Question

我需要使用Django中的LDAP查询来检索用户所在的组列表。用例是：用户填写他的LDAP登录凭据，Django将对他进行身份验证，并且还将分配他的 LDAP组。

用户登录完美无瑕，但我无法使用memberUid=%(user)s过滤群组。 我正在寻找合适的方法将用户名作为过滤器参数传递给＆＃34; groupfilter＆＃34;属性即可。我用LDAP应用程序浏览器测试了查询，似乎工作正常。

操作系统：Ubuntu 14.04 x64
Python版本： 2.7.6
Django版本：（1,6,11，＆＃39; final＆＃39;，0）

RatticWeb LDAP配置

我使用RatticWeb django应用程序管理用户＆＃39;具有以下本地配置的密码（另请参阅Rattic repository wiki）：

的 CONF / local.cfg

[ldap]
requirecert = True
# LDAP server details
uri = ldap://localhost:port
# Bind DN
binddn = cn=admin,dc=mydomain
bindpw = mypassword
# User parameters
userbase = ou=Users,dc=mydomain
userfilter = (uid=%(user)s)
#userfilter = (objectClass=person)
userfirstname = givenName
userlastname = sn
useldapgroups = True
# Set up the basic group parameters.
groupbase = ou=Groups,dc=mydomain
groupfilter = (&(objectClass=posixGroup)(memberUid=%(user)s))  
grouptype = PosixGroupType
# How do I find staff
#staff = cn=staff,ou=groups,dc=example,dc=com
loglevel = DEBUG

此配置文件由 settings.py （source code）读取：

的 ratticweb / settings.py

 # Defaults to a bogus filter so that searching yields no errors in the log
 AUTH_LDAP_GROUP_FILTER = confget('ldap', 'groupfilter', '(objectClass=_fake)')
 AUTH_LDAP_USER_SEARCH = LDAPSearch(AUTH_LDAP_USER_BASE, ldap.SCOPE_SUBTREE, AUTH_LDAP_USER_FILTER)
 AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_BASE, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER)

LOG

现在，我需要过滤LDAP组，传递来自用户登录表单的用户名参数，我尝试使用相同格式的 userfilter ，但服务器给我回复了以下错误：

[Wed Jan 13 16:51:24.257325 2016] [:error] [pid 11280] 2016-01-13 16:51:24,256 [ERROR] Caught Exception while authenticating myusername
[Wed Jan 13 16:51:24.257438 2016] [:error] [pid 11280] Traceback (most recent call last):
[Wed Jan 13 16:51:24.257478 2016] [:error] [pid 11280]   File "/usr/local/lib/python2.7/dist-packages/django_auth_ldap/backend.py", line 323, in authenticate
[Wed Jan 13 16:51:24.257515 2016] [:error] [pid 11280]     self._get_or_create_user()
[Wed Jan 13 16:51:24.257550 2016] [:error] [pid 11280]   File "/usr/local/lib/python2.7/dist-packages/django_auth_ldap/backend.py", line 539, in _get_or_create_user
[Wed Jan 13 16:51:24.257586 2016] [:error] [pid 11280]     self._mirror_groups()
[Wed Jan 13 16:51:24.257620 2016] [:error] [pid 11280]   File "/usr/local/lib/python2.7/dist-packages/django_auth_ldap/backend.py", line 638, in _mirror_groups
[Wed Jan 13 16:51:24.257697 2016] [:error] [pid 11280]     group_names = self._get_groups().get_group_names()
[Wed Jan 13 16:51:24.257734 2016] [:error] [pid 11280]   File "/usr/local/lib/python2.7/dist-packages/django_auth_ldap/backend.py", line 755, in get_group_names
[Wed Jan 13 16:51:24.257770 2016] [:error] [pid 11280]     group_infos = self._get_group_infos()
[Wed Jan 13 16:51:24.257804 2016] [:error] [pid 11280]   File "/usr/local/lib/python2.7/dist-packages/django_auth_ldap/backend.py", line 803, in _get_group_infos
[Wed Jan 13 16:51:24.257835 2016] [:error] [pid 11280]     self._group_search)
[Wed Jan 13 16:51:24.257864 2016] [:error] [pid 11280]   File "/usr/local/lib/python2.7/dist-packages/django_auth_ldap/config.py", line 374, in user_groups
[Wed Jan 13 16:51:24.257893 2016] [:error] [pid 11280]     groups = search.execute(ldap_user.connection)
[Wed Jan 13 16:51:24.257928 2016] [:error] [pid 11280]   File "/usr/local/lib/python2.7/dist-packages/django_auth_ldap/config.py", line 150, in execute
[Wed Jan 13 16:51:24.257957 2016] [:error] [pid 11280]     filterstr = self.filterstr % filterargs
[Wed Jan 13 16:51:24.257990 2016] [:error] [pid 11280] TypeError: format requires a mapping

编辑：错误原因

LDAPSearch的构造函数按如下方式填充其属性：

self.base_dn = 'groupbase = ou=Groups,dc=mydomain'
self.scope = ldap.SCOPE_SUBTREE
self.filterstr = '(&(objectClass=posixGroup)(memberUid=%(user)s))'

/usr/local/lib/python2.7/dist-packages/django_auth_ldap/config.py#150

def execute(self, connection, filterargs=()):
    """
    Executes the search on the given connection (an LDAPObject). filterargs
    is an object that will be used for expansion of the filter string.

    The python-ldap library returns utf8-encoded strings. For the sake of
    sanity, this method will decode all result strings and return them as
    Unicode.
    """
    try:
        filterstr = self.filterstr % filterargs
        results = connection.search_s(self.base_dn.encode('utf-8'),
                                      self.scope,
                                      filterstr.encode('utf-8'))
    except ldap.LDAPError, e:
        results = []
        logger.error(u"search_s('%s', %d, '%s') raised %s" %
                     (self.base_dn, self.scope, filterstr, pprint.pformat(e)))

    return self._process_results(results)

Answer 1

最后，我找到了解决方案：

的 CONF / local.cfg

[ldap] .... # Set up the basic group parameters. groupbase = ou=Groups,dc=mydomain groupfilter = (objectClass=posixGroup) grouptype = PosixGroupType ...

关键因素是使用groupType PosixGroupType，因为关于Groups的查询将由Django Auth LDAP在memberUid参数上过滤（观察user_groups函数的else部分：

class PosixGroupType(LDAPGroupType): """ An LDAPGroupType subclass that handles groups of class posixGroup. """ def user_groups(self, ldap_user, group_search): """ Searches for any group that is either the user's primary or contains the user as a member. """ groups = [] try: user_uid = ldap_user.attrs['uid'][0] if 'gidNumber' in ldap_user.attrs: user_gid = ldap_user.attrs['gidNumber'][0] filterstr = u'(|(gidNumber=%s)(memberUid=%s))' % ( self.ldap.filter.escape_filter_chars(user_gid), self.ldap.filter.escape_filter_chars(user_uid) ) else: filterstr = u'(memberUid=%s)' % ( self.ldap.filter.escape_filter_chars(user_uid), ) search = group_search.search_with_additional_term_string(filterstr) groups = search.execute(ldap_user.connection) except (KeyError, IndexError): pass return groups

根据Django

RatticWeb LDAP配置

LOG

编辑：错误原因

1 个答案: