feat: add "ignore referrals" config option
Weekly release 2024-01-22
alycejenni authored Jan 22, 2024
2 parents 4805200 + e726b11 commit ff64ed0
Showing 3 changed files with 7 additions and 1 deletion.
2 changes: 1 addition & 1 deletion README.md
@@ -106,7 +106,7 @@ These are the options that can be specified in your .ini config file.
| `ckanext.ldap.debug_level` | [python-ldap debug level](https://www.python-ldap.org/en/python-ldap-3.0.0b1/reference/ldap.html?highlight=debug_level#ldap.OPT_DEBUG_LEVEL). **Security warning**: it is strongly recommended to keep this parameter set to 0 (zero) on production systems, otherwise [plaintext passwords will be logged by `python-ldap`](https://github.com/python-ldap/python-ldap/issues/384) | 0-9 | 0 |
| `ckanext.ldap.trace_level` | [python-ldap trace level](https://www.python-ldap.org/en/python-ldap-3.0.0b1/reference/ldap.html?highlight=trace_level#ldap.initialize). **Security warning**: it is strongly recommended to keep this parameter set to 0 (zero) on production systems, otherwise [plaintext passwords will be logged by `python-ldap`](https://github.com/python-ldap/python-ldap/issues/384) | 0-9 | 0 |
| `ckanext.ldap.allow_password_reset` | If true, allows LDAP users to reset their passwords, if false, disallows this functionality. Note that if this is true, the password that is reset is the CKAN user password, not the LDAP one. If set to false, the request to reset will be denied only if the user is an LDAP user, if not they will be allowed to reset regardless of the value of this option. | True/False | true |

| `ckanext.ldap.ignore_referrals` | If true, The plugin will ignore referral query results sent by the LDAP server. This might be necessary if your base_dn is at the domain level, but the LDAP server searches in multiple paths for the user, resulting in queries containing more than one result. | True/False | false |
<!--configuration-end-->

# Usage
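Review bot: the new `ckanext.ldap.ignore_referrals` row has a capitalisation slip ("If true, The plugin") and names `base_dn` without the `ckanext.ldap.` prefix and backticks the other rows use; suggest "If true, the plugin will ignore referral results sent by the LDAP server. This may be necessary if your `ckanext.ldap.base_dn` is at the domain level ...". It would also help to state what the option does, since the search.py change does two things: it disables referral chasing on the connection (`OPT_REFERRALS` set to 0) and it drops result entries whose DN is `None` before the non-unique handling in `ldap_search`. An operator who hits the "more than one result" failure needs to know it is the referral entries, not duplicate user records, that trigger it, and that turning this on changes which servers the client library may contact during a search.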
5 changes: 5 additions & 0 deletions ckanext/ldap/lib/search.py
@@ -25,6 +25,9 @@ def find_ldap_user(login):
cnx = ldap.initialize(toolkit.config['ckanext.ldap.uri'], bytes_mode=False,
trace_level=toolkit.config['ckanext.ldap.trace_level'])
cnx.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
if toolkit.config['ckanext.ldap.ignore_referrals']:
cnx.set_option(ldap.OPT_REFERRALS, 0)

if toolkit.config.get('ckanext.ldap.auth.dn'):
try:
if toolkit.config['ckanext.ldap.auth.method'] == 'SIMPLE':
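Review bot: `cnx.set_option(ldap.OPT_REFERRALS, 0)` is only applied when the flag is true, so in the false case the behaviour silently depends on the client library's default rather than on anything in this module; setting it explicitly in both cases, e.g. `cnx.set_option(ldap.OPT_REFERRALS, 0 if toolkit.config['ckanext.ldap.ignore_referrals'] else 1)`, makes the intent visible. The line also deserves a short comment saying why it exists (the README row describes the symptom: a domain-level base DN with a server that hands back referrals), and that referral entries otherwise surface in the `search_s` result with a `None` DN, which is what the filter added further down in `ldap_search` relies on.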
@@ -92,6 +95,8 @@ def ldap_search(cnx, filter_str, attributes, non_unique='raise'):
try:
res = cnx.search_s(toolkit.config['ckanext.ldap.base_dn'], ldap.SCOPE_SUBTREE,
filterstr=filter_str, attrlist=attributes)
if toolkit.config['ckanext.ldap.ignore_referrals']:
res = [ x for x in res if x[0] is not None ]
except ldap.SERVER_DOWN:
log.error('LDAP server is not reachable')
return None
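Review bot: the filter `res = [ x for x in res if x[0] is not None ]` is gated on the config flag, but an entry with a `None` DN is never a user record (python-ldap uses that shape for a referral, with the referral URLs in the second element), so with the flag off those tuples still reach the `non_unique` handling and can produce the same spurious "more than one result" outcome this commit is fixing; consider dropping them unconditionally and leaving only the `OPT_REFERRALS` setting behind the flag. Either way, add a comment saying what a `None` DN means so the drop is not mistaken for a bug, log at debug level how many entries were discarded (e.g. `log.debug('dropped %d referral entries', len(res) - len(kept))`) so a search that returns only referrals is diagnosable rather than looking like a plain miss, and fix the PEP 8 spacing inside the brackets.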
1 change: 1 addition & 0 deletions ckanext/ldap/plugin.py
@@ -104,6 +104,7 @@ def configure(self, config):
'ckanext.ldap.migrate': {'default': False, 'parse': toolkit.asbool},
'ckanext.ldap.debug_level': {'default': 0, 'parse': toolkit.asint},
'ckanext.ldap.trace_level': {'default': 0, 'parse': toolkit.asint},
'ckanext.ldap.ignore_referrals': {'default': False, 'parse': toolkit.asbool},
}
errors = []
for key, options in schema.items():