Merge pull request #1405 from garberg/ldap_ro_and_cli_pwd_quote

Fix to LDAP RO group validation and CLI credentials quoting
SpriteLink · Nov 4, 2024 · 145fcf4 · 145fcf4
2 parents 64cde37 + 18d3ccd
commit 145fcf4
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/nipap-cli/nipap_cli/nipap_cli.py b/nipap-cli/nipap_cli/nipap_cli.py
@@ -87,8 +87,8 @@ def setup_connection():
         con_params['password'] = getpass.getpass()
 
     # Quote username & password
-    con_params['username'] = quote(con_params['username'])
-    con_params['password'] = quote(con_params['password'])
+    con_params['username'] = quote(con_params['username'], safe="")
+    con_params['password'] = quote(con_params['password'], safe="")
 
     # build XML-RPC URI
     pynipap.xmlrpc_uri = "%(protocol)s://%(username)s:%(password)s@%(hostname)s:%(port)s" % con_params

diff --git a/nipap/nipap/authlib.py b/nipap/nipap/authlib.py
@@ -553,6 +553,8 @@ def authenticate(self):
                 ['cn', 'memberOf'],
             )
 
+            self._logger.debug("User %s is member of groups: %s", self.username, res[0][1].get('memberOf', []))
+
             # Data received from LDAP is bytes, make sure to decode/encode
             # accordingly before using it
             if res[0][1]['cn'][0] is not None:
@@ -569,7 +571,7 @@ def authenticate(self):
                     # if ro_group is configured, and the user is a member of
                     # neither the ro_group nor the rw_group, fail authentication.
                     if self._ldap_ro_group:
-                        if self._ldap_ro_group not in res[0][1].get('memberOf', []):
+                        if self._ldap_ro_group.encode('utf-8') not in res[0][1].get('memberOf', []):
                             self._authenticated = False
                             return self._authenticated
                     else: