From 611e1d7824c23e4bf890686357d520010beee1a5 Mon Sep 17 00:00:00 2001
From: Andrew Otto
Date: Wed, 19 Dec 2012 12:37:11 -0500
Subject: [PATCH] Fixing find_user when find_by_dn is True.

Setting distinguishedName= in the search filter is not a valid way of searching by filter for an attribute. distinguishedName is not a valid attibute. Instead, if we know the full dn of the user we are searching for, just set search_dn to that it and don't filter using user_name_attr.
---
 apps/useradmin/src/useradmin/ldap_access.py | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/apps/useradmin/src/useradmin/ldap_access.py b/apps/useradmin/src/useradmin/ldap_access.py
index 5668bc4..5fb2fc1 100644
--- a/apps/useradmin/src/useradmin/ldap_access.py
+++ b/apps/useradmin/src/useradmin/ldap_access.py
@@ -86,7 +86,6 @@ class LdapConnection(object):
     LDAP search helper method finding users. This supports searching for users by distinguished name, or the configured username attribute.
     """
-    base_dn = self._get_root_dn()
     scope = ldap.SCOPE_SUBTREE
     user_filter = desktop.conf.LDAP.USERS.USER_FILTER.get()
@@ -94,15 +93,25 @@ class LdapConnection(object):
       user_filter = '(' + user_filter + ')'
     user_name_attr = desktop.conf.LDAP.USERS.USER_NAME_ATTR.get()
 
+    # sanitize input
+    sanitized_username = ldap.filter.escape_filter_chars(username)
+
+    # if we are to find this user by full distinguished name,
+    # then search by setting search_dn to the provided username
+    # rather than by filtering by user_name_filter.
     if find_by_dn:
-      sanitized_name = ldap.filter.escape_filter_chars(username)
-      user_name_filter = '(distinguishedName=' + sanitized_name + ')'
+      search_dn = sanitized_username
+      user_name_filter = ''
+    # else use the root dn as the search_dn as is and assume that
+    # the provided username is not a full distinguished name.
+    # Search for the username by filtering on user_name_attr.
     else:
-      sanitized_name = ldap.filter.escape_filter_chars(username)
-      user_name_filter = '(' + user_name_attr + '=' + sanitized_name + ')'
+      search_dn = self._get_root_dn()
+      user_name_filter = '(' + user_name_attr + '=' + sanitized_username + ')'
+
     ldap_filter = '(&' + user_filter + user_name_filter + ')'
-    ldap_result_id = self.ldap_handle.search(base_dn, scope, ldap_filter)
+    ldap_result_id = self.ldap_handle.search(search_dn, scope, ldap_filter)
     result_type, result_data = self.ldap_handle.result(ldap_result_id)
     if result_type == ldap.RES_SEARCH_RESULT and result_data[0][0] is not None:
       data = result_data[0][1]
-- 
1.7.9.6 (Apple Git-31.1)
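Review bot: In the `if find_by_dn:` branch the supplied DN becomes the search base while `scope` is still `ldap.SCOPE_SUBTREE` (assigned just before this hunk) and `user_name_filter` is emptied, so a DN that names a container rather than a leaf entry returns every entry beneath it that matches `user_filter`, and the code below silently takes `result_data[0]` as "the" user; a lookup by DN should pin the scope, e.g. `search_dn = username` followed by `scope = ldap.SCOPE_BASE` inside that block. Running the DN through `ldap.filter.escape_filter_chars` before using it as a base DN also looks wrong: that helper escapes filter metacharacters (`\`, `*`, `(`, `)`), not DN syntax, so a DN carrying an RFC 4514 escape such as `CN=Smith\, John,...` would be rewritten with `\5c,` and no longer resolve — keep `sanitized_username` for the filter branch only and pass the raw `username` as the base. `find_user` begins before and continues after this hunk, so whether the DN is validated elsewhere cannot be seen here.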