I used the GitHub search to find a similar issue and didn't find it.
I searched the Mealie documentation, with the integrated search.
I already read the docs and didn't find an answer.
What is the issue you are experiencing?
When using LDAP, it is not possible to log in or create a user due to an incorrect if statement.
In the security.py code, on line 83, a search for the user DN and attributes is done within LDAP, which returns an array with the matches. Afterward, an if statement checks the result of the search query. However, this if statement has an incorrect negation in it.
The current logic checks if a result is found; if that is the case, false will be returned, which equals an incorrect login. The `not` should be removed from this if statement.
Current code:
```python
# Search "username" against "cn" attribute for Linux, "sAMAccountName" attribute
# for Windows and "mail" attribute for email addresses. The "mail" attribute is
# required to obtain the user's DN for the LDAP_ADMIN_FILTER.
user_entry = conn.search_s(
    settings.LDAP_BASE_DN,
    ldap.SCOPE_SUBTREE,
    f"(&(objectClass=user)(|(cn={username})(sAMAccountName={username})(mail={username})))",
    ["name", "mail"],
)
if not user_entry:
    user_dn, user_attr = user_entry[0]
else:
    return False
```
The code should look like this:
```python
# Search "username" against "cn" attribute for Linux, "sAMAccountName" attribute
# for Windows and "mail" attribute for email addresses. The "mail" attribute is
# required to obtain the user's DN for the LDAP_ADMIN_FILTER.
user_entry = conn.search_s(
    settings.LDAP_BASE_DN,
    ldap.SCOPE_SUBTREE,
    f"(&(objectClass=user)(|(cn={username})(sAMAccountName={username})(mail={username})))",
    ["name", "mail"],
)
if user_entry:
    user_dn, user_attr = user_entry[0]
else:
    return False
```
After the above fix, login is possible.
However, if a user is created, the user has the binary values within the name and email fields, instead of the string values.
The problem is the user_attr values are binary instead of strings. When looking at the python-ldap documentation, this is to be expected. In the documentation it states the following:

> Attribute values, on the other hand, MAY contain any type of data, including text. To know what type of data is represented, python-ldap would need access to the schema, which is not always available (nor always correct). Thus, attribute values are always treated as bytes. Encoding/decoding to other formats – text, images, etc. – is left to the caller.

This means the user attributes (name and mail) need to be decoded to string.
Deployment
Docker (Linux)
Deployment Details
Docker install using a portainer stack on an unraid system.
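
Added example (not Mealie's code and not part of the original issue): one way to handle a `search_s` result of the shape described above, rejecting an empty result and decoding the bytes values of `name` and `mail` before they reach the user record. The helper names, the sample entries and the UTF-8 encoding are assumptions made for illustration.

```python
# Constructed samples in the shape python-ldap's search_s() returns:
# a list of (dn, attrs) tuples, where attrs maps name -> list of bytes.
SAMPLE_HIT = [
    ("CN=Jane Doe,OU=Users,DC=example,DC=org",
     {"name": [b"Jane Doe"], "mail": [b"jane@example.org"]}),
]
# Some directories (for example Active Directory with referrals) add rows
# whose DN is None; such a list is truthy but contains no user.
SAMPLE_REFERRAL_ONLY = [(None, ["ldap://example.org/DC=example,DC=org"])]
SAMPLE_BAD_BYTES = [
    ("CN=x,DC=example,DC=org",
     {"name": [b"\xff\xfe"], "mail": [b"x@example.org"]}),
]


def first_text(attrs, key, encoding="utf-8"):
    """Return the first value of `key` as str, or None if absent or undecodable."""
    values = attrs.get(key) or []
    if not values:
        return None
    try:
        return values[0].decode(encoding)
    except UnicodeDecodeError:
        return None


def extract_user(search_result):
    """Hypothetical helper: return (dn, name, mail) as str, or None.

    None means "treat as a failed login": no entry matched, or the entry
    lacks a usable name/mail value.
    """
    entries = [(dn, attrs) for dn, attrs in search_result if dn is not None]
    if not entries:
        return None
    dn, attrs = entries[0]
    name = first_text(attrs, "name")
    mail = first_text(attrs, "mail")
    if name is None or mail is None:
        return None
    return dn, name, mail


if __name__ == "__main__":
    print(extract_user(SAMPLE_HIT))
    # Without decoding, str() of the raw value yields the "binary" form:
    print(str(SAMPLE_HIT[0][1]["name"][0]))
```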
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.