dignajar / another-ldap-auth

LDAP Authentication for Nginx, Nginx ingress controller (Kubernetes), and HAProxy via a subrequest.
MIT License
41 stars 20 forks

Groups lookup fails if a single match doesn't have the regular expression match #29

Closed aakarshg closed 3 years ago

aakarshg commented 3 years ago

Let's take an example of a group as follows:

ipaUniqueID=blahblah-blah,cn=sudorules,cn=sudo,dc=blah,dc=net

When the search hits this particular group, it will crash due to an AttributeError, as the code doesn't handle it and will not try to process the next set of groups. The error looks something like this:

  File "/home/aldap/main.py", line 200, in login
    validGroups, matchedGroups = cache.validateGroups(username, matchingGroups)
  File "/home/aldap/cache.py", line 98, in validateGroups
    matches = list(filter(None,list(map(self.__findMatch__, repeat(group), adGroups))))
  File "/home/aldap/cache.py", line 73, in __findMatch__
    adGroup = re.match('(?i)CN=((\w*\s?_?-?)*)', adGroup).group(1)
AttributeError: 'NoneType' object has no attribute 'group'

aakarshg commented 3 years ago

I've a fix incoming for this. Will be opening a PR shortly.

dignajar commented 3 years ago

Why that structure for groups?

For LDAP the groups are composed like this:

memberof=CN=YourGroup,....

aakarshg commented 3 years ago

FreeIPA does it like that :sweat:

dignajar commented 3 years ago

Fixed in the new version. Thank you!
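
The failure reported in this issue, reproduced as an added example (not code from the thread or from the project, and not necessarily how the project fixed it). The pattern is the one shown in the traceback; the sample DNs other than the FreeIPA one, the function names, and the case-insensitive exact comparison in `matched_groups` are assumptions made for illustration.

```python
import re

# Pattern copied from the traceback in the issue (cache.py, line 73).
CN_PATTERN = re.compile(r'(?i)CN=((\w*\s?_?-?)*)')

# Constructed sample group DNs; the second is the FreeIPA-style entry from the issue.
SAMPLE_GROUPS = [
    'CN=DevOps Team,OU=Groups,DC=blah,DC=net',
    'ipaUniqueID=blahblah-blah,cn=sudorules,cn=sudo,dc=blah,dc=net',
    'cn=admins,cn=groups,cn=accounts,dc=blah,dc=net',
]


def group_name_unsafe(dn):
    """Behaviour seen in the traceback: assumes every DN starts with CN=."""
    # re.match anchors at position 0, so a DN whose first RDN is not CN=
    # yields None and .group(1) raises AttributeError.
    return CN_PATTERN.match(dn).group(1)


def group_name_safe(dn):
    """Return the leading CN value, or None when the DN does not start with CN=."""
    m = CN_PATTERN.match(dn)
    return m.group(1) if m else None


def matched_groups(required, dns):
    """Hypothetical helper: required groups the user holds, skipping unparsable DNs."""
    # An unparsable DN contributes no name, so it can never satisfy a
    # required group, and the remaining entries are still evaluated.
    names = {n.lower() for n in map(group_name_safe, dns) if n}
    return [g for g in required if g.lower() in names]


if __name__ == '__main__':
    for dn in SAMPLE_GROUPS:
        try:
            print('unsafe:', repr(group_name_unsafe(dn)))
        except AttributeError as exc:
            print('unsafe: AttributeError:', exc)
        print('safe:  ', repr(group_name_safe(dn)))
    print(matched_groups(['DevOps Team', 'sudorules'], SAMPLE_GROUPS))
```

Because `re.match` only matches at the start of the string, the `cn=sudorules` component later in the FreeIPA DN is never considered; the entry is skipped rather than granting membership of a group named `sudorules`.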