From 4936446940d2977f2b96d26578446156e5959ee8 Mon Sep 17 00:00:00 2001
From: Colin Leroy
Date: Tue, 27 Nov 2018 12:02:31 +0100
Subject: [PATCH] * Add optional group limit

---
 debian/nginx-ldap-auth.init | 2 +-
 nginx-ldap-auth-daemon.py | 31 +++++++++++++++++++++++++++++++
 nginx-ldap-auth.default | 3 +++
 nginx-ldap-auth.service | 2 +-
 4 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/debian/nginx-ldap-auth.init b/debian/nginx-ldap-auth.init
index 86082f4..ab60847 100755
--- a/debian/nginx-ldap-auth.init
+++ b/debian/nginx-ldap-auth.init
@@ -40,7 +40,7 @@ case "$1" in
 fi
 SSDOPTS="--quiet --oknodo --background --no-close --make-pidfile --pidfile $PIDFILE --chuid $USER:$GROUP --exec $DAEMON"
- DAEMON_ARGS="$URL $BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $REALM"
+ DAEMON_ARGS="$URL $BASE $GROUP_BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $GROUP_FILTER $GROUP_LIMIT $REALM"
 if start-stop-daemon --start $SSDOPTS -- $DAEMON_ARGS > $LOG 2>&1
 then
diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
index bdfafff..7153f34 100755
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@@ -151,7 +151,10 @@ class LDAPAuthHandler(AuthHandler):
 'starttls': ('X-Ldap-Starttls', 'false'),
 'disable_referrals': ('X-Ldap-DisableReferrals', 'false'),
 'basedn': ('X-Ldap-BaseDN', None),
+ 'groupbasedn': ('X-Ldap-GroupBaseDN', None),
+ 'grouplimit': ('X-Ldap-GroupLimit', None),
 'template': ('X-Ldap-Template', '(cn=%(username)s)'),
+ 'grouptemplate': ('X-Ldap-GroupTemplate', '(cn=%(groupname)s)'),
 'binddn': ('X-Ldap-BindDN', ''),
 'bindpasswd': ('X-Ldap-BindPass', ''),
 'cookiename': ('X-CookieName', '')
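Review bot: The value read from the new `X-Ldap-GroupLimit` header is later substituted into an LDAP filter in this patch (`ctx['grouptemplate'] % { 'groupname': ctx['grouplimit'] }`) without escaping, so a group name containing filter metacharacters changes the query instead of failing cleanly. These headers are normally set by the nginx configuration, but if the auth location forwards client-supplied headers the value is no longer operator-controlled; run the group name through `ldap.filter.escape_filter_chars` before substitution, the same treatment the username substitution needs. The `grouplimit` default is `None` here but `''` on the command-line side; both are falsy in the later `if ctx['grouplimit'] and ctx['groupbasedn']` test, and a comment on these two entries stating that the header is only honoured together with `X-Ldap-GroupBaseDN` would save operators a surprise. The enclosing dict starts outside the hunk.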
@@ -223,6 +226,9 @@ class LDAPAuthHandler(AuthHandler):
 '"%s" with filter "%s"') %
 (ctx['url'], ctx['basedn'], searchfilter))
+ self.log_message(('groupBaseDn is "%s", groupLimit is "%s"') %
+ (ctx['groupbasedn'], ctx['grouplimit']))
+
 ctx['action'] = 'running search query'
 results = ldap_obj.search_s(ctx['basedn'], ldap.SCOPE_SUBTREE,
 searchfilter, ['objectclass'], 1)
@@ -253,6 +259,21 @@ class LDAPAuthHandler(AuthHandler):
 self.log_message('Auth OK for user "%s"' % (ctx['user']))
+ if ctx['grouplimit'] and ctx['groupbasedn']:
+ groupsearchfilter = ctx['grouptemplate'] % { 'groupname': ctx['grouplimit'] }
+ groupResults = ldap_obj.search_s(ctx['groupbasedn'], ldap.SCOPE_SUBTREE,
+ groupsearchfilter, ["memberUid"])
+ if len(groupResults) > 0:
+ for dn, entry in groupResults:
+ if ctx['user'] in entry.get('memberUid'):
+ self.log_message(('found user "%s" in group "%s"') %
+ (ctx['user'], ctx['grouplimit']))
+ else:
+ self.log_message(('user "%s" NOT in group "%s"') %
+ (ctx['user'], ctx['grouplimit']))
+ self.auth_failed(ctx)
+ return
+
 # Successfully authenticated user
 self.send_response(200)
 self.end_headers()
@@ -295,6 +316,10 @@ if __name__ == '__main__':
 help=("Sets ldap.OPT_REFERRALS to zero (Default: false)"))
 group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
 help="LDAP base dn (Default: unset)")
+ group.add_argument('-g', metavar="groupBaseDn", dest="groupbasedn", default='',
+ help="LDAP group base dn (Default: unset)")
+ group.add_argument('-G', metavar="groupLimit", dest="grouplimit", default='',
+ help="Limit to users in group (Default: unset)")
 group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
 help="LDAP bind DN (Default: anonymous)")
 group.add_argument('-w', metavar="passwd", dest="bindpw", default='',
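Review bot: The group restriction in the `@@ -253` hunk fails open: when `search_s` returns no entry for the configured group, `len(groupResults) > 0` is false, the whole check is skipped and the user is granted access, so a mistyped group name or group base DN silently disables the limit. `entry.get('memberUid')` also returns `None` for a group entry without that attribute, making the `in` test raise `TypeError`, and with several matching group entries the loop denies the user on the first entry that lacks them even if a later one contains them. Under Python 3 with a current python-ldap the attribute values are `bytes` while `ctx['user']` is presumably `str`, so the comparison would never match — worth confirming against the runtime in use. Collecting members across all results and denying unless the user is found, as below, addresses the first three points; the `Auth OK` log line should also move after the group check so the log does not report success for a request that is then refused. The enclosing method starts and ends outside the hunk.
```python
                if ctx['grouplimit'] and ctx['groupbasedn']:
                    groupsearchfilter = ctx['grouptemplate'] % { 'groupname': ctx['grouplimit'] }
                    groupResults = ldap_obj.search_s(ctx['groupbasedn'], ldap.SCOPE_SUBTREE,
                                                     groupsearchfilter, ["memberUid"])
                    # Fail closed: a group that cannot be found must deny, not skip the check.
                    members = set()
                    for dn, entry in groupResults:
                        members.update(entry.get('memberUid', []))
                    # NOTE(review): python-ldap may return bytes here; decode before comparing if so.
                    if ctx['user'] not in members:
                        self.log_message(('user "%s" NOT in group "%s"') %
                                         (ctx['user'], ctx['grouplimit']))
                        self.auth_failed(ctx)
                        return
                    self.log_message(('found user "%s" in group "%s"') %
                                     (ctx['user'], ctx['grouplimit']))

                # … unchanged: 200 response …
```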
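Review bot: The `-G` help text in the `@@ -295` hunk does not say that the limit only takes effect together with `-g`: the guard added elsewhere in this patch is `if ctx['grouplimit'] and ctx['groupbasedn']`, so `-G` without `-g` is silently ignored and every authenticated user passes. Either state it in the help, `help="Limit to users in group; ignored unless -g is also set (Default: unset)"`, or better, have the daemon refuse to start (or fall back to the `-b` base DN) when `-G` is given without `-g`. The argument-parsing block continues outside the hunk.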
@@ -302,6 +327,9 @@ if __name__ == '__main__':
 group.add_argument('-f', '--filter', metavar='filter',
 default='(cn=%(username)s)',
 help="LDAP filter (Default: cn=%%(username)s)")
+ group.add_argument('-x', '--groupfilter', metavar='groupfilter',
+ default='(cn=%(groupname)s)',
+ help="LDAP group filter (Default: cn=%%(groupname)s)")
 # http options:
 group = parser.add_argument_group(title="HTTP options")
 group.add_argument('-R', '--realm', metavar='"Restricted Area"',
@@ -318,7 +346,10 @@ if __name__ == '__main__':
 'starttls': ('X-Ldap-Starttls', args.starttls),
 'disable_referrals': ('X-Ldap-DisableReferrals', args.disable_referrals),
 'basedn': ('X-Ldap-BaseDN', args.basedn),
+ 'groupbasedn': ('X-Ldap-GroupBaseDN', args.groupbasedn),
+ 'grouplimit': ('X-Ldap-GroupLimit', args.grouplimit),
 'template': ('X-Ldap-Template', args.filter),
+ 'grouptemplate': ('X-Ldap-GroupTemplate', args.groupfilter),
 'binddn': ('X-Ldap-BindDN', args.binddn),
 'bindpasswd': ('X-Ldap-BindPass', args.bindpw),
 'cookiename': ('X-CookieName', args.cookie)
diff --git a/nginx-ldap-auth.default b/nginx-ldap-auth.default
index 39dc74f..5a13570 100644
--- a/nginx-ldap-auth.default
+++ b/nginx-ldap-auth.default
@@ -4,10 +4,13 @@
 #
 #URL="--url ldap://example.com:389"
 #BASE="-b dc=nodomain"
+#GROUP_BASE="-b dc=nodomain"
 #BIND_DN="-D cn=admin,dc=nodomain"
 #BIND_PASS="-w secret"
 #COOKIE="-c nginxauth"
 #FILTER="-f (cn=%(username)s)"
+#GROUP_FILTER="-x (cn=%(groupname)s)"
+#GROUP_LIMIT=""
 #REALM="-R 'Restricted Area'"
 # these are used with init scripts only
diff --git a/nginx-ldap-auth.service b/nginx-ldap-auth.service
index ef9eddf..bc11cb6 100644
--- a/nginx-ldap-auth.service
+++ b/nginx-ldap-auth.service
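Review bot: `#GROUP_BASE="-b dc=nodomain"` in the nginx-ldap-auth.default hunk uses the wrong option: the group base DN flag this patch adds to the daemon is `-g` (`-b` is the user base DN), so uncommenting the line as written passes a second `-b`, which argparse takes as the user base DN and leaves the group base unset — and with the group base unset the daemon skips the group check entirely. It should read `#GROUP_BASE="-g dc=nodomain"`. `#GROUP_LIMIT=""` would also be clearer as an example of the expected form, e.g. `#GROUP_LIMIT="-G webusers"` (constructed value), ideally with a comment that GROUP_BASE and GROUP_LIMIT must be set together for the limit to apply.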
@@ -8,7 +8,7 @@ User=nginx-ldap-auth
 Group=nginx-ldap-auth
 WorkingDirectory=/var/run
 EnvironmentFile=/etc/default/nginx-ldap-auth
-ExecStart=/usr/bin/nginx-ldap-auth-daemon $URL $BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $REALM
+ExecStart=/usr/bin/nginx-ldap-auth-daemon $URL $BASE $GROUP_BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $GROUP_FILTER $GROUP_LIMIT $REALM
 KillMode=process
 KillSignal=SIGINT
 Restart=on-failure