Modify

Opened 7 years ago

Closed 6 years ago

#13061 closed defect (fixed)

DirectoryAuth - expand_user_groups fails with group_nameattr = dn

Reported by: Martin Kofahl Owned by: bebbo
Priority: normal Component: DirectoryAuthPlugin
Severity: normal Keywords: patch
Cc: Trac Release: 1.0

Description

Having group_nameattr set to dn, a LDAP server may not return the dn twice and auth.py fails. Patch attached. 

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/trac/web/main.py", line 512, in _dispatch_request
    dispatcher.dispatch(req)
  File "/usr/lib/python2.7/dist-packages/trac/web/main.py", line 221, in dispatch
    resp = chosen_handler.process_request(req)
  File "/usr/lib/python2.7/dist-packages/acct_mgr/web_ui.py", line 381, in process_request
    if req.path_info.startswith('/login') and req.authname == 'anonymous':
  File "/usr/lib/python2.7/dist-packages/trac/web/api.py", line 353, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.7/dist-packages/trac/web/main.py", line 136, in authenticate
    authname = authenticator.authenticate(req)
  File "/usr/lib/python2.7/dist-packages/acct_mgr/util.py", line 82, in wrap
    return func(self, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/acct_mgr/web_ui.py", line 338, in authenticate
    user = self._remote_user(req)
  File "/usr/lib/python2.7/dist-packages/acct_mgr/web_ui.py", line 684, in _remote_user
    if acctmgr.check_password(user, password) == True:
  File "/usr/lib/python2.7/dist-packages/acct_mgr/api.py", line 259, in check_password
    valid = store.check_password(user, password)
  File "build/bdist.linux-x86_64/egg/tracext/dirauth/auth.py", line 243, in check_password
    usergroups = self._expand_user_groups(user, NOCACHE)
  File "build/bdist.linux-x86_64/egg/tracext/dirauth/auth.py", line 381, in _expand_user_groups
    group = entry[1][self.group_nameattr][0]
KeyError: u'dn'

Attachments (1)

directoryauthplugin_auth.patch (3.3 KB) - added by Martin Kofahl 7 years ago.

Download all attachments as: .zip

Change History (6)

Changed 7 years ago by Martin Kofahl

Attachment: directoryauthplugin_auth.patch added

comment:1 Changed 7 years ago by Martin Kofahl

Remarks and discussion points on the extended patch:

  • L96: The configured group_validusers has to be lower-case right now. But comparing with .lower() in check_password() might be somewhat more straightforward.
  • L381: If group_nameattr is set to dn, a LDAP may return only one column.
  • L389: This prevents enumerating nested groups.
  • L393: _get_parent_groups() returns an extened list, so don't create a multidimensional array.
  • L407: In my tests, the groups didn't had a @ prepended.
  • L429: Bracket missing
  • L436: If group_nameattr is set to dn, a LDAP may return only one column.
  • L466: _get_parent_groups() returns an extened list, so don't create a multidimensional array.

comment:2 Changed 7 years ago by figaro

Keywords: patch added

comment:3 Changed 6 years ago by bebbo

  • @L96: the case must match the ldap servers response. lowercase is not always true.
  • @L407: use the constant GROUP_PREFIX

also add the group.

Now it's still working here.

comment:4 Changed 6 years ago by bebbo

In 17285:

refs #13061: apply and fix the provided patch

comment:5 Changed 6 years ago by bebbo

Resolution: fixed
Status: newclosed

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain bebbo.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences.

AttachmentsDescription
 
Note: See TracTickets for help on using tickets.