authlib: Avoid following LDAP referrals

LDAP referrals seems to be a somewhat broken concept. By default the LDAP module uses a default anonymous bind to follow referrals which I would expect rarely (never) works. As NIPAP does not support setting up a separate connection for the referrals today, we just skip following them for now. Also avoided sending full LDAP error messages to clients and instead make sure the error is logged.
SpriteLink · Dec 9, 2024 · 97fc065 · 97fc065
1 parent a528fc1
commit 97fc065
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/nipap/nipap.conf.dist b/nipap/nipap.conf.dist
@@ -113,7 +113,7 @@ db_path = /etc/nipap/local_auth.db     ; path to SQLite database used
 #
 #basedn = ou=Users,dc=example,dc=com       ; base DN
 #uri = ldaps://ldap.example.com            ; LDAP server URI
-#tls = False                            ; initiate TLS, use ldap://
+#tls = false                               ; initiate TLS, use ldap://
 #
 # LDAP style
 #binddn_fmt = uid={},ou=Users,dc=example,dc=com
@@ -209,4 +209,4 @@ secret_key = {{WWW_SECRET_KEY}}
 # Specify OTLP HTTP endpoint. Used to send traces to OpenTelemetry Collector but also used when proxying traces to OpenTelemetry-Collector from nipap-cli
 # otlp_http_endpoint=http://opentelemetry-collector:4318/v1/traces
 # Set sampler. Valid values are always_on, always_off, parentbased_always_on, parentbased_always_off, traceidratio and parentbased_traceidratio. Default is parentbased_always_on.
-# otel_traces_sampler = always_on
+# otel_traces_sampler = always_on
diff --git a/nipap/nipap/authlib.py b/nipap/nipap/authlib.py
@@ -486,6 +486,10 @@ def __init__(self, name, username, password, authoritative_source, auth_options=
             self._logger.error('Unable to load Python ldap module, please verify it is installed')
             raise AuthError('Unable to authenticate')
 
+        # Avoid following referrals for now, as NIPAP doesn't support
+        # initializing a separate connection for them anyway.
+        ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
+
         self._logger.debug('LDAP URI: ' + self._ldap_uri)
         self._ldap_conn = ldap.initialize(self._ldap_uri)
 
@@ -578,7 +582,8 @@ def authenticate(self):
                         self.readonly = True
 
         except ldap.LDAPError as exc:
-            raise AuthError(exc)
+            self._logger.error("Got LDAP error: %s", exc)
+            raise AuthError("LDAP server returned an error")
         except KeyError:
             raise AuthError('LDAP attribute missing')
         except IndexError: