add multiple group limit; fail when no group(s) match the group limit

This commit is contained in:
Colin Leroy 2019-05-23 09:52:21 +02:00
parent 37ae19d4c4
commit a32fcafafd
2 changed files with 26 additions and 7 deletions


@ -126,6 +126,12 @@ proxy_set_header X-Ldap-GroupTemplate "(cn=%(groupname)s)"
proxy_set_header X-Ldap-GroupLimit "group1" proxy_set_header X-Ldap-GroupLimit "group1"
``` ```
The limit can be done on multiple groups using:
```
proxy_set_header X-Ldap-GroupLimit "group1,group2"
```
The search filters can be combined from less complex filters using boolean operations and can be rather complex. The search filters can be combined from less complex filters using boolean operations and can be rather complex.
The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives as shown: The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives as shown:


@ -260,19 +260,32 @@ class LDAPAuthHandler(AuthHandler):
self.log_message('Auth OK for user "%s"' % (ctx['user'])) self.log_message('Auth OK for user "%s"' % (ctx['user']))
if ctx['grouplimit'] and ctx['groupbasedn']: if ctx['grouplimit'] and ctx['groupbasedn']:
groupsearchfilter = ctx['grouptemplate'] % { 'groupname': ctx['grouplimit'] } groups = ctx['grouplimit'].split(",", -1)
groupsearchfilter = ''
for group in groups:
if (groupsearchfilter == ''):
groupsearchfilter = '(|' + (ctx['grouptemplate'] % { 'groupname': group })
else:
groupsearchfilter += (ctx['grouptemplate'] % { 'groupname': group })
groupsearchfilter += ')'
groupResults = ldap_obj.search_s(ctx['groupbasedn'], ldap.SCOPE_SUBTREE, groupResults = ldap_obj.search_s(ctx['groupbasedn'], ldap.SCOPE_SUBTREE,
groupsearchfilter, ["memberUid"]) groupsearchfilter, ["memberUid"])
foundInGroup = False
if len(groupResults) > 0: if len(groupResults) > 0:
for dn, entry in groupResults: for dn, entry in groupResults:
if ctx['user'] in entry.get('memberUid'): if ctx['user'] in entry.get('memberUid'):
self.log_message(('found user "%s" in group "%s"') % self.log_message(('found user "%s" in group "%s"') %
(ctx['user'], ctx['grouplimit'])) (ctx['user'], dn))
else: foundInGroup = True
self.log_message(('user "%s" NOT in group "%s"') % break
(ctx['user'], ctx['grouplimit']))
self.auth_failed(ctx) if foundInGroup == False:
return self.log_message(('user not found in group(s) "%s"') %
(ctx['grouplimit']))
self.auth_failed(ctx)
return
# Successfully authenticated user # Successfully authenticated user
self.send_response(200) self.send_response(200)
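Review bot: The loop at the top of the hunk interpolates each comma-separated group name into the LDAP search filter without escaping, so a value containing filter metacharacters such as `*` or `)` changes the filter's structure instead of naming a group literally; in the reference setup the value presumably arrives via the nginx `X-Ldap-GroupLimit` header, and the handler cannot distinguish a configured value from a forwarded one. Passing each name through `ldap.filter.escape_filter_chars` (which needs `import ldap.filter` at the top of the file, outside this hunk) closes that, and stripping whitespace and dropping empty items keeps `"group1, group2"` or a trailing comma from yielding a filter that can never match. `split(",", -1)` is just `split(",")`, and further down `if foundInGroup == False:` reads better as `if not foundInGroup:`. The enclosing method starts before the hunk.
```python
groups = [g.strip() for g in ctx['grouplimit'].split(",") if g.strip()]
groupsearchfilter = '(|' + ''.join(
    ctx['grouptemplate'] % {'groupname': ldap.filter.escape_filter_chars(group)}
    for group in groups) + ')'
# … unchanged: search_s call and memberUid membership check …
```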