LDAP auth: introduce config option 'ldap_groups_attribute'

This attribute is supposed to hold the group membership information if the config option 'ldap_load_groups' is True. If not given, it defaults to 'memberOf' for Active Directory. Introducing this options allows one to use radicale's LDAP auth with groups even on LDAP servers that keep their group memberships in a different attribute than 'memberOf', e.g. Novell eDirectory which uses 'groupMembership'.
2025-04-04 21:57:43 +03:00 · 2025-01-01 20:41:55 +01:00 · 2025-01-01 20:41:55 +01:00 · 6c1445d8db
commit 6c1445d8db
parent 1ca41e2128
4 changed files with 20 additions and 3 deletions
--- a/DOCUMENTATION.md
+++ b/DOCUMENTATION.md
@ -941,6 +941,12 @@ Load the ldap groups of the authenticated user. These groups can be used later o

 Default: False

+##### ldap_groups_attribute
+
+The LDAP attribute to read the group memberships from in the user's LDAP entry if `ldap_load_groups` is True.
+
+Default: `memberOf`
+
 ##### ldap_use_ssl

 Use ssl on the ldap connection
--- a/3
+++ b/3
@ -89,6 +89,9 @@
 # If the ldap groups of the user need to be loaded
 #ldap_load_groups = True

+# the attribute to read the group memberships from in the user's LDAP entry if ldap_load_groups is True.
+#ldap_groups_attribute = memberOf
+
 # The filter to find the DN of the user. This filter must contain a python-style placeholder for the login
 #ldap_filter = (&(objectClass=person)(uid={0}))

--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@ -24,6 +24,7 @@ Following parameters are needed in the configuration:
   ldap_secret_file    The path of the file containing the password of the ldap_reader_dn
   ldap_filter         The search filter to find the user to authenticate by the username
   ldap_user_attribute The attribute to be used as username after authentication
+   ldap_groups_attribute The attribute containing group memberships in the LDAP user entry
   ldap_load_groups    If the groups of the authenticated users need to be loaded
 Following parameters controls SSL connections:
   ldap_use_ssl   If the connection
@ -46,6 +47,7 @@ class Auth(auth.BaseAuth):
    _ldap_attributes: list[str] = []
    _ldap_user_attr: str
    _ldap_load_groups: bool
+    _ldap_groups_attr: str = "memberOf"
    _ldap_module_version: int = 3
    _ldap_use_ssl: bool = False
    _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED
@ -70,6 +72,7 @@ class Auth(auth.BaseAuth):
        self._ldap_secret = configuration.get("auth", "ldap_secret")
        self._ldap_filter = configuration.get("auth", "ldap_filter")
        self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute")
+        self._ldap_groups_attr = configuration.get("auth", "ldap_groups_attribute")
        ldap_secret_file_path = configuration.get("auth", "ldap_secret_file")
        if ldap_secret_file_path:
            with open(ldap_secret_file_path, 'r') as file:
@ -92,6 +95,7 @@ class Auth(auth.BaseAuth):
            logger.info("auth.ldap_user_attribute  : %r" % self._ldap_user_attr)
        else:
            logger.info("auth.ldap_user_attribute  : (not provided)")
+        logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr)
        if ldap_secret_file_path:
            logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path)
            if self._ldap_secret:
@ -112,7 +116,7 @@ class Auth(auth.BaseAuth):
                logger.info("auth.ldap_ssl_ca_file     : (not provided)")
        """Extend attributes to to be returned in the user query"""
        if self._ldap_load_groups:
-            self._ldap_attributes.append('memberOf')
+            self._ldap_attributes.append(self._ldap_groups_attr)
        if self._ldap_user_attr:
            self._ldap_attributes.append(self._ldap_user_attr)
        logger.info("ldap_attributes           : %r" % self._ldap_attributes)
@ -155,7 +159,7 @@ class Auth(auth.BaseAuth):
            tmp: list[str] = []
            if self._ldap_load_groups:
                tmp = []
-                for g in user_entry[1]['memberOf']:
+                for g in user_entry[1][self._ldap_groups_attr]:
                    """Get group g's RDN's attribute value"""
                    g = g.decode('utf-8').split(',')[0]
                    tmp.append(g.partition('=')[2])
@ -225,7 +229,7 @@ class Auth(auth.BaseAuth):
            tmp: list[str] = []
            if self._ldap_load_groups:
                tmp = []
-                for g in user_entry['attributes']['memberOf']:
+                for g in user_entry['attributes'][self._ldap_groups_attr]:
                    """Get group g's RDN's attribute value"""
                    g = g.split(',')[0]
                    tmp.append(g.partition('=')[2])
--- a/radicale/config.py
+++ b/radicale/config.py
@ -251,6 +251,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([
            "value": "False",
            "help": "load the ldap groups of the authenticated user",
            "type": bool}),
+        ("ldap_groups_attribute", {
+            "value": "memberOf",
+            "help": "attribute to read the group memberships from",
+            "type": str}),
        ("ldap_use_ssl", {
            "value": "False",
            "help": "Use ssl on the ldap connection",