Merge pull request #4 from nitrag/master

Add Group Verfications

README.md

@@ -31,8 +31,13 @@ accessControl:
   ldap_uri: ldaps://ldap.server.com/
   ldap_tls_reqcert: demand
   ldap_search_base: dc=server,dc=com
+  groups: TheGroupName
 ```
 
+#### Groups
+- You can list multiple groups via comma seperation: Group1, Group2, Group3. 
+- Leaving blank will skip a group check.
+
 #### Installation
 
 You can install it using ```pip install https://github.com/gillg/OctoPrint-LDAP/archive/master.zip```

octoprint_auth_ldap/__init__.py

@@ -23,6 +23,8 @@ class LDAPUserManager(FilebasedUserManager,
 
             username = self.escapeLDAP(username)
             dn = self.findLDAPUser(username)
+            if dn is None:
+                return False
             connection.bind_s(dn, password)
             connection.unbind_s()
 
@@ -65,6 +67,7 @@ class LDAPUserManager(FilebasedUserManager,
 
     def findLDAPUser(self, userid):
         ldap_search_base = settings().get(["accessControl", "ldap_search_base"])
+        groups = settings().get(["accessControl", "groups"])
         userid = self.escapeLDAP(userid)
 
         if ldap_search_base is None:
@@ -74,15 +77,46 @@ class LDAPUserManager(FilebasedUserManager,
         try:
             connection = self.getLDAPClient()
 
+            #verify user)
             result = connection.search_s(ldap_search_base, ldap.SCOPE_SUBTREE, "uid=" + userid)
-            connection.unbind_s()
-            if (result is None or len(result) == 0):
+            if result is None or len(result) == 0:
                 return None
+            self._logger.error("LDAP-AUTH: User found!")
+
+            #check group(s)
+            if groups is not None:
+                self._logger.error("LDAP-AUTH: Checking Groups...")
+                group_filter = ""
+                if "," in groups:
+                    group_list = groups.split(",")
+                    group_filter = "(|"
+                    for g in group_list:
+                        group_filter = group_filter + "(cn=%s)" % g
+                    group_filter = group_filter + ")"
+                else:
+                    group_filter = "(cn=%s)" % groups
+
+                query = "(&(objectClass=posixGroup)%s(memberUid=%s))" % (group_filter, userid)
+                self._logger.error("LDAP-AUTH QUERY:" + query)
+                group_result = connection.search_s(ldap_search_base, ldap.SCOPE_SUBTREE, query)
+
+                if group_result is None or len(group_result) == 0:
+                    print("LDAP-AUTH: Group not found")
+                    return None
+
+                self._logger.error("LDAP-AUTH: Group matched!")
+
+            #disconnect
+            connection.unbind_s()
 
             #Get the DN of first user found
             dn, data = result[0]
             return dn
 
+        except ldap.NO_SUCH_OBJECT:
+            self._logger.error("LDAP-AUTH: NO_SUCH_OBJECT")
+            return None
+
         except ldap.LDAPError, e:
             if type(e.message) == dict:
                 for (k, v) in e.message.iteritems():
@@ -149,7 +183,8 @@ class LDAPUserManager(FilebasedUserManager,
             accessControl=dict(
                 ldap_uri=None,
                 ldap_tls_reqcert='demand',
-                ldap_search_base=None
+                ldap_search_base=None,
+                groups=None
             )
         )
 

octoprint_auth_ldap/templates/settings.jinja2

@@ -20,4 +20,9 @@
     <div class="controls">
         <input id="plugin_ldap_search_base" type="text" class="input-block-level" data-bind="value: settings.accessControl.ldap_search_base"/>
     </div>
+    
+    <label for="plugin_ldap_groups" class="control-label">{{ _('Groups (comma-separated if multiple)') }}</label>
+    <div class="controls">
+        <input id="plugin_ldap_groups" type="text" class="input-block-level" data-bind="value: settings.accessControl.groups"/>
+    </div>
 </form>