
LDAP auth: require exactly one result when searching for the LDAP user DN

This makes sure to fail securely when the query returns multiple entries

- correct grammar in some cases
- we're doing _authentication here, not authorization
- uppercase LDAP in messages & comments
- rename variable _ldap_version to _ldap_module_version
  to avoid misunderstanding it as LDAP's protocol version
- align formatting & messages better between _login2() and _login3()
Peter Marschall 1 year ago
parent
commit
c243ae4ebf
1 changed files with 6 additions and 5 deletions
  1. 6 5
      radicale/auth/ldap.py

+ 6 - 5
radicale/auth/ldap.py

@@ -118,8 +118,9 @@ class Auth(auth.BaseAuth):
                 filterstr=self._ldap_filter.format(login),
                 attrlist=['memberOf']
             )
-            if len(res) == 0:
-                """User could not be found"""
+            if len(res) != 1:
+                """User could not be found unambiguously"""
+                logger.debug(f"_login2 no unique DN found for '{login}'")
                 return ""
             user_entry = res[0]
             user_dn = user_entry[0]
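Review bot: The new `!= 1` branch logs the same message for zero matches and for several, so an operator reading the log cannot tell a missing account from an ambiguous filter, which is exactly the case this commit is about; logging the count, `logger.debug(f"_login2 {len(res)} entries found for '{login}', expected exactly one")`, keeps the two apart, and the same applies to the `_login3` hunk. The triple-quoted string under the `if` is a bare expression statement rather than a comment in both hunks; a `# User could not be found unambiguously` comment says the same without creating a no-op statement. `login` is also interpolated into the filter with `self._ldap_filter.format(login)` in the context line above with no escaping visible here; passing it through `ldap.filter.escape_filter_chars` first would keep a login containing filter metacharacters from matching more entries than intended, which is one way to end up in the branch this commit adds. `_login2` begins before this hunk.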
@@ -181,9 +182,9 @@ class Auth(auth.BaseAuth):
             search_scope=self.ldap3.SUBTREE,
             attributes=['memberOf']
         )
-        if len(conn.entries) == 0:
-            """User could not be found"""
-            logger.debug(f"_login3 user '{login}' cannot be found")
+        if len(conn.entries) != 1:
+            """User could not be found unambiguously"""
+            logger.debug(f"_login3 no unique DN found for '{login}'")
             return ""
 
         user_entry = conn.response[0]
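Review bot: The added check counts `conn.entries`, but the line after it still reads `conn.response[0]`; in ldap3 `response` can also carry searchResRef (referral) items that `entries` excludes, so one entry plus a referral passes the check while `response[0]` may not be the user's entry. Indexing the collection that was counted, `user_entry = conn.entries[0]`, with the DN taken from `user_entry.entry_dn`, keeps check and use consistent, assuming the lines after the hunk only need the DN and `memberOf` from it. `_login3` continues outside the hunk.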