Module: check_mk
Branch: master
Commit: 2ee633e3c961aa55df600bc2daa37e1f0f3e4875
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2ee633e3c961aa…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Jul 17 14:46:22 2014 +0200
FIX LDAP: Using configured user filter during login to prevent temporary created users
When a LDAP user that is not allowed to log in to multisite according to the
"LDAP User Settings" OU and filtering options tries to login with valid
credentials
Multisite created a temporary user entry just to remove it later during the login
process. The user can not access Multisite, but an error message is shown and a
log entry in the WATO audit log is being created.
This has been changed so that the initial credentials check takes the filters from
"LDAP User Settings" into account, leaving all non-permitted users with the
message
"invalid credentials".
---
.werks/1059 | 16 ++++++++++++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 10 ++++++----
3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/.werks/1059 b/.werks/1059
new file mode 100644
index 0000000..de0303a
--- /dev/null
+++ b/.werks/1059
@@ -0,0 +1,16 @@
+Title: LDAP: Using configured user filter during login to prevent temporary created
users
+Level: 1
+Component: multisite
+Version: 1.2.5i5
+Date: 1405600906
+Class: fix
+
+When a LDAP user that is not allowed to log in to multisite according to the
+"LDAP User Settings" OU and filtering options tries to login with valid
credentials
+Multisite created a temporary user entry just to remove it later during the login
+process. The user can not access Multisite, but an error message is shown and a
+log entry in the WATO audit log is being created.
+
+This has been changed that the initial credentials check takes the filters from
+"LDAP User Settings" into account. Leaving all not permitted users with the
message
+"invalid credentials".
diff --git a/ChangeLog b/ChangeLog
index fbfe2d5..3918954 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -62,6 +62,7 @@
* 0945 FIX: Sidebar snapin "Problem hosts": Now excludes hosts and services
in downtime
* 1036 FIX: doc/treasures/downtime: fix --url option, better error output
* 1074 FIX: Fix Virtual Host Tree snapin...
+ * 1059 FIX: LDAP: Using configured user filter during login to prevent temporary
created users...
WATO:
* 0825 WATO: Hover menu of user online state shows the last seen date/time now
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 3627c55..3cf8883 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -468,12 +468,14 @@ def ldap_get_user(username, no_escape = False):
if username in g_ldap_user_cache:
return g_ldap_user_cache[username]
- # Check wether or not the user exists in the directory
- # It's only ok when exactly one entry is found.
- # Returns the DN and user_id as tuple in this case.
+ # Check wether or not the user exists in the directory matching the username AND
+ # the user search filter configured in the "LDAP User Settings".
+ # It's only ok when exactly one entry is found. Returns the DN and user_id
+ # as tuple in this case.
result = ldap_search(
ldap_replace_macros(config.ldap_userspec['dn']),
- '(%s=%s)' % (ldap_user_id_attr(),
ldap.filter.escape_filter_chars(username)),
+ '(&(%s=%s)%s)' % (ldap_user_id_attr(),
ldap.filter.escape_filter_chars(username),
+ config.ldap_userspec['filter']),
[ldap_user_id_attr()],
)