From 5e9f0e9ffa45fe0ffa9897a29129abd89abd0cc4 Mon Sep 17 00:00:00 2001
From: Ryan Gartin
Date: Sat, 27 Jan 2018 17:43:38 -0500
Subject: [PATCH 1/2] Adding ability to limit LDAP login to users in specific group(s)
---
 octoprint_auth_ldap/__init__.py | 41 +++++++++++++++++--
 octoprint_auth_ldap/templates/settings.jinja2 | 5 +++
 2 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/octoprint_auth_ldap/__init__.py b/octoprint_auth_ldap/__init__.py
index 8fa8da3..7f6db02 100644
--- a/octoprint_auth_ldap/__init__.py
+++ b/octoprint_auth_ldap/__init__.py
@@ -23,6 +23,8 @@ class LDAPUserManager(FilebasedUserManager,
 username = self.escapeLDAP(username)
 dn = self.findLDAPUser(username)
+ if dn is None:
+ return False
 connection.bind_s(dn, password)
 connection.unbind_s()
@@ -65,6 +67,7 @@ class LDAPUserManager(FilebasedUserManager,
 def findLDAPUser(self, userid):
 ldap_search_base = settings().get(["accessControl", "ldap_search_base"])
+ groups = settings().get(["accessControl", "groups"])
 userid = self.escapeLDAP(userid)
 if ldap_search_base is None:
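Review bot: The new `if dn is None: return False` guard rejects unknown uids, but the `connection.bind_s(dn, password)` that follows still receives whatever password the caller passed, and an empty password is treated by many directory servers (depending on their configuration) as an unauthenticated bind that succeeds (RFC 4513 §5.1.2), so a known uid with a blank password could pass this check; add `if not password: return False` beside the new guard, or reject empty passwords before calling `findLDAPUser`. The bind is also not unwound on failure as far as the hunk shows: if `bind_s` raises, `connection.unbind_s()` is skipped unless a handler outside the hunk releases it, so a `try/finally` around the bind would be safer. The enclosing method starts and ends outside the hunk.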
@@ -74,15 +77,46 @@ class LDAPUserManager(FilebasedUserManager,
 try:
 connection = self.getLDAPClient()
+ #verify user)
 result = connection.search_s(ldap_search_base, ldap.SCOPE_SUBTREE, "uid=" + userid)
- connection.unbind_s()
- if (result is None or len(result) == 0):
+ if result is None or len(result) == 0:
 return None
+ self._logger.error("LDAP-AUTH: User found!")
+
+ #check group(s)
+ if groups is not None:
+ self._logger.error("LDAP-AUTH: Checking Groups...")
+ group_filter = ""
+ if "," in groups:
+ group_list = groups.split(",")
+ group_filter = "(|"
+ for g in group_list:
+ group_filter = group_filter + "(cn=%s)" % g
+ group_filter = group_filter + ")"
+ else:
+ group_filter = "(cn=%s)" % groups
+
+ query = "(&(objectClass=posixGroup)%s(memberUid=%s))" % (group_filter, userid)
+ self._logger.error("LDAP-AUTH QUERY:" + query)
+ group_result = connection.search_s(ldap_search_base, ldap.SCOPE_SUBTREE, query)
+
+ if group_result is None or len(group_result) == 0:
+ print("LDAP-AUTH: Group not found")
+ return None
+
+ self._logger.error("LDAP-AUTH: Group matched!")
+
+ #disconnect
+ connection.unbind_s()
 #Get the DN of first user found
 dn, data = result[0]
 return dn
+ except ldap.NO_SUCH_OBJECT:
+ self._logger.error("LDAP-AUTH: NO_SUCH_OBJECT")
+ return None
+
 except ldap.LDAPError, e:
 if type(e.message) == dict:
 for (k, v) in e.message.iteritems():
@@ -149,7 +183,8 @@ class LDAPUserManager(FilebasedUserManager,
 accessControl=dict(
 ldap_uri=None,
 ldap_tls_reqcert='demand',
- ldap_search_base=None
+ ldap_search_base=None,
+ groups=None
 )
 )
diff --git a/octoprint_auth_ldap/templates/settings.jinja2 b/octoprint_auth_ldap/templates/settings.jinja2
index 05aa8b1..4946045 100644
--- a/octoprint_auth_ldap/templates/settings.jinja2
+++ b/octoprint_auth_ldap/templates/settings.jinja2
@@ -20,4 +20,9 @@
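Review bot: The early `return None` paths added here (no uid match, no group match) now leave the LDAP connection open, because the `connection.unbind_s()` that used to follow the uid search was moved behind the group check and no `finally` covers it, so every failed login leaks a connection; wrapping the body in `try: … finally: connection.unbind_s()` releases it on every exit. The group filter is also built from the raw setting: `groups.split(",")` keeps the spaces the README example uses (`Group1, Group2`), producing `(cn= Group2)`, and an empty string passes `is not None` and yields the invalid filter `(cn=)`, so a blank field fails every login instead of skipping the check as documented; parse with `names = [g.strip() for g in groups.split(",") if g.strip()]` and skip the check when the list is empty. The group names are admin-supplied settings rather than user input, but running them through the same `self.escapeLDAP` that `userid` gets keeps the filter well-formed. Separately, the normal-path tracing is emitted at `error` level and once via `print`; `self._logger.debug` fits those messages. findLDAPUser's body starts outside the hunk.
```python
        try:
            connection = self.getLDAPClient()
            try:
                # … unchanged: uid search and the `return None` when no entry comes back …

                #check group(s): a blank or whitespace-only setting skips the check
                names = [g.strip() for g in groups.split(",") if g.strip()] if groups else []
                if names:
                    clauses = "".join("(cn=%s)" % self.escapeLDAP(g) for g in names)
                    group_filter = clauses if len(names) == 1 else "(|%s)" % clauses
                    query = "(&(objectClass=posixGroup)%s(memberUid=%s))" % (group_filter, userid)
                    self._logger.debug("LDAP-AUTH query: %s", query)
                    group_result = connection.search_s(ldap_search_base, ldap.SCOPE_SUBTREE, query)
                    if group_result is None or len(group_result) == 0:
                        return None

                # … unchanged: take the DN of the first user found and return it …
            finally:
                #disconnect on every path, including the early returns above
                connection.unbind_s()
        # … unchanged: except ldap.NO_SUCH_OBJECT / ldap.LDAPError handlers …
```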
+ + +
+ +
From a36f059d110d29b47dfa2daf633b365d1adfb305 Mon Sep 17 00:00:00 2001
From: Ryan Gartin
Date: Sun, 28 Jan 2018 12:13:38 -0500
Subject: [PATCH 2/2] Update README
---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index e66b452..c03ca80 100644
--- a/README.md
+++ b/README.md
@@ -31,8 +31,13 @@ accessControl:
 ldap_uri: ldaps://ldap.server.com/
 ldap_tls_reqcert: demand
 ldap_search_base: dc=server,dc=com
+ groups: TheGroupName
 ```
+#### Groups
+- You can list multiple groups via comma seperation: Group1, Group2, Group3.
+- Leaving blank will skip a group check.
+
 #### Installation
 You can install it using ```pip install https://github.com/gillg/OctoPrint-LDAP/archive/master.zip```