collective / pas.plugins.ldap

Zope (and Plone) PAS Plugin providing users and groups from LDAP directory
http://pypi.python.org/pypi/pas.plugins.ldap

pas.plugins.ldap does not handle correctly LDAP aliases #41

Closed netdiver closed 7 years ago

netdiver commented 7 years ago

Plone 5.0.6, pas.plugins.ldap 1.5.1, openldap 2.4.31

Our LDAP tree is full of aliased objects. The node inspector is unable to handle the aliases. When opening an aliased subtree this error shows in log:

Traceback (innermost last):
  Module ZPublisher.Publish, line 138, in publish
  Module ZPublisher.mapply, line 77, in mapply
  Module ZPublisher.Publish, line 48, in call_object
  Module pas.plugins.ldap.plonecontrolpanel.inspector, line 50, in node_attributes
  Module node.ext.ldap._node, line 439, in node_by_dn
ValueError: Invalid base DN

Is it a node.ext.ldap problem?

rnixx commented 7 years ago

Either it's a configuration problem or a bug in node.ext.ldap. May you provide an LDIF dump, the pas.plugins.ldap settings and the steps to reproduce please?

netdiver commented 7 years ago

I noticed that I didn't mention that the pas.plugins.ldap product does not work in our setup; the node inspector behavior is only a side effect demonstrating the inability to browse the tree. I'm trying to set up a test bed and give full details about how to reproduce.

netdiver commented 7 years ago

We made a little debugging effort. Since I need some time to create a test LDAP tree, I'll try to explain. We use aliases, so in a certain base, for example ou=people,ou=department,dc=example,dc=org, we have a list of aliases that are dereferenced (correctly) as uid=john.doe,ou=people,dc=example,dc=org. But at lines 438-439 of _node.py in node.ext.ldap:

    if not dn.endswith(base_dn):
        raise ValueError(u'Invalid base DN')

As you can see, the right part of the user's DN, i.e. ou=people,dc=example,dc=org, is not equal to the base DN, i.e. ou=people,ou=department,dc=example,dc=org, so the if statement is true and the error is raised. So node.ext.ldap is not capable of handling LDAP trees with aliases, or pas.plugins.ldap should have been feeding the node.ext.ldap node_by_dn method with different values for the base DN of the object inspected, dynamically checking the unaliased object.
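
The alias case from the comment above, reproduced as an added example (not code from pas.plugins.ldap or node.ext.ldap): the quoted suffix test is run next to a component-wise DN comparison, using the constructed DNs from the comment. The RDN splitter, the lower-casing of attribute values and the function names are this example's own assumptions.

```python
# Added example: contrast the bare string suffix test quoted from _node.py
# with a component-wise "is this DN under that base?" check.

def split_dn(dn):
    """Split a DN into its RDN components, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def normalise_rdn(rdn):
    # Attribute types are case-insensitive in LDAP; treating the values of
    # naming attributes (ou, dc, uid) as case-insensitive too is an assumption.
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def is_under_base(dn, base_dn):
    """True iff the trailing RDNs of dn equal base_dn, component by component."""
    dn_parts = [normalise_rdn(r) for r in split_dn(dn)]
    base_parts = [normalise_rdn(r) for r in split_dn(base_dn)]
    if not base_parts or len(base_parts) > len(dn_parts):
        return False
    return dn_parts[-len(base_parts):] == base_parts


def naive_endswith(dn, base_dn):
    """The check quoted from node.ext.ldap: a plain string suffix test."""
    return dn.endswith(base_dn)


# Constructed DNs from the comment: the dereferenced alias target really is
# outside the configured base, so both checks reject it and the error is
# raised; the alias must be handled before this check, not by relaxing it.
BASE = "ou=people,ou=department,dc=example,dc=org"
DEREFERENCED = "uid=john.doe,ou=people,dc=example,dc=org"
```

Beyond the alias case, the component-wise check also rejects a DN whose parent happens to end in the same characters (for example ou=xpeople,...) and accepts one that differs only in case, which the suffix test gets wrong.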

rnixx commented 7 years ago

So this issue belongs to node.ext.ldap. Thanks for pointing this out.

martinmesa commented 7 years ago

Hello, I have tried configuring pas.plugins.ldap to connect to Active Directory. The connection process is fine, but when I click on the LDAP Inspector and select the user option, the system lists all the organization units without problems, but when I click on some it does not work. System logs:

2017-04-10T10:44:06 ERROR Zope.SiteErrorLog 1491835446.220.670995204384 http://plone.xxxx.xx:8080/Plone/@@plone_ldapnodeattributes
Traceback (innermost last):
  Module ZPublisher.Publish, line 138, in publish
  Module ZPublisher.mapply, line 77, in mapply
  Module ZPublisher.Publish, line 48, in call_object
  Module pas.plugins.ldap.plonecontrolpanel.inspector, line 50, in node_attributes
  Module node.ext.ldap._node, line 443, in node_by_dn
ValueError: Invalid base DN

GET /Plone/@@plone_ldapnodeattributes?dn=OU=XXXXXX,OU=Usuarios,DC=xxx,DC=xxx,DC=xx&base=users&=1491835356150

rnixx commented 7 years ago

Looks like you have not correctly configured the search base DN for principals.

rnixx commented 7 years ago

With node.ext.ldap 1.0b4 this problem should be gone. May you test this please?