ldap: log missing group dn when mapped to a role (#50928)
parent
ebd152fe86
commit
3cdd9e7d29
|
@ -589,6 +589,27 @@ class LDAPBackend(object):
|
||||||
message = str(vars(c))
|
message = str(vars(c))
|
||||||
log.info('ldap: bind error with authz_id "%s" -> "%s"', authz_id, message)
|
log.info('ldap: bind error with authz_id "%s" -> "%s"', authz_id, message)
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def check_group_to_role_mappings(cls, block):
|
||||||
|
group_to_role_mapping = block.get('group_to_role_mapping')
|
||||||
|
if not group_to_role_mapping:
|
||||||
|
return
|
||||||
|
for conn in cls.get_connections(block):
|
||||||
|
existing_groups = cls.get_groups_dns(conn, block)
|
||||||
|
for group_dn, role_slugs in group_to_role_mapping:
|
||||||
|
if group_dn in existing_groups:
|
||||||
|
continue
|
||||||
|
log.warning('ldap: unknown group "%s" mapped to a role', group_dn)
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def get_groups_dns(cls, conn, block):
|
||||||
|
group_base_dn = block['group_basedn'] or block['basedn']
|
||||||
|
# 1.1 is special attribute meaning, "no attribute requested"
|
||||||
|
results = conn.search_s(group_base_dn, ldap.SCOPE_SUBTREE,
|
||||||
|
block['group_filter'], ['1.1'])
|
||||||
|
results = cls.normalize_ldap_results(results)
|
||||||
|
return set([group_dn for group_dn, attrs in results])
|
||||||
|
|
||||||
def authenticate(self, request=None, username=None, password=None, realm=None, ou=None):
|
def authenticate(self, request=None, username=None, password=None, realm=None, ou=None):
|
||||||
if username is None or password is None:
|
if username is None or password is None:
|
||||||
return None
|
return None
|
||||||
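Review bot: `get_groups_dns` hands `block['group_filter']` to `search_s` unexpanded, but in this configuration that filter is a per-user membership template (the test hunk in this commit sets it to `(&(memberUid={uid})(objectClass=posixGroup))`), so the literal `{uid}` would match no real group, `existing_groups` would come back empty, and every mapped group — including ones that exist — would be reported as unknown. The sync path already neutralises the user template with `user_filter.replace('%s', '*')` in the second hunk; the same treatment here, `group_filter = block['group_filter'].replace('{uid}', '*')`, would list the whole group subtree, assuming `{uid}` is the only placeholder the filter uses. Two smaller points: `get_groups_dns` lets any `ldap.LDAPError` from `search_s` propagate, whereas its caller in the second hunk (`cls.check_group_to_role_mappings(block)`, inside a loop whose enclosing function starts outside the hunk) otherwise tolerates a failing server with `continue`, so one failing search now aborts the whole synchronisation; and `check_group_to_role_mappings` opens fresh connections through `cls.get_connections(block)` although the caller already holds `conn`, so accepting `conn` as a parameter and searching it directly would avoid a second bind per server. Both new classmethods also lack a docstring; `"""Warn about each DN in group_to_role_mapping that no server of this block returns for group_filter."""` would do for the first.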
|
@ -1310,6 +1331,7 @@ class LDAPBackend(object):
|
||||||
if conn is None:
|
if conn is None:
|
||||||
logger.warning(u'unable to synchronize with LDAP servers %s', force_text(block['url']))
|
logger.warning(u'unable to synchronize with LDAP servers %s', force_text(block['url']))
|
||||||
continue
|
continue
|
||||||
|
cls.check_group_to_role_mappings(block)
|
||||||
user_basedn = force_text(block.get('user_basedn') or block['basedn'])
|
user_basedn = force_text(block.get('user_basedn') or block['basedn'])
|
||||||
user_filter = force_text(block['sync_ldap_users_filter'] or block['user_filter'])
|
user_filter = force_text(block['sync_ldap_users_filter'] or block['user_filter'])
|
||||||
user_filter = user_filter.replace('%s', '*')
|
user_filter = user_filter.replace('%s', '*')
|
||||||
|
|
|
@ -511,7 +511,7 @@ def test_group_staff(slapd, settings, client, db):
|
||||||
assert not response.context['user'].is_superuser
|
assert not response.context['user'].is_superuser
|
||||||
|
|
||||||
|
|
||||||
def test_get_users(slapd, settings, db, monkeypatch):
|
def test_get_users(slapd, settings, db, monkeypatch, caplog):
|
||||||
import django.db.models.base
|
import django.db.models.base
|
||||||
from types import MethodType
|
from types import MethodType
|
||||||
from django.contrib.auth.models import Group
|
from django.contrib.auth.models import Group
|
||||||
|
@ -525,6 +525,9 @@ def test_get_users(slapd, settings, db, monkeypatch):
|
||||||
[u'cn=group2,o=ôrga', ['Group2']],
|
[u'cn=group2,o=ôrga', ['Group2']],
|
||||||
],
|
],
|
||||||
'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
|
'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
|
||||||
|
'group_to_role_mapping': [
|
||||||
|
['cn=unknown,o=dn', ['Role2']],
|
||||||
|
]
|
||||||
}]
|
}]
|
||||||
save = mock.Mock(wraps=ldap_backend.LDAPUser.save)
|
save = mock.Mock(wraps=ldap_backend.LDAPUser.save)
|
||||||
bulk_create = mock.Mock(wraps=django.db.models.query.QuerySet.bulk_create)
|
bulk_create = mock.Mock(wraps=django.db.models.query.QuerySet.bulk_create)
|
||||||
|
@ -546,7 +549,8 @@ def test_get_users(slapd, settings, db, monkeypatch):
|
||||||
# Check that if nothing changed no save() is made
|
# Check that if nothing changed no save() is made
|
||||||
save.reset_mock()
|
save.reset_mock()
|
||||||
bulk_create.reset_mock()
|
bulk_create.reset_mock()
|
||||||
users = list(ldap_backend.LDAPBackend.get_users())
|
with utils.check_log(caplog, 'ldap: unknown group "cn=unknown,o=dn" mapped to a role'):
|
||||||
|
users = list(ldap_backend.LDAPBackend.get_users())
|
||||||
assert save.call_count == 0
|
assert save.call_count == 0
|
||||||
assert bulk_create.call_count == 0
|
assert bulk_create.call_count == 0
|
||||||
|
|
||||||
|
|
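Review bot: `test_get_users` now pins only the positive case — that `cn=unknown,o=dn` is reported — so a `get_groups_dns` that returns an empty set and reports every mapping as unknown would still pass. Adding a mapping for a group that exists on the slapd fixture, e.g. `[u'cn=group2,o=ôrga', ['Role2']]` next to the unknown entry (the mapping list just above already relies on that DN, so it is presumably present), and asserting after the `with` block that `'cn=group2,o=ôrga' not in caplog.text` would cover the false-positive behaviour as well. This assumes `utils.check_log`, which is not shown here, leaves the captured records in `caplog`.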