From 607b3af67b91bcfc8e340cf17ce6a0d38299d15d Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Wed, 1 Jan 2025 18:09:00 +0100 Subject: [PATCH 1/6] LDAP auth: calculate attributes to query in __init__() Remove code duplication by factoring out the calculation of the LDAP query attributes out of _login2() resp. _login3() into __init__(). --- radicale/auth/ldap.py | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index ee256fed..2290794b 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -43,6 +43,7 @@ class Auth(auth.BaseAuth): _ldap_reader_dn: str _ldap_secret: str _ldap_filter: str + _ldap_attributes: list[str] = ['memberOf'] _ldap_user_attr: str _ldap_load_groups: bool _ldap_module_version: int = 3 @@ -109,6 +110,10 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_ssl_ca_file : %r" % self._ldap_ssl_ca_file) else: logger.info("auth.ldap_ssl_ca_file : (not provided)") + """Extend attributes to to be returned in the user query""" + if self._ldap_user_attr: + self._ldap_attributes.append(self._ldap_user_attr) + logger.info("ldap_attributes : %r" % self._ldap_attributes) def _login2(self, login: str, password: str) -> str: try: @@ -121,15 +126,11 @@ class Auth(auth.BaseAuth): """Search for the dn of user to authenticate""" escaped_login = self.ldap.filter.escape_filter_chars(login) logger.debug(f"_login2 login escaped for LDAP filters: {escaped_login}") - attrs = ['memberof'] - if self._ldap_user_attr: - attrs = ['memberOf', self._ldap_user_attr] - logger.debug(f"_login2 attrs: {attrs}") res = conn.search_s( self._ldap_base, self.ldap.SCOPE_SUBTREE, filterstr=self._ldap_filter.format(escaped_login), - attrlist=attrs + attrlist=self._ldap_attributes ) if len(res) != 1: """User could not be found unambiguously""" @@ -198,15 +199,11 @@ class Auth(auth.BaseAuth): """Search the user dn""" escaped_login = self.ldap3.utils.conv.escape_filter_chars(login) logger.debug(f"_login3 login escaped for LDAP filters: {escaped_login}") - attrs = ['memberof'] - if self._ldap_user_attr: - attrs = ['memberOf', self._ldap_user_attr] - logger.debug(f"_login3 attrs: {attrs}") conn.search( search_base=self._ldap_base, search_filter=self._ldap_filter.format(escaped_login), search_scope=self.ldap3.SUBTREE, - attributes=attrs + attributes=self._ldap_attributes ) if len(conn.entries) != 1: """User could not be found unambiguously""" From 1ca41e2128e792ee7644908c4c341b598f6a6fe2 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 20:43:14 +0100 Subject: [PATCH 2/6] LDAP auth: only ask for memberOf if ldap_load_groups = True Ask for the 'memberOf' attribute to be returned in the user query only if 'ldap_load_groups' is set to True. This fixes the issue that currently LDAP authentication can only be used on LDAP servers that know this non-standard (it's an Active Directory extension) attribute. Other LDAP servers either do not necessarily have the group memberships stored in the user object (e.g. OpenLDAP), or use different attributes for this purpose (e.g. Novell eDirectory uses 'groupMembership') --- radicale/auth/ldap.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 2290794b..50b2768a 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -43,7 +43,7 @@ class Auth(auth.BaseAuth): _ldap_reader_dn: str _ldap_secret: str _ldap_filter: str - _ldap_attributes: list[str] = ['memberOf'] + _ldap_attributes: list[str] = [] _ldap_user_attr: str _ldap_load_groups: bool _ldap_module_version: int = 3 @@ -111,6 +111,8 @@ class Auth(auth.BaseAuth): else: logger.info("auth.ldap_ssl_ca_file : (not provided)") """Extend attributes to to be returned in the user query""" + if self._ldap_load_groups: + self._ldap_attributes.append('memberOf') if self._ldap_user_attr: self._ldap_attributes.append(self._ldap_user_attr) logger.info("ldap_attributes : %r" % self._ldap_attributes) From 6c1445d8db794897241bf23b5e9a81b04d4cf53a Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Wed, 1 Jan 2025 20:41:55 +0100 Subject: [PATCH 3/6] LDAP auth: introduce config option 'ldap_groups_attribute' This attribute is supposed to hold the group membership information if the config option 'ldap_load_groups' is True. If not given, it defaults to 'memberOf' for Active Directory. Introducing this options allows one to use radicale's LDAP auth with groups even on LDAP servers that keep their group memberships in a different attribute than 'memberOf', e.g. Novell eDirectory which uses 'groupMembership'. --- DOCUMENTATION.md | 6 ++++++ config | 3 +++ radicale/auth/ldap.py | 10 +++++++--- radicale/config.py | 4 ++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 7c02cc58..cbca8899 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -941,6 +941,12 @@ Load the ldap groups of the authenticated user. These groups can be used later o Default: False +##### ldap_groups_attribute + +The LDAP attribute to read the group memberships from in the user's LDAP entry if `ldap_load_groups` is True. + +Default: `memberOf` + ##### ldap_use_ssl Use ssl on the ldap connection diff --git a/config b/config index ef7263a0..64fd0f9f 100644 --- a/config +++ b/config @@ -89,6 +89,9 @@ # If the ldap groups of the user need to be loaded #ldap_load_groups = True +# the attribute to read the group memberships from in the user's LDAP entry if ldap_load_groups is True. +#ldap_groups_attribute = memberOf + # The filter to find the DN of the user. This filter must contain a python-style placeholder for the login #ldap_filter = (&(objectClass=person)(uid={0})) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 50b2768a..4d576ef2 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -24,6 +24,7 @@ Following parameters are needed in the configuration: ldap_secret_file The path of the file containing the password of the ldap_reader_dn ldap_filter The search filter to find the user to authenticate by the username ldap_user_attribute The attribute to be used as username after authentication + ldap_groups_attribute The attribute containing group memberships in the LDAP user entry ldap_load_groups If the groups of the authenticated users need to be loaded Following parameters controls SSL connections: ldap_use_ssl If the connection @@ -46,6 +47,7 @@ class Auth(auth.BaseAuth): _ldap_attributes: list[str] = [] _ldap_user_attr: str _ldap_load_groups: bool + _ldap_groups_attr: str = "memberOf" _ldap_module_version: int = 3 _ldap_use_ssl: bool = False _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED @@ -70,6 +72,7 @@ class Auth(auth.BaseAuth): self._ldap_secret = configuration.get("auth", "ldap_secret") self._ldap_filter = configuration.get("auth", "ldap_filter") self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute") + self._ldap_groups_attr = configuration.get("auth", "ldap_groups_attribute") ldap_secret_file_path = configuration.get("auth", "ldap_secret_file") if ldap_secret_file_path: with open(ldap_secret_file_path, 'r') as file: @@ -92,6 +95,7 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr) else: logger.info("auth.ldap_user_attribute : (not provided)") + logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr) if ldap_secret_file_path: logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path) if self._ldap_secret: @@ -112,7 +116,7 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_ssl_ca_file : (not provided)") """Extend attributes to to be returned in the user query""" if self._ldap_load_groups: - self._ldap_attributes.append('memberOf') + self._ldap_attributes.append(self._ldap_groups_attr) if self._ldap_user_attr: self._ldap_attributes.append(self._ldap_user_attr) logger.info("ldap_attributes : %r" % self._ldap_attributes) @@ -155,7 +159,7 @@ class Auth(auth.BaseAuth): tmp: list[str] = [] if self._ldap_load_groups: tmp = [] - for g in user_entry[1]['memberOf']: + for g in user_entry[1][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" g = g.decode('utf-8').split(',')[0] tmp.append(g.partition('=')[2]) @@ -225,7 +229,7 @@ class Auth(auth.BaseAuth): tmp: list[str] = [] if self._ldap_load_groups: tmp = [] - for g in user_entry['attributes']['memberOf']: + for g in user_entry['attributes'][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" g = g.split(',')[0] tmp.append(g.partition('=')[2]) diff --git a/radicale/config.py b/radicale/config.py index 3af6c807..6b3205d1 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -251,6 +251,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "load the ldap groups of the authenticated user", "type": bool}), + ("ldap_groups_attribute", { + "value": "memberOf", + "help": "attribute to read the group memberships from", + "type": str}), ("ldap_use_ssl", { "value": "False", "help": "Use ssl on the ldap connection", From f9dd3efc3ac9b21128c5e34d9abd07b4455be0af Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Wed, 1 Jan 2025 20:52:55 +0100 Subject: [PATCH 4/6] LDAP auth: remove config option 'ldap_load_groups' The same effect can be achieved using the option 'ldap_groups_attribute' alone, if it's default becomes unset instead of 'memberOf' Benefit: one config option less to deal with. While at it, also fix header level for 'ldap_user_attribute' in documentation. --- DOCUMENTATION.md | 24 ++++++++++++------------ config | 5 +---- radicale/auth/ldap.py | 17 ++++++++--------- radicale/config.py | 6 +----- 4 files changed, 22 insertions(+), 30 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index cbca8899..8bc2554e 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -926,26 +926,26 @@ The search filter to find the user DN to authenticate by the username. User '{0} Default: `(cn={0})` -#### ldap_user_attribute +##### ldap_user_attribute The LDAP attribute whose value shall be used as the user name after successful authentication Default: not set, i.e. the login name given is used directly. -##### ldap_load_groups - -Load the ldap groups of the authenticated user. These groups can be used later on to define rights. This also gives you access to the group calendars, if they exist. -* The group calendar will be placed under collection_root_folder/GROUPS -* The name of the calendar directory is the base64 encoded group name. -* The group calendar folders will not be created automaticaly. This must be created manually. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication - -Default: False - ##### ldap_groups_attribute -The LDAP attribute to read the group memberships from in the user's LDAP entry if `ldap_load_groups` is True. +The LDAP attribute to read the group memberships from in the authenticated user's LDAP entry. -Default: `memberOf` +If set, load the LDAP group memberships from the attribute given +These memberships can be used later on to define rights. +This also gives you access to the group calendars, if they exist. +* The group calendar will be placed under collection_root_folder/GROUPS +* The name of the calendar directory is the base64 encoded group name. +* The group calendar folders will not be created automatically. This must be done manually. In the [LDAP-authentication section of Radicale's wiki](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create a group calendar. + +Use 'memberOf' if you want to load groups on Active Directory and alikes, 'groupMembership' on Novell eDirectory, ... + +Default: unset ##### ldap_use_ssl diff --git a/config b/config index 64fd0f9f..dc2dc551 100644 --- a/config +++ b/config @@ -86,10 +86,7 @@ # Path of the file containing password of the reader DN #ldap_secret_file = /run/secrets/ldap_password -# If the ldap groups of the user need to be loaded -#ldap_load_groups = True - -# the attribute to read the group memberships from in the user's LDAP entry if ldap_load_groups is True. +# the attribute to read the group memberships from in the user's LDAP entry (default: not set) #ldap_groups_attribute = memberOf # The filter to find the DN of the user. This filter must contain a python-style placeholder for the login diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 4d576ef2..cdba9f12 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -25,7 +25,6 @@ Following parameters are needed in the configuration: ldap_filter The search filter to find the user to authenticate by the username ldap_user_attribute The attribute to be used as username after authentication ldap_groups_attribute The attribute containing group memberships in the LDAP user entry - ldap_load_groups If the groups of the authenticated users need to be loaded Following parameters controls SSL connections: ldap_use_ssl If the connection ldap_ssl_verify_mode The certificate verification mode. NONE, OPTIONAL, default is REQUIRED @@ -46,8 +45,7 @@ class Auth(auth.BaseAuth): _ldap_filter: str _ldap_attributes: list[str] = [] _ldap_user_attr: str - _ldap_load_groups: bool - _ldap_groups_attr: str = "memberOf" + _ldap_groups_attr: str _ldap_module_version: int = 3 _ldap_use_ssl: bool = False _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED @@ -68,7 +66,6 @@ class Auth(auth.BaseAuth): self._ldap_uri = configuration.get("auth", "ldap_uri") self._ldap_base = configuration.get("auth", "ldap_base") self._ldap_reader_dn = configuration.get("auth", "ldap_reader_dn") - self._ldap_load_groups = configuration.get("auth", "ldap_load_groups") self._ldap_secret = configuration.get("auth", "ldap_secret") self._ldap_filter = configuration.get("auth", "ldap_filter") self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute") @@ -89,13 +86,15 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_uri : %r" % self._ldap_uri) logger.info("auth.ldap_base : %r" % self._ldap_base) logger.info("auth.ldap_reader_dn : %r" % self._ldap_reader_dn) - logger.info("auth.ldap_load_groups : %s" % self._ldap_load_groups) logger.info("auth.ldap_filter : %r" % self._ldap_filter) if self._ldap_user_attr: logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr) else: logger.info("auth.ldap_user_attribute : (not provided)") - logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr) + if self._ldap_groups_attr: + logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr) + else: + logger.info("auth.ldap_groups_attribute: (not provided)") if ldap_secret_file_path: logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path) if self._ldap_secret: @@ -115,7 +114,7 @@ class Auth(auth.BaseAuth): else: logger.info("auth.ldap_ssl_ca_file : (not provided)") """Extend attributes to to be returned in the user query""" - if self._ldap_load_groups: + if self._ldap_groups_attr: self._ldap_attributes.append(self._ldap_groups_attr) if self._ldap_user_attr: self._ldap_attributes.append(self._ldap_user_attr) @@ -157,7 +156,7 @@ class Auth(auth.BaseAuth): conn.set_option(self.ldap.OPT_REFERRALS, 0) conn.simple_bind_s(user_dn, password) tmp: list[str] = [] - if self._ldap_load_groups: + if self._ldap_groups_attr: tmp = [] for g in user_entry[1][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" @@ -227,7 +226,7 @@ class Auth(auth.BaseAuth): logger.debug(f"_login3 user '{login}' cannot be found") return "" tmp: list[str] = [] - if self._ldap_load_groups: + if self._ldap_groups_attr: tmp = [] for g in user_entry['attributes'][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" diff --git a/radicale/config.py b/radicale/config.py index 6b3205d1..ed294812 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -247,12 +247,8 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "", "help": "the attribute to be used as username after authentication", "type": str}), - ("ldap_load_groups", { - "value": "False", - "help": "load the ldap groups of the authenticated user", - "type": bool}), ("ldap_groups_attribute", { - "value": "memberOf", + "value": "", "help": "attribute to read the group memberships from", "type": str}), ("ldap_use_ssl", { From d6c4e6487aa79f071d216a8615cd97c9d6867117 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Thu, 2 Jan 2025 14:23:15 +0100 Subject: [PATCH 5/6] LDAP auth: flexibilize parsing of 'ldap_groups_attribute' Use helper methods from the LDAP modules to get individual elements (like in our case the RDN value) out of attributes with DN syntax in a standard compliant way instead fiddling around ourselves. If these methods fail, fall back to using the whole attribute value, which allows us to also use attributes with non-DN syntax for groups and permissions. --- radicale/auth/ldap.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index cdba9f12..a4c73808 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -160,8 +160,11 @@ class Auth(auth.BaseAuth): tmp = [] for g in user_entry[1][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" - g = g.decode('utf-8').split(',')[0] - tmp.append(g.partition('=')[2]) + try: + rdns = self.ldap.dn.explode_dn(g, notypes=True) + tmp.append(rdns[0]) + except Exception: + tmp.append(g.decode('utf8')) self._ldap_groups = set(tmp) logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups)) if self._ldap_user_attr: @@ -230,8 +233,11 @@ class Auth(auth.BaseAuth): tmp = [] for g in user_entry['attributes'][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" - g = g.split(',')[0] - tmp.append(g.partition('=')[2]) + try: + rdns = self.ldap3.utils.dn.parse_dn(g) + tmp.append(rdns[0][1]) + except Exception: + tmp.append(g) self._ldap_groups = set(tmp) logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups)) if self._ldap_user_attr: From 5ebaf4ef1cf1bef9c265f79c485e6d512b325d5d Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Fri, 3 Jan 2025 21:56:25 +0100 Subject: [PATCH 6/6] changelog for https://github.com/Kozea/Radicale/pull/1669 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 18ec7df5..75ee148a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ * Improve: [auth] constant execution time for failed logins independent of external backend or by htpasswd used digest method * Drop: support for Python 3.8 * Add: option [auth] ldap_user_attribute +* Add: option [auth] ldap_groups_attribute as a more flexible replacement of removed ldap_load_groups ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less