From 2c297c7606802c333ec60f2f8f98607525735b4b Mon Sep 17 00:00:00 2001
From: Peter Marschall
Date: Thu, 2 Jan 2025 14:23:15 +0100
Subject: [PATCH] LDAP auth: flexibilize parsing of 'ldap_groups_attribute' Use helper methods from the LDAP modules to get individual elements (like in our case the RDN value) out of attributes with DN syntax in a standard compliant way instead fiddling around ourselves. If these methods fail, fall back to using the whole attribute value, which allows us to also use attributes with non-DN syntax for groups and permissions.
---
 radicale/auth/ldap.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py
index cdba9f12..a4c73808 100644
--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@@ -160,8 +160,11 @@ def _login2(self, login: str, password: str) -> str:
 tmp = []
 for g in user_entry[1][self._ldap_groups_attr]:
 """Get group g's RDN's attribute value"""
- g = g.decode('utf-8').split(',')[0]
- tmp.append(g.partition('=')[2])
+ try:
+ rdns = self.ldap.dn.explode_dn(g, notypes=True)
+ tmp.append(rdns[0])
+ except Exception:
+ tmp.append(g.decode('utf8'))
 self._ldap_groups = set(tmp)
 logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups))
 if self._ldap_user_attr:
@@ -230,8 +233,11 @@ def _login3(self, login: str, password: str) -> str:
 tmp = []
 for g in user_entry['attributes'][self._ldap_groups_attr]:
 """Get group g's RDN's attribute value"""
- g = g.split(',')[0]
- tmp.append(g.partition('=')[2])
+ try:
+ rdns = self.ldap3.utils.dn.parse_dn(g)
+ tmp.append(rdns[0][1])
+ except Exception:
+ tmp.append(g)
 self._ldap_groups = set(tmp)
 logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups))
 if self._ldap_user_attr:
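Review bot: The `except Exception:` fallback in `_login2` (and the identical one in the `_login3` hunk) swallows every failure without a log line, so a value that could not be parsed as a DN ends up in `self._ldap_groups` verbatim with nothing to show why. The commit message says these names are used for groups and permissions, and a verbatim value and an RDN value land in the same set, indistinguishable to whatever matches on them afterwards. I would narrow the handler to the parse error the library raises plus `IndexError`, and log the fallback, e.g. `logger.debug("_login2 LDAP group value %r is not a DN, using it as is", g)`. Note also that `g.decode('utf8')` now runs inside the handler, so a non-UTF-8 value raises from there; whether the caller catches that is outside the hunk, as is the rest of `_login2`.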
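Review bot: `rdns[0][1]` in `_login3` takes only the value of the first attribute/value pair, which for a multi-valued first RDN (`cn=a+uid=b,...`) is not the string the `_login2` path produces: `explode_dn(g, notypes=True)` there, as far as I know, joins all values of the RDN with `+` and re-escapes special characters. The same directory entry can therefore map to different group names depending on which LDAP module is loaded, which matters if these names are matched in rights rules. At minimum I would document the choice next to the call, e.g. `# first AVA of the first RDN only; multi-valued RDNs and escaping differ from the python-ldap path`, and add a test with an escaped comma and a multi-valued RDN for both backends. The body of `_login3` continues outside the hunk.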