

fix: allow the specification of any combination of groups in LDAP gro…
…up security configuration

Previous behavior required the specification of all three group security groups before the
"Save Settings" button would be enabled.

This adds a check into users.py which checks that the group is set before searching and
removes the javascript preventing the specification of any combination of groups.

Tested:
- Tested all combinations on AD after MR 1238
- Tested all combinations on OpenLDAP
- Tested enabling the Group Security with no groups set which correctly prevents login

Resolves PowerDNS-Admin#1462
nkukard committed Mar 18, 2023
1 parent c24b4b0 commit 138532f
Showing 2 changed files with 8 additions and 23 deletions.
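--- a/powerdnsadmin/models/user.py
+++ b/powerdnsadmin/models/user.py
@@ -255,33 +255,24 @@ def is_validate(self, method, src_ip='', trust_user=False):
 if LDAP_TYPE == 'ldap':
 groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP)
 current_app.logger.debug('Ldap groupSearchFilter {0}'.format(groupSearchFilter))
-if (self.ldap_search(groupSearchFilter,
-LDAP_ADMIN_GROUP)):
+if (LDAP_ADMIN_GROUP and self.ldap_search(groupSearchFilter, LDAP_ADMIN_GROUP)):
 role_name = 'Administrator'
 current_app.logger.info(
 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'
-.format(self.username,
-LDAP_ADMIN_GROUP))
-elif (self.ldap_search(groupSearchFilter,
-LDAP_OPERATOR_GROUP)):
+.format(self.username, LDAP_ADMIN_GROUP))
+elif (LDAP_OPERATOR_GROUP and self.ldap_search(groupSearchFilter, LDAP_OPERATOR_GROUP)):
 role_name = 'Operator'
 current_app.logger.info(
 'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'
-.format(self.username,
-LDAP_OPERATOR_GROUP))
-elif (self.ldap_search(groupSearchFilter,
-LDAP_USER_GROUP)):
+.format(self.username, LDAP_OPERATOR_GROUP))
+elif (LDAP_USER_GROUP and self.ldap_search(groupSearchFilter, LDAP_USER_GROUP)):
 current_app.logger.info(
 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'
-.format(self.username,
-LDAP_USER_GROUP))
+.format(self.username, LDAP_USER_GROUP))
 else:
 current_app.logger.error(
-'User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin'
-.format(self.username,
-LDAP_ADMIN_GROUP,
-LDAP_OPERATOR_GROUP,
-LDAP_USER_GROUP))
+'User {0} is not part of any security groups that allow access to PowerDNS-Admin'
+.format(self.username))
 return False
 elif LDAP_TYPE == 'ad':
 ldap_group_security_roles = OrderedDict(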
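Review bot: The new error log in the `else` branch drops the group DNs that the old message included, so a denied login no longer records which groups were actually checked; keeping the configured ones in the line preserves that audit trail, e.g. `'User {0} is not part of the configured security groups ({1}) that allow access to PowerDNS-Admin'.format(self.username, ', '.join(g for g in (LDAP_ADMIN_GROUP, LDAP_OPERATOR_GROUP, LDAP_USER_GROUP) if g))`. With the new `GROUP and self.ldap_search(...)` guards the same branch is also reached when all three groups are empty, which is a configuration error rather than a user-authorization failure, so a distinct message (or a warning at the top of the `ldap` branch when none is configured) would make that easier to triage from the logs. The guards test plain truthiness, so a group value consisting only of whitespace would still be passed to `ldap_search`; stripping the values where the settings are read would avoid that, if the loader does not already. The `groupSearchFilter` line is unchanged by this commit, but it is not visible here whether `ldap_username` is filter-escaped (e.g. `ldap.filter.escape_filter_chars`) before it is interpolated — worth confirming upstream. `is_validate` begins before this hunk and continues past the `elif LDAP_TYPE == 'ad':` line.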
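--- a/powerdnsadmin/templates/admin_setting_authentication.html
+++ b/powerdnsadmin/templates/admin_setting_authentication.html
@@ -1772,12 +1772,6 @@ <h3 class="card-title">Settings Help</h3>
 $('#ldap_filter_username').prop('required', true);
 $('#ldap_filter_groupname').prop('required', true);
 
-if ($('#ldap_sg_on').is(":checked")) {
-$('#ldap_admin_group').prop('required', true);
-$('#ldap_operator_group').prop('required', true);
-$('#ldap_user_group').prop('required', true);
-}
-
 if ($('#autoprovisioning_on').is(":checked")) {
 $('#autoprovisioning_attribute').prop('required', true);
 $('#urn_value').prop('required', true);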
