From b3483a9b6d1248eaf68e429692589217220d9205 Mon Sep 17 00:00:00 2001
From: Piotr Dobrowolski
Date: Sat, 10 Oct 2020 18:56:07 +0200
Subject: [PATCH] directory: handle broken groups ACL, migrate to cn=sso

---
 sso/directory.py | 23 +++++++++++++++--------
 sso/settings.py  |  2 +-
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/sso/directory.py b/sso/directory.py
index 08464b4..25a259f 100644
--- a/sso/directory.py
+++ b/sso/directory.py
@@ -57,15 +57,22 @@ class LDAPUserProxy(object):
         self.phone = data.get("mobile", [b""])[0].decode() or None
         self.personal_email = data.get("mailRoutingAddress", [b""])[0].decode() or None
 
-        self.groups = [
-            data["cn"][0].decode()
-            for dn, data in conn.search_s(
-                app.config["LDAP_GROUPS_BASEDN"],
-                ldap.SCOPE_SUBTREE,
-                app.config["LDAP_GROUP_MEMBERSHIP_FILTER"] % dn,
-                ["cn"],
+        try:
+            self.groups = [
+                data["cn"][0].decode()
+                for dn, data in conn.search_s(
+                    app.config["LDAP_GROUPS_BASEDN"],
+                    ldap.SCOPE_SUBTREE,
+                    app.config["LDAP_GROUP_MEMBERSHIP_FILTER"] % dn,
+                    ["cn"],
+                )
+            ]
+        except ldap.NO_SUCH_OBJECT:
+            logging.warning(
+                "ldap.NO_SUCH_OBJECT occured when searching groups, "
+                "LDAP_BIND_DN likely doesn't have access to groups basedn"
             )
-        ]
+            self.groups = []
 
     def __repr__(self):
         active = "active" if self.is_active else "inactive"
diff --git a/sso/settings.py b/sso/settings.py
index e60409d..1f75b70 100644
--- a/sso/settings.py
+++ b/sso/settings.py
@@ -42,7 +42,7 @@ LDAP_GROUP_MEMBERSHIP_FILTER = env.str(
 )
 
 LDAP_BIND_DN = env.str(
-    "LDAP_BIND_DN", default="cn=auth,ou=Services,dc=hackerspace,dc=pl"
+    "LDAP_BIND_DN", default="cn=sso,ou=Services,dc=hackerspace,dc=pl"
 )
 
 LDAP_BIND_PASSWORD = env.str("LDAP_BIND_PASSWORD", default="insert password here")
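Review bot: The `except ldap.NO_SUCH_OBJECT` branch near the end of the directory.py hunk pins the cause to the bind DN's ACL, but that exception is also what a mistyped or non-existent `LDAP_GROUPS_BASEDN` produces, and the message gives an operator nothing to tell the two apart; log the base DN and user DN as lazy arguments, e.g. `logging.warning("ldap.NO_SUCH_OBJECT occurred when searching groups under %s for %s; LDAP_BIND_DN likely lacks access to the groups basedn", app.config["LDAP_GROUPS_BASEDN"], dn)`, which also fixes the spelling of "occurred". The fallback `self.groups = []` means every membership check downstream silently sees no groups; that fails closed for allow-lists, but the assignment deserves a comment such as `# Fail closed: unreadable groups => no group-derived privileges` so a later maintainer does not "fix" it by skipping the lookup. The membership filter on the new side is still built with `%` from `dn`; passing `ldap.filter.escape_filter_chars(dn)` instead keeps a DN containing filter metacharacters from altering the query. `__init__` begins outside the hunk, so where `dn` and `conn` are bound, and whether `logging` is imported, is not visible here.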