Module: check_mk
Branch: master
Commit: 2cb43705c565e50b4a4727cdbf94526b6ec6348c
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2cb43705c565e5…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed May 25 10:08:39 2016 +0200
3576 FIX LDAP: Fixed "Internal error" when using the "Filter Group"
option in an LDAP connection
This exception occurred when a user who is not in the group tried to log in to the GUI.
---
.werks/3576 | 10 +++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 71 +++++++++++++++++++++++++++++---------------
3 files changed, 58 insertions(+), 24 deletions(-)
diff --git a/.werks/3576 b/.werks/3576
new file mode 100644
index 0000000..a1774b2
--- /dev/null
+++ b/.werks/3576
@@ -0,0 +1,10 @@
+Title: LDAP: Fixed "Internal error" when using the "Filter Group"
option in an LDAP connection
+Level: 1
+Component: multisite
+Class: fix
+Compatible: compat
+State: unknown
+Version: 1.2.9i1
+Date: 1464163656
+
+This exception occured when a user which is not in the group tried to log in to the GUI.
diff --git a/ChangeLog b/ChangeLog
index e17841e..1ab73e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -307,6 +307,7 @@
* 3570 FIX: Dashboard: Fixed different issues with filtering using WATO folders
* 3571 FIX: Fixed missing downtime author filter
* 3537 FIX: PNP/Graph Templates: fixed incorrect scaling of check-mk-ping,
check_mk-active-icmp and check-mk-host-ping...
+ * 3576 FIX: LDAP: Fixed "Internal error" when using the "Filter
Group" option in an LDAP connection...
WATO:
* 3244 WATO BI Module: swap order of aggregation function and child node
selection...
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 54921ee..987438e 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -593,17 +593,37 @@ class LDAPUserConnector(UserConnector):
[user_id_attr],
self._config['user_scope']
)
- if result:
- dn = result[0][0]
- user_id = self.sanitize_user_id(result[0][1][user_id_attr][0])
- if user_id is None:
+
+ if not result:
+ return None
+
+ dn = result[0][0]
+ raw_user_id = result[0][1][user_id_attr][0]
+
+ # Filter out users by the optional filter_group
+ filter_group_dn = self._config.get('user_filter_group', None)
+ if filter_group_dn:
+ member_attr = self.member_attr().lower()
+ is_member = False
+ for member in self.get_filter_group_members(filter_group_dn):
+ if member_attr == "memberuid" and raw_user_id == member:
+ is_member = True
+ elif dn == member:
+ is_member = True
+
+ if not is_member:
return None
- self._user_cache[username] = (dn, user_id)
- if no_escape:
- return (dn, user_id)
- else:
- return (dn.replace('\\', '\\\\'), user_id)
+ user_id = self.sanitize_user_id(raw_user_id)
+ if user_id is None:
+ return None
+ self._user_cache[username] = (dn, user_id)
+
+ if no_escape:
+ return (dn, user_id)
+ else:
+ return (dn.replace('\\', '\\\\'), user_id)
+
def get_users(self, add_filter = ''):
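Review bot: The membership test at `if member_attr == "memberuid" and raw_user_id == member:` and `elif dn == member:` compares the raw uid and DN case-sensitively against values that get_filter_group_members() has already lower-cased (the helper added further down returns `m.lower()` for every entry), so a user whose uid or DN contains an upper-case character is rejected as a non-member even though the group lists them. Normalising both sides, `if member_attr == "memberuid" and raw_user_id.lower() == member:` and `elif dn.lower() == member:`, keeps the check fail-closed while matching what the helper actually returns. The loop also keeps iterating after a match; an `is_member = any(...)` expression or a `break` would make the intent clearer. Exact string equality is still only an approximation of LDAP DN equivalence (attribute-type case and spacing vary between servers), which deserves a short comment on that branch. The enclosing lookup method starts outside the hunk.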
@@ -617,7 +637,6 @@ class LDAPUserConnector(UserConnector):
# Create filter by the optional filter_group
filter_group_dn = self._config.get('user_filter_group', None)
- member_filter = ''
if filter_group_dn:
member_attr = self.member_attr().lower()
# posixGroup objects use the memberUid attribute to specify the group
memberships.
@@ -625,21 +644,8 @@ class LDAPUserConnector(UserConnector):
# for filtering here.
user_cmp_attr = member_attr == 'memberuid' and user_id_attr or
'distinguishedname'
- # Apply configured group ldap filter
- try:
- group = self.ldap_search(self.replace_macros(filter_group_dn),
columns=[member_attr], scope='base')
- except MKLDAPException:
- group = None
-
- if not group:
- raise MKLDAPException(_('The configured ldap user filter group could
not be found. '
- 'Please check <a
href="%s">your configuration</a>.') %
-
'wato.py?mode=ldap_config&varname=ldap_userspec')
-
- members = group[0][1].values()[0]
-
member_filter_items = []
- for member in members:
+ for member in self.get_filter_group_members(filter_group_dn):
member_filter_items.append('(%s=%s)' % (user_cmp_attr, member))
add_filter += '(|%s)' % ''.join(member_filter_items)
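Review bot: Each value yielded by get_filter_group_members() is still interpolated verbatim into the search filter at `member_filter_items.append('(%s=%s)' % (user_cmp_attr, member))`, so a member DN containing filter metacharacters (parentheses or backslashes inside a CN are common in real directories) produces a malformed filter and the whole user sync fails. If python-ldap is what backs ldap_search() here, `ldap.filter.escape_filter_chars(member)` at that line keeps the filter well-formed regardless of directory content. When the helper returns an empty list the appended clause is `(|)`, which is not a valid filter either; guarding the append with `if member_filter_items:` covers that case. get_users() starts outside the hunk.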
@@ -660,6 +666,23 @@ class LDAPUserConnector(UserConnector):
return result
+ # TODO: Use get_group_memberships()?
+ def get_filter_group_members(self, filter_group_dn):
+ member_attr = self.member_attr().lower()
+
+ try:
+ group = self.ldap_search(self.replace_macros(filter_group_dn),
columns=[member_attr], scope='base')
+ except MKLDAPException:
+ group = None
+
+ if not group:
+ raise MKLDAPException(_('The configured ldap user filter group could not
be found. '
+ 'Please check <a href="%s">your
configuration</a>.') %
+
'wato.py?mode=ldap_config&varname=ldap_userspec')
+
+ return [ m.lower() for m in group[0][1].values()[0] ]
+
+
def get_groups(self, specific_dn = None):
filt = self.ldap_filter('groups')
dn = self.replace_macros(self._config['group_dn'])
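Review bot: `return [ m.lower() for m in group[0][1].values()[0] ]` raises IndexError when the filter group exists but carries no member attribute at all (directories omit absent multi-valued attributes), so an empty filter group reproduces the "Internal error" this commit sets out to fix, and now on every login attempt, since the user lookup path calls this helper too. Reading the attribute map defensively, `attrs = group[0][1]` / `values = attrs.values()[0] if attrs else []` / `return [m.lower() for m in values]`, yields an empty member list instead while keeping the current positional lookup, which appears to be there because the server may return the attribute name in a different case than `member_attr`. Because the function lower-cases every value, a docstring such as "Return the members of the configured filter group as lower-cased strings; callers must compare case-insensitively" would keep the two call sites honest. The `except MKLDAPException: group = None` also discards the original error detail before the generic message is raised; including or logging it would make a mistyped group DN easier to diagnose.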