LDAP_FOLLOW_REFERRALS (#7384)

haiwen · Jan 19, 2025 · 0076228 · 0076228
1 parent 4d8601a
commit 0076228
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 15 deletions.
diff --git a/seahub/api2/endpoints/admin/users.py b/seahub/api2/endpoints/admin/users.py
@@ -73,7 +73,8 @@
     MULTI_LDAP_1_ADMIN_PASSWORD, MULTI_LDAP_1_LOGIN_ATTR, \
     MULTI_LDAP_1_PROVIDER, MULTI_LDAP_1_FILTER, \
     MULTI_LDAP_1_ENABLE_SASL, MULTI_LDAP_1_SASL_MECHANISM, MULTI_LDAP_1_USER_OBJECT_CLASS, \
-    MULTI_LDAP_1_PROVIDER, MULTI_LDAP_1_FILTER, MULTI_LDAP_1_ENABLE_SASL, MULTI_LDAP_1_SASL_MECHANISM
+    MULTI_LDAP_1_PROVIDER, MULTI_LDAP_1_FILTER, MULTI_LDAP_1_ENABLE_SASL, MULTI_LDAP_1_SASL_MECHANISM, \
+    LDAP_FOLLOW_REFERRALS, MULTI_LDAP_1_FOLLOW_REFERRALS
 
 logger = logging.getLogger(__name__)
 json_content_type = 'application/json; charset=utf-8'
@@ -111,11 +112,11 @@ def get_user_objs_from_ccnet(email_list):
     return user_objs, None
 
 
-def ldap_bind(server_url, dn, authc_id, password, enable_sasl, sasl_mechanism):
+def ldap_bind(server_url, dn, authc_id, password, enable_sasl, sasl_mechanism, follow_referrals):
     bind_conn = ldap.initialize(server_url)
 
     try:
-        bind_conn.set_option(ldap.OPT_REFERRALS, 0)
+        bind_conn.set_option(ldap.OPT_REFERRALS, 1 if follow_referrals else 0)
     except Exception as e:
         raise Exception('Failed to set referrals option: %s' % e)
 
@@ -139,9 +140,9 @@ def ldap_bind(server_url, dn, authc_id, password, enable_sasl, sasl_mechanism):
 
 
 def get_ldap_users(server_url, admin_dn, admin_password, enable_sasl, sasl_mechanism, base_dn,
-                   login_attr, serch_filter, object_class):
+                   login_attr, serch_filter, object_class, follow_referrals):
     try:
-        admin_bind = ldap_bind(server_url, admin_dn, admin_dn, admin_password, enable_sasl, sasl_mechanism)
+        admin_bind = ldap_bind(server_url, admin_dn, admin_dn, admin_password, enable_sasl, sasl_mechanism, follow_referrals)
     except Exception as e:
         raise Exception(e)
 
@@ -940,7 +941,7 @@ def get(self, request):
         try:
             ldap_users = get_ldap_users(LDAP_SERVER_URL, LDAP_ADMIN_DN, LDAP_ADMIN_PASSWORD,
                                         ENABLE_SASL, SASL_MECHANISM, LDAP_BASE_DN, LDAP_LOGIN_ATTR,
-                                        LDAP_FILTER, LDAP_USER_OBJECT_CLASS)
+                                        LDAP_FILTER, LDAP_USER_OBJECT_CLASS, LDAP_FOLLOW_REFERRALS)
         except Exception as e:
             logger.error(e)
             error_msg = 'Internal Server Error'
@@ -953,7 +954,7 @@ def get(self, request):
                                                   MULTI_LDAP_1_ADMIN_PASSWORD, MULTI_LDAP_1_ENABLE_SASL,
                                                   MULTI_LDAP_1_SASL_MECHANISM, MULTI_LDAP_1_BASE_DN,
                                                   MULTI_LDAP_1_LOGIN_ATTR, MULTI_LDAP_1_FILTER,
-                                                  MULTI_LDAP_1_USER_OBJECT_CLASS)
+                                                  MULTI_LDAP_1_USER_OBJECT_CLASS, MULTI_LDAP_1_FOLLOW_REFERRALS)
             except Exception as e:
                 logger.error(e)
                 error_msg = 'Internal Server Error'

diff --git a/seahub/base/accounts.py b/seahub/base/accounts.py
@@ -54,7 +54,8 @@
     MULTI_LDAP_1_ADMIN_PASSWORD, MULTI_LDAP_1_LOGIN_ATTR, \
     MULTI_LDAP_1_PROVIDER, MULTI_LDAP_1_FILTER, MULTI_LDAP_1_CONTACT_EMAIL_ATTR, \
     MULTI_LDAP_1_USER_ROLE_ATTR, MULTI_LDAP_1_ENABLE_SASL, MULTI_LDAP_1_SASL_MECHANISM, \
-    MULTI_LDAP_1_SASL_AUTHC_ID_ATTR, LDAP_UPDATE_USER_WHEN_LOGIN
+    MULTI_LDAP_1_SASL_AUTHC_ID_ATTR, LDAP_UPDATE_USER_WHEN_LOGIN, \
+    LDAP_FOLLOW_REFERRALS, MULTI_LDAP_1_FOLLOW_REFERRALS
 
 logger = logging.getLogger(__name__)
 
@@ -884,11 +885,11 @@ def get_user(self, username):
             user = None
         return user
 
-    def ldap_bind(self, server_url, dn, authc_id, password, enable_sasl, sasl_mechanism):
+    def ldap_bind(self, server_url, dn, authc_id, password, enable_sasl, sasl_mechanism, follow_referrals):
         bind_conn = ldap.initialize(server_url)
 
         try:
-            bind_conn.set_option(ldap.OPT_REFERRALS, 0)
+            bind_conn.set_option(ldap.OPT_REFERRALS, 1 if follow_referrals else 0)
         except Exception as e:
             raise Exception('Failed to set referrals option: %s' % e)
 
@@ -912,9 +913,9 @@ def ldap_bind(self, server_url, dn, authc_id, password, enable_sasl, sasl_mechan
 
     def search_user(self, server_url, admin_dn, admin_password, enable_sasl, sasl_mechanism,
                     sasl_authc_id_attr, base_dn, login_attr_conf, login_attr, password, serch_filter,
-                    contact_email_attr, role_attr):
+                    contact_email_attr, role_attr, follow_referrals):
         try:
-            admin_bind = self.ldap_bind(server_url, admin_dn, admin_dn, admin_password, enable_sasl, sasl_mechanism)
+            admin_bind = self.ldap_bind(server_url, admin_dn, admin_dn, admin_password, enable_sasl, sasl_mechanism, follow_referrals)
         except Exception as e:
             raise Exception(e)
 
@@ -949,7 +950,7 @@ def search_user(self, server_url, admin_dn, admin_password, enable_sasl, sasl_me
             raise Exception('parse ldap result failed: %s' % e)
 
         try:
-            user_bind = self.ldap_bind(server_url, dn, authc_id, password, enable_sasl, sasl_mechanism)
+            user_bind = self.ldap_bind(server_url, dn, authc_id, password, enable_sasl, sasl_mechanism, follow_referrals)
         except Exception as e:
             raise Exception(e)
 
@@ -971,7 +972,7 @@ def authenticate(self, ldap_user=None, password=None):
             nickname, contact_email, user_role = self.search_user(
                 LDAP_SERVER_URL, LDAP_ADMIN_DN, LDAP_ADMIN_PASSWORD, ENABLE_SASL, SASL_MECHANISM,
                 SASL_AUTHC_ID_ATTR, LDAP_BASE_DN, LDAP_LOGIN_ATTR, login_attr, password, LDAP_FILTER,
-                LDAP_CONTACT_EMAIL_ATTR, LDAP_USER_ROLE_ATTR)
+                LDAP_CONTACT_EMAIL_ATTR, LDAP_USER_ROLE_ATTR, LDAP_FOLLOW_REFERRALS)
             ldap_provider = LDAP_PROVIDER
         except Exception as e:
             if ENABLE_MULTI_LDAP:
@@ -986,7 +987,7 @@ def authenticate(self, ldap_user=None, password=None):
                         MULTI_LDAP_1_SERVER_URL, MULTI_LDAP_1_ADMIN_DN, MULTI_LDAP_1_ADMIN_PASSWORD,
                         MULTI_LDAP_1_ENABLE_SASL, MULTI_LDAP_1_SASL_MECHANISM, MULTI_LDAP_1_SASL_AUTHC_ID_ATTR,
                         MULTI_LDAP_1_BASE_DN, MULTI_LDAP_1_LOGIN_ATTR, login_attr, password, MULTI_LDAP_1_FILTER,
-                        MULTI_LDAP_1_CONTACT_EMAIL_ATTR, MULTI_LDAP_1_USER_ROLE_ATTR)
+                        MULTI_LDAP_1_CONTACT_EMAIL_ATTR, MULTI_LDAP_1_USER_ROLE_ATTR, MULTI_LDAP_1_FOLLOW_REFERRALS)
                     ldap_provider = MULTI_LDAP_1_PROVIDER
                 except Exception as e:
                     logger.error(e)

diff --git a/seahub/utils/ldap.py b/seahub/utils/ldap.py
@@ -14,6 +14,7 @@
 
 LDAP_PROVIDER = getattr(settings, 'LDAP_PROVIDER', 'ldap')
 LDAP_USER_OBJECT_CLASS = getattr(settings, 'LDAP_USER_OBJECT_CLASS', 'person')
+LDAP_FOLLOW_REFERRALS = getattr(settings, 'LDAP_FOLLOW_REFERRALS', True)
 
 # multi ldap
 ENABLE_MULTI_LDAP = getattr(settings, 'ENABLE_MULTI_LDAP', False)
@@ -28,6 +29,7 @@
 MULTI_LDAP_1_FILTER = getattr(settings, 'MULTI_LDAP_1_FILTER', '')
 MULTI_LDAP_1_ENABLE_SASL = getattr(settings, 'MULTI_LDAP_1_ENABLE_SASL', False)
 MULTI_LDAP_1_SASL_MECHANISM = getattr(settings, 'MULTI_LDAP_1_SASL_MECHANISM', '')
+MULTI_LDAP_1_FOLLOW_REFERRALS = getattr(settings, 'MULTI_LDAP_1_FOLLOW_REFERRALS', True)
 
 MULTI_LDAP_1_CONTACT_EMAIL_ATTR = getattr(settings, 'MULTI_LDAP_1_CONTACT_EMAIL_ATTR', '')
 MULTI_LDAP_1_USER_ROLE_ATTR = getattr(settings, 'MULTI_LDAP_1_USER_ROLE_ATTR', '')