'memberOf', e.g. Novell eDirectory which uses 'groupMembership'.
This commit is contained in:
Peter Marschall
parent
1ca41e2128
commit
6c1445d8db
4 changed files with 20 additions and 3 deletions
|
|
@ -941,6 +941,12 @@ Load the ldap groups of the authenticated user. These groups can be used later o
|
||||||
|
|
||||||
Default: False
|
Default: False
|
||||||
|
|
||||||
|
##### ldap_groups_attribute
|
||||||
|
|
||||||
|
The LDAP attribute to read the group memberships from in the user's LDAP entry if `ldap_load_groups` is True.
|
||||||
|
|
||||||
|
Default: `memberOf`
|
||||||
|
|
||||||
##### ldap_use_ssl
|
##### ldap_use_ssl
|
||||||
|
|
||||||
Use ssl on the ldap connection
|
Use ssl on the ldap connection
|
||||||
|
|
|
||||||
3
config
3
config
|
|
@ -89,6 +89,9 @@
|
||||||
# If the ldap groups of the user need to be loaded
|
# If the ldap groups of the user need to be loaded
|
||||||
#ldap_load_groups = True
|
#ldap_load_groups = True
|
||||||
|
|
||||||
|
# the attribute to read the group memberships from in the user's LDAP entry if ldap_load_groups is True.
|
||||||
|
#ldap_groups_attribute = memberOf
|
||||||
|
|
||||||
# The filter to find the DN of the user. This filter must contain a python-style placeholder for the login
|
# The filter to find the DN of the user. This filter must contain a python-style placeholder for the login
|
||||||
#ldap_filter = (&(objectClass=person)(uid={0}))
|
#ldap_filter = (&(objectClass=person)(uid={0}))
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -24,6 +24,7 @@ Following parameters are needed in the configuration:
|
||||||
ldap_secret_file The path of the file containing the password of the ldap_reader_dn
|
ldap_secret_file The path of the file containing the password of the ldap_reader_dn
|
||||||
ldap_filter The search filter to find the user to authenticate by the username
|
ldap_filter The search filter to find the user to authenticate by the username
|
||||||
ldap_user_attribute The attribute to be used as username after authentication
|
ldap_user_attribute The attribute to be used as username after authentication
|
||||||
|
ldap_groups_attribute The attribute containing group memberships in the LDAP user entry
|
||||||
ldap_load_groups If the groups of the authenticated users need to be loaded
|
ldap_load_groups If the groups of the authenticated users need to be loaded
|
||||||
Following parameters controls SSL connections:
|
Following parameters controls SSL connections:
|
||||||
ldap_use_ssl If the connection
|
ldap_use_ssl If the connection
|
||||||
|
|
@ -46,6 +47,7 @@ class Auth(auth.BaseAuth):
|
||||||
_ldap_attributes: list[str] = []
|
_ldap_attributes: list[str] = []
|
||||||
_ldap_user_attr: str
|
_ldap_user_attr: str
|
||||||
_ldap_load_groups: bool
|
_ldap_load_groups: bool
|
||||||
|
_ldap_groups_attr: str = "memberOf"
|
||||||
_ldap_module_version: int = 3
|
_ldap_module_version: int = 3
|
||||||
_ldap_use_ssl: bool = False
|
_ldap_use_ssl: bool = False
|
||||||
_ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED
|
_ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED
|
||||||
|
|
@ -70,6 +72,7 @@ class Auth(auth.BaseAuth):
|
||||||
self._ldap_secret = configuration.get("auth", "ldap_secret")
|
self._ldap_secret = configuration.get("auth", "ldap_secret")
|
||||||
self._ldap_filter = configuration.get("auth", "ldap_filter")
|
self._ldap_filter = configuration.get("auth", "ldap_filter")
|
||||||
self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute")
|
self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute")
|
||||||
|
self._ldap_groups_attr = configuration.get("auth", "ldap_groups_attribute")
|
||||||
ldap_secret_file_path = configuration.get("auth", "ldap_secret_file")
|
ldap_secret_file_path = configuration.get("auth", "ldap_secret_file")
|
||||||
if ldap_secret_file_path:
|
if ldap_secret_file_path:
|
||||||
with open(ldap_secret_file_path, 'r') as file:
|
with open(ldap_secret_file_path, 'r') as file:
|
||||||
|
|
@ -92,6 +95,7 @@ class Auth(auth.BaseAuth):
|
||||||
logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr)
|
logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr)
|
||||||
else:
|
else:
|
||||||
logger.info("auth.ldap_user_attribute : (not provided)")
|
logger.info("auth.ldap_user_attribute : (not provided)")
|
||||||
|
logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr)
|
||||||
if ldap_secret_file_path:
|
if ldap_secret_file_path:
|
||||||
logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path)
|
logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path)
|
||||||
if self._ldap_secret:
|
if self._ldap_secret:
|
||||||
|
|
@ -112,7 +116,7 @@ class Auth(auth.BaseAuth):
|
||||||
logger.info("auth.ldap_ssl_ca_file : (not provided)")
|
logger.info("auth.ldap_ssl_ca_file : (not provided)")
|
||||||
"""Extend attributes to to be returned in the user query"""
|
"""Extend attributes to to be returned in the user query"""
|
||||||
if self._ldap_load_groups:
|
if self._ldap_load_groups:
|
||||||
self._ldap_attributes.append('memberOf')
|
self._ldap_attributes.append(self._ldap_groups_attr)
|
||||||
if self._ldap_user_attr:
|
if self._ldap_user_attr:
|
||||||
self._ldap_attributes.append(self._ldap_user_attr)
|
self._ldap_attributes.append(self._ldap_user_attr)
|
||||||
logger.info("ldap_attributes : %r" % self._ldap_attributes)
|
logger.info("ldap_attributes : %r" % self._ldap_attributes)
|
||||||
|
|
@ -155,7 +159,7 @@ class Auth(auth.BaseAuth):
|
||||||
tmp: list[str] = []
|
tmp: list[str] = []
|
||||||
if self._ldap_load_groups:
|
if self._ldap_load_groups:
|
||||||
tmp = []
|
tmp = []
|
||||||
for g in user_entry[1]['memberOf']:
|
for g in user_entry[1][self._ldap_groups_attr]:
|
||||||
"""Get group g's RDN's attribute value"""
|
"""Get group g's RDN's attribute value"""
|
||||||
g = g.decode('utf-8').split(',')[0]
|
g = g.decode('utf-8').split(',')[0]
|
||||||
tmp.append(g.partition('=')[2])
|
tmp.append(g.partition('=')[2])
|
||||||
|
|
@ -225,7 +229,7 @@ class Auth(auth.BaseAuth):
|
||||||
tmp: list[str] = []
|
tmp: list[str] = []
|
||||||
if self._ldap_load_groups:
|
if self._ldap_load_groups:
|
||||||
tmp = []
|
tmp = []
|
||||||
for g in user_entry['attributes']['memberOf']:
|
for g in user_entry['attributes'][self._ldap_groups_attr]:
|
||||||
"""Get group g's RDN's attribute value"""
|
"""Get group g's RDN's attribute value"""
|
||||||
g = g.split(',')[0]
|
g = g.split(',')[0]
|
||||||
tmp.append(g.partition('=')[2])
|
tmp.append(g.partition('=')[2])
|
||||||
|
|
|
||||||
|
|
@ -251,6 +251,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([
|
||||||
"value": "False",
|
"value": "False",
|
||||||
"help": "load the ldap groups of the authenticated user",
|
"help": "load the ldap groups of the authenticated user",
|
||||||
"type": bool}),
|
"type": bool}),
|
||||||
|
("ldap_groups_attribute", {
|
||||||
|
"value": "memberOf",
|
||||||
|
"help": "attribute to read the group memberships from",
|
||||||
|
"type": str}),
|
||||||
("ldap_use_ssl", {
|
("ldap_use_ssl", {
|
||||||
"value": "False",
|
"value": "False",
|
||||||
"help": "Use ssl on the ldap connection",
|
"help": "Use ssl on the ldap connection",
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue