From a32fcafafdc669e4798d2d5f5b15ae5cf4e3ed2b Mon Sep 17 00:00:00 2001
From: Colin Leroy
Date: Thu, 23 May 2019 09:52:21 +0200
Subject: [PATCH] add multiple group limit; fail when no group(s) match the group limit
---
 README.md                 |  6 ++++++
 nginx-ldap-auth-daemon.py | 27 ++++++++++++++++++++-------
 2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 24fabf1..d4fea53 100644
--- a/README.md
+++ b/README.md
@@ -126,6 +126,12 @@ proxy_set_header X-Ldap-GroupTemplate "(cn=%(groupname)s)"
 proxy_set_header X-Ldap-GroupLimit "group1"
 ```
+The limit can be done on multiple groups using:
+
+```
+proxy_set_header X-Ldap-GroupLimit "group1,group2"
+```
+
 The search filters can be combined from less complex filters using boolean operations and can be rather complex.
 The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives as shown:
diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
index 7153f34..2691f00 100755
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@@ -260,19 +260,32 @@ class LDAPAuthHandler(AuthHandler):
                 self.log_message('Auth OK for user "%s"' % (ctx['user']))
                 if ctx['grouplimit'] and ctx['groupbasedn']:
-                    groupsearchfilter = ctx['grouptemplate'] % { 'groupname': ctx['grouplimit'] }
+                    groups = ctx['grouplimit'].split(",", -1)
+                    groupsearchfilter = ''
+                    for group in groups:
+                        if (groupsearchfilter == ''):
+                            groupsearchfilter = '(|' + (ctx['grouptemplate'] % { 'groupname': group })
+                        else:
+                            groupsearchfilter += (ctx['grouptemplate'] % { 'groupname': group })
+
+                    groupsearchfilter += ')'
+
                     groupResults = ldap_obj.search_s(ctx['groupbasedn'], ldap.SCOPE_SUBTREE, groupsearchfilter, ["memberUid"])
+                    foundInGroup = False
                     if len(groupResults) > 0:
                         for dn, entry in groupResults:
                             if ctx['user'] in entry.get('memberUid'):
                                 self.log_message(('found user "%s" in group "%s"') %
-                                    (ctx['user'], ctx['grouplimit']))
-                            else:
-                                self.log_message(('user "%s" NOT in group "%s"') %
-                                    (ctx['user'], ctx['grouplimit']))
-                                self.auth_failed(ctx)
-                                return
+                                    (ctx['user'], dn))
+                                foundInGroup = True
+                                break
+
+                    if foundInGroup == False:
+                        self.log_message(('user not found in group(s) "%s"') %
+                            (ctx['grouplimit']))
+                        self.auth_failed(ctx)
+                        return
                 # Successfully authenticated user
                 self.send_response(200)
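Review bot: The membership test `if ctx['user'] in entry.get('memberUid'):` raises TypeError when a matched group carries no memberUid attribute, because `.get` returns None and `in None` is not allowed; with the new `(|...)` filter returning several groups, one empty group now aborts the whole check with an exception instead of falling through to the next entry, so it should read `if ctx['user'] in (entry.get('memberUid') or []):`. The new loop also interpolates each comma-separated name unescaped into the LDAP filter and neither strips whitespace nor drops empty items, so `"group1, group2"` searches for `" group2"` and a trailing comma produces an empty term; building the list as `groups = [g.strip() for g in ctx['grouplimit'].split(',') if g.strip()]` and passing each name through `ldap.filter.escape_filter_chars` (adding `import ldap.filter` if the file lacks it) closes both, and since the header is presumably set by the nginx config rather than by the client the escaping is defense in depth. If the daemon runs under Python 3, python-ldap returns memberUid values as bytes and the `in` test against the str `ctx['user']` would never match, which is fail-closed but would deny everyone; worth confirming which interpreter the script targets. The enclosing method of LDAPAuthHandler begins and ends outside this hunk.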