directory: handle broken groups ACL, migrate to cn=sso

2020-10-10 18:56:07 +02:00 · 2020-10-10 18:56:07 +02:00 · b3483a9b6d
parent 2f8816cfda
commit b3483a9b6d
2 changed files with 16 additions and 9 deletions
--- a/sso/directory.py
+++ b/sso/directory.py
@ -57,15 +57,22 @@ class LDAPUserProxy(object):
        self.phone = data.get("mobile", [b""])[0].decode() or None
        self.personal_email = data.get("mailRoutingAddress", [b""])[0].decode() or None

-        self.groups = [
-            data["cn"][0].decode()
-            for dn, data in conn.search_s(
-                app.config["LDAP_GROUPS_BASEDN"],
-                ldap.SCOPE_SUBTREE,
-                app.config["LDAP_GROUP_MEMBERSHIP_FILTER"] % dn,
-                ["cn"],
+        try:
+            self.groups = [
+                data["cn"][0].decode()
+                for dn, data in conn.search_s(
+                    app.config["LDAP_GROUPS_BASEDN"],
+                    ldap.SCOPE_SUBTREE,
+                    app.config["LDAP_GROUP_MEMBERSHIP_FILTER"] % dn,
+                    ["cn"],
+                )
+            ]
+        except ldap.NO_SUCH_OBJECT:
+            logging.warning(
+                "ldap.NO_SUCH_OBJECT occured when searching groups, "
+                "LDAP_BIND_DN likely doesn't have access to groups basedn"
            )
-        ]
+            self.groups = []

    def __repr__(self):
        active = "active" if self.is_active else "inactive"
--- a/sso/settings.py
+++ b/sso/settings.py
@ -42,7 +42,7 @@ LDAP_GROUP_MEMBERSHIP_FILTER = env.str(
 )

 LDAP_BIND_DN = env.str(
-    "LDAP_BIND_DN", default="cn=auth,ou=Services,dc=hackerspace,dc=pl"
+    "LDAP_BIND_DN", default="cn=sso,ou=Services,dc=hackerspace,dc=pl"
 )
 LDAP_BIND_PASSWORD = env.str("LDAP_BIND_PASSWORD", default="insert password here")