add multiple group limit; fail when no group(s) match the group limit

2019-05-23 09:52:21 +02:00 · 2019-05-23 09:52:21 +02:00 · a32fcafafd
parent 37ae19d4c4
commit a32fcafafd
2 changed files with 26 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -126,6 +126,12 @@ proxy_set_header X-Ldap-GroupTemplate "(cn=%(groupname)s)"
 proxy_set_header X-Ldap-GroupLimit "group1"
 ```

+The limit can be done on multiple groups using:
+
+```
+proxy_set_header X-Ldap-GroupLimit "group1,group2"
+```
+
 The search filters can be combined from less complex filters using boolean operations and can be rather complex.

 The reference implementation uses cookie-based authentication. If you are using HTTP basic authentication instead, comment out the following directives as shown:
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@ -260,17 +260,30 @@ class LDAPAuthHandler(AuthHandler):
            self.log_message('Auth OK for user "%s"' % (ctx['user']))

            if ctx['grouplimit'] and ctx['groupbasedn']:
-                groupsearchfilter = ctx['grouptemplate'] % { 'groupname': ctx['grouplimit'] }
+                groups = ctx['grouplimit'].split(",", -1)
+                groupsearchfilter = ''
+                for group in groups:
+                    if (groupsearchfilter == ''):
+                        groupsearchfilter = '(|' + (ctx['grouptemplate'] % { 'groupname': group })
+                    else:
+                        groupsearchfilter += (ctx['grouptemplate'] % { 'groupname': group })
+
+                groupsearchfilter += ')'
+
                groupResults = ldap_obj.search_s(ctx['groupbasedn'], ldap.SCOPE_SUBTREE,
                                          groupsearchfilter, ["memberUid"])
+                foundInGroup = False
                if len(groupResults) > 0:
                    for dn, entry in groupResults:
                        if ctx['user'] in entry.get('memberUid'):
                            self.log_message(('found user "%s" in group "%s"') %
-                                (ctx['user'], ctx['grouplimit']))
-                        else:
-                            self.log_message(('user "%s" NOT in group "%s"') %
-                                (ctx['user'], ctx['grouplimit']))
+                                (ctx['user'], dn))
+                            foundInGroup = True
+                            break
+
+                if foundInGroup == False:
+                    self.log_message(('user not found in group(s) "%s"') %
+                        (ctx['grouplimit']))
                    self.auth_failed(ctx)
                    return