auth: Fix LDAP RO group handling

Make sure the LDAP RO group name is encoded before validating whether the user is member of it or not.
SpriteLink · Nov 4, 2024 · 18d3ccd · 18d3ccd
1 parent ce08819
commit 18d3ccd
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/nipap/nipap/authlib.py b/nipap/nipap/authlib.py
@@ -553,6 +553,8 @@ def authenticate(self):
                 ['cn', 'memberOf'],
             )
 
+            self._logger.debug("User %s is member of groups: %s", self.username, res[0][1].get('memberOf', []))
+
             # Data received from LDAP is bytes, make sure to decode/encode
             # accordingly before using it
             if res[0][1]['cn'][0] is not None:
@@ -569,7 +571,7 @@ def authenticate(self):
                     # if ro_group is configured, and the user is a member of
                     # neither the ro_group nor the rw_group, fail authentication.
                     if self._ldap_ro_group:
-                        if self._ldap_ro_group not in res[0][1].get('memberOf', []):
+                        if self._ldap_ro_group.encode('utf-8') not in res[0][1].get('memberOf', []):
                             self._authenticated = False
                             return self._authenticated
                     else: