nickw444 / flask-ldap3-login

LDAP3 Logins for Flask/Flask-Login

Home Page:http://flask-ldap3-login.readthedocs.org/en/latest/

Returned group memberships is empty

psychomantys opened this issue · comments

I have the ldap database:

version: 1

dn: dc=br
objectClass: top
objectClass: dcObject
objectClass: organization
dc: br
o: SCS

dn: dc=com,dc=br
objectClass: domain
objectClass: top
dc: com

dn: cn=admin,dc=br
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: dc=vfd,dc=com,dc=br
objectClass: domain
objectClass: top
dc: vfd

dn: ou=Groups,dc=vfd,dc=com,dc=br
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: ou=People,dc=vfd,dc=com,dc=br
objectClass: organizationalUnit
objectClass: top
ou: People

dn: cn=owncloud,ou=Groups,dc=vfd,dc=com,dc=br
objectClass: groupOfUniqueNames
objectClass: top
cn: owncloud
uniqueMember: uid=psycho,ou=People,dc=vfd,dc=com,dc=br

dn: uid=psycho,ou=People,dc=vfd,dc=com,dc=br
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: shadowAccount
objectClass: mailAccount
objectClass: posixAccount
objectClass: top
cn: Baltazar
gidNumber: 1000
homeDirectory: /home/psycho
sn: Tavares Vanderlei
uid: psycho
uidNumber: 1000
loginShell: /bin/bash

And the following config:

app=create_app(config={
	"SQLALCHEMY_DATABASE_URI" : 'sqlite:///test.db',
	"SECRET_KEY" : 'XXXXXXXXXXXXXXXXXX',
	"DEBUG" : True,
	"LDAP_HOST" : 'ldaps://localhost',
	# Base DN of your directory
	"LDAP_BASE_DN" : 'dc=br',
	# Users DN to be prepended to the Base DN
	"LDAP_USER_DN" : 'ou=People,dc=vfd,dc=com',
	# Groups DN to be prepended to the Base DN
	"LDAP_GROUP_DN" : 'ou=Groups,dc=vfd,dc=com',
	"LDAP_GROUP_OBJECT_FILTER" : '(objectClass=groupOfUniqueNames)',
	# The Username to bind to LDAP with
	"LDAP_BIND_USER_DN" : None,
	# The Password to bind to LDAP with
	"LDAP_BIND_USER_PASSWORD" : None,
	"LDAP_USER_SEARCH_SCOPE" : "SUBTREE",
	"LDAP_GROUP_SEARCH_SCOPE" : "SUBTREE",
	"LDAP_SEARCH_FOR_GROUPS" : True,
	"LDAP_GROUP_MEMBERS_ATTR" : "uniqueMember"
})

When I use the Flask-Ldap3-Login code:

@ldap_manager.save_user
def save_user(dn, username, data, memberships=None):
	print(memberships)
	...

The line print(memberships) prints only []. Shouldn't the list contain the groups the user belongs to, or did I not get it right?

Is the code for groups working, am I doing something wrong, or is it maybe something more?

I need this to implement flask-principal (or something like it). I'm holding myself back from using ldap3's API directly. Is it possible to help me with this? More people may have this error and need this. If someone helps, I can write the test code to serve as an example.

Hi, thanks for raising the issue.

So I can get a little more info, what is the output of:

import logging

logging.getLogger('flask_ldap3_login').setLevel(logging.DEBUG)

...

ldap_manager.get_user_groups(dn='uid=psycho,ou=People,dc=vfd,dc=com,dc=br')

Thanks!

Hi, sorry about the delay, but I'm implementing the flask-principal integration with ldap3 now, though it would be nice to have fewer dependencies in my project.

My LDAP users do not have permission to view the groups; maybe this is the error. The new ldap-ldif config is making me crazy.

But I think maybe I found something: which user is used for the bind in the search? I modified the config to use an admin user, but I think the user used is the bind user, not the admin I provided in the config....

The relevant output:

DEBUG:flask_ldap3_login:Opening connection with bind user 'uid=psycho,ou=People,dc=vfd,dc=com,dc=br'
DEBUG:flask_ldap3_login:Authentication was successful for user 'psycho'
DEBUG:flask_ldap3_login:Searching for groups for specific user with filter '(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=psycho,ou=People,dc=vfd,dc=com,dc=br))' , base 'ou=Groups,dc=vfd,dc=com,dc=br' and scope 'SUBTREE'
ERROR:flask_ldap3_login:LDAPNoSuchObjectResult - 32 - noSuchObject - None - None - searchResDone - None
DEBUG:flask_ldap3_login:Destroying connection at <0x7f2584731780>
127.0.0.1 - - [30/Nov/2018 09:31:22] "POST /login HTTP/1.1" 200 -
INFO:werkzeug:127.0.0.1 - - [30/Nov/2018 09:31:22] "POST /login HTTP/1.1" 200 -

My LDAP users do not have permission to view the groups; maybe this is the error. The new ldap-ldif config is making me crazy.

Ah this sounds exactly like the issue! By default, the LDAP search for groups will be performed in the context of the user who is authenticating. If those users have no permission, then you won't be able to see the groups.

The alternative to this is to use an LDAP_BIND_USER_DN and LDAP_BIND_USER_PASSWORD, which flask_ldap3_login will use to query the LDAP server. However, this won't work out of the box, since groups found during login are fetched using the user's bind context.

Instead you must make an additional call to manager.get_user_groups(), which will query the tree for user groups using LDAP_BIND_USER_DN and LDAP_BIND_USER_PASSWORD.

Hope this helps!

Closing due to inactivity.

Sorry to comment on such an old thread but I believe I'm struggling with exactly this. I am able to use the get_user_groups() function to successfully return memberships, but how do I feed that data to the login process? No matter what, despite successful authentication, every login attempt ends up redirecting to my @login_manager.unauthorized_handler view.
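Added example (not code from the project or from anyone in this thread) putting the maintainer's advice and the last question together: when the memberships handed to save_user are empty because the group search ran in the user's own bind context, re-query with ldap_manager.get_user_groups(dn=...), which uses LDAP_BIND_USER_DN, and map the returned group entries onto application roles through an allow-list. The service-account DN, GROUP_ROLE_MAP, the LDAP_BIND_PASSWORD environment variable and the stand-in return value of save_user are assumptions; the Flask wiring under the main guard needs a reachable directory and is not exercised offline.

```python
import os
from typing import Any, Dict, Iterable, List

# Allow-list of directory groups that grant an application role (assumed names).
GROUP_ROLE_MAP = {"owncloud": "files", "admins": "admin"}

def group_cn(group: Dict[str, Any]) -> str:
    """cn of a group entry as returned by get_user_groups(): ldap3 may hand it
    back as a str or a list; fall back to the first RDN of the entry's dn."""
    cn = group.get("cn")
    if isinstance(cn, (list, tuple)):
        cn = cn[0] if cn else None
    if not cn:
        attr, _, cn = group["dn"].split(",", 1)[0].partition("=")
        if attr.strip().lower() != "cn":
            raise ValueError(f"group entry without cn: {group['dn']}")
    return str(cn).strip()

def roles_for(groups: Iterable[Dict[str, Any]]) -> List[str]:
    """Map group entries to roles; groups outside the allow-list grant nothing."""
    names = {group_cn(g) for g in groups}
    return sorted(GROUP_ROLE_MAP[n] for n in names if n in GROUP_ROLE_MAP)

def resolve_memberships(manager, dn: str, memberships) -> List[Dict[str, Any]]:
    """`memberships` is what save_user received: groups searched while bound as
    the user, so [] when that user may not read ou=Groups. Fall back to
    get_user_groups(dn=...), which binds as LDAP_BIND_USER_DN instead."""
    if memberships:
        return list(memberships)
    return list(manager.get_user_groups(dn=dn) or [])

if __name__ == "__main__":  # Flask wiring; needs a reachable directory
    from flask import Flask
    from flask_ldap3_login import LDAP3LoginManager
    app = Flask(__name__)
    app.config.update(
        LDAP_HOST="ldaps://localhost", LDAP_BASE_DN="dc=br",
        LDAP_USER_DN="ou=People,dc=vfd,dc=com",
        LDAP_GROUP_DN="ou=Groups,dc=vfd,dc=com",
        LDAP_GROUP_OBJECT_FILTER="(objectClass=groupOfUniqueNames)",
        LDAP_GROUP_MEMBERS_ATTR="uniqueMember",
        # read-only service account (assumed DN); its secret comes from the environment
        LDAP_BIND_USER_DN="cn=groupreader,dc=br",
        LDAP_BIND_USER_PASSWORD=os.environ["LDAP_BIND_PASSWORD"],
    )
    ldap_manager = LDAP3LoginManager(app)

    @ldap_manager.save_user
    def save_user(dn, username, data, memberships=None):
        roles = roles_for(resolve_memberships(ldap_manager, dn, memberships))
        return {"dn": dn, "username": username, "roles": roles}  # return your Flask-Login user object here
```

The service account only needs read access on ou=Groups, so the users themselves can stay unable to enumerate group membership.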