Fix for groups in LDAP auth
|Reported by:||makub||Owned by:|
The implementation of handling LDAP groups in Indico 0.98.1 is broken.
There were two plain bugs in the user.py and Core.js.pack files.
The MaKaC/user.py file had a missing import for the ldapFindGroupMemberUids function.
The Core.js.pack file had a hardcoded list of local and CERNGroup only, which caused admin pages working with LDAP groups to hang indefinitely.
Another problem most probably comes from the fact that there are two common ways to implement group membership in LDAP, the Active Directory way and the OpenLDAP/SLAPD way. The difference is that in Active Directory users have a multivalued attribute memberof with a list of groups, while in OpenLDAP/SLAPD groups have a multivalued attribute member with a list of users.
I have changed the MaKaC/common/Configuration.py file to add a new setting groupStyle which has one of two values: SLAPD or ActiveDirectory. The membershipQuery setting was removed because it is no longer necessary; the query depends on the groupStyle setting.
I have changed the MaKaC/authentication/LDAPAuthentication.py file to have alternative implementations for group membership queries for ActiveDirectory and SLAPD, and also refactored the handling of personal information a bit so that it can be more easily customised.
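The two membership styles described in the ticket, as an added example that is not part of the ticket or of Indico's code: it builds the base-scope query each groupStyle implies, escapes DNs for filter use (RFC 4515), and shows that the wrong style silently reports no membership. The function names and the sample directories are hypothetical and constructed for illustration.

```python
# Added illustration; function names are hypothetical, not Indico's API.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_membership_query(group_style, user_dn, group_dn):
    """Return (search_base, search_filter, attribute) for a base-scope
    search that matches only when user_dn belongs to group_dn."""
    if group_style == "ActiveDirectory":
        # The user entry lists its groups in the memberOf attribute.
        return user_dn, "(memberOf=%s)" % escape_filter_value(group_dn), "memberof"
    if group_style == "SLAPD":
        # The group entry lists its users in the member attribute.
        return group_dn, "(member=%s)" % escape_filter_value(user_dn), "member"
    raise ValueError("groupStyle must be SLAPD or ActiveDirectory, got %r" % group_style)


def is_member(directory, group_style, user_dn, group_dn):
    """Evaluate the query against an in-memory directory {dn: {attr: [values]}}."""
    base, _filter, attr = build_membership_query(group_style, user_dn, group_dn)
    wanted = group_dn if group_style == "ActiveDirectory" else user_dn
    # LDAP attribute names are case-insensitive; DNs are compared loosely here.
    entry = {k.lower(): v for k, v in directory.get(base, {}).items()}
    return wanted.lower() in (v.lower() for v in entry.get(attr, []))


# Constructed sample directories, one per style.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
STAFF = "cn=staff,ou=groups,dc=example,dc=org"
SLAPD_DIR = {STAFF: {"member": [ALICE]}, ALICE: {"uid": ["alice"]}}

AD_ALICE = "CN=Alice,CN=Users,DC=example,DC=org"
AD_STAFF = "CN=Staff,CN=Users,DC=example,DC=org"
AD_DIR = {AD_ALICE: {"memberOf": [AD_STAFF]}, AD_STAFF: {"cn": ["Staff"]}}

if __name__ == "__main__":
    for style in ("SLAPD", "ActiveDirectory"):
        print(style, build_membership_query(style, ALICE, STAFF))
        print("  SLAPD directory:", is_member(SLAPD_DIR, style, ALICE, STAFF))
        print("  AD directory:   ", is_member(AD_DIR, style, AD_ALICE, AD_STAFF))
```

A groupStyle that does not match the server fails closed: every user appears to belong to no group, so group-based access rules stop matching rather than over-granting.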
Change History (10)
comment:1 Changed 18 months ago by jbenito
- Milestone changed from v0.98.2 to v0.99.0
- Priority changed from normal to critical
- Status changed from new to awaiting_merge
comment:5 Changed 16 months ago by arescope
- Resolution set to duplicate
- Status changed from new to closed