Also find groups added through groupOfUniqueNames

when looking up groups assigned to a user
theforeman · Apr 8, 2024 · 88e5ed8 · 88e5ed8
1 parent 77a387a
commit 88e5ed8
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/lib/ldap_fluff/posix_member_service.rb b/lib/ldap_fluff/posix_member_service.rb
@@ -16,9 +16,11 @@ def find_user(uid, base_dn = @base)
   # return an ldap user with groups attached
   # note : this method is not particularly fast for large ldap systems
   def find_user_groups(uid)
+    unique_filter = Net::LDAP::Filter.eq('uniquemember', "uid=#{uid},#{@base}") &
+                    Net::LDAP::Filter.eq('objectClass', 'groupOfUniqueNames')
     groups = []
     @ldap.search(
-      :filter => Net::LDAP::Filter.eq('memberuid', uid),
+      :filter => Net::LDAP::Filter.eq('memberuid', uid) | unique_filter,
       :base => @group_base, :attributes => ["cn"]
     ).each do |entry|
       groups << entry[:cn][0]

diff --git a/test/posix_member_services_test.rb b/test/posix_member_services_test.rb
@@ -19,20 +19,26 @@ def test_find_user
 
   def test_find_user_groups
     user = posix_group_payload
-    @ldap.expect(:search, user, [:filter => @ms.name_filter('john'),
+    username = 'john'
+    filter = Net::LDAP::Filter.eq('uniquemember', "uid=#{username},#{config.base_dn}") &
+             Net::LDAP::Filter.eq('objectclass', 'groupOfUniqueNames')
+    @ldap.expect(:search, user, [:filter => @ms.name_filter(username) | filter,
                                  :base => config.group_base,
                                  :attributes => ["cn"]])
     @ms.ldap = @ldap
-    assert_equal ['broze'], @ms.find_user_groups('john')
+    assert_equal ['broze'], @ms.find_user_groups(username)
     @ldap.verify
   end
 
   def test_find_no_groups
-    @ldap.expect(:search, [], [:filter => @ms.name_filter("john"),
+    username = 'john'
+    filter = Net::LDAP::Filter.eq('uniquemember', "uid=#{username},#{config.base_dn}") &
+             Net::LDAP::Filter.eq('objectclass', 'groupOfUniqueNames')
+    @ldap.expect(:search, [], [:filter => @ms.name_filter(username) | filter,
                                :base => config.group_base,
                                :attributes => ["cn"]])
     @ms.ldap = @ldap
-    assert_equal [], @ms.find_user_groups('john')
+    assert_equal [], @ms.find_user_groups(username)
     @ldap.verify
   end