From 97fc0658c90d5a51d3fa1cba470fa0d0ba2e6f84 Mon Sep 17 00:00:00 2001
From: Lukas Garberg
Date: Mon, 9 Dec 2024 11:21:02 +0100
Subject: [PATCH] authlib: Avoid following LDAP referrals

LDAP referrals seems to be a somewhat broken concept. By default the LDAP module uses a default anonymous bind to follow referrals which I would expect rarely (never) works. As NIPAP does not support setting up a separate connection for the referrals today, we just skip following them for now. Also avoided sending full LDAP error messages to clients and instead make sure the error is logged.
---
 nipap/nipap.conf.dist | 4 ++--
 nipap/nipap/authlib.py | 7 ++++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/nipap/nipap.conf.dist b/nipap/nipap.conf.dist
index 25e9708d8..0f09964ab 100644
--- a/nipap/nipap.conf.dist
+++ b/nipap/nipap.conf.dist
@@ -113,7 +113,7 @@ db_path = /etc/nipap/local_auth.db ; path to SQLite database used
 #
 #basedn = ou=Users,dc=example,dc=com ; base DN
 #uri = ldaps://ldap.example.com ; LDAP server URI
-#tls = False ; initiate TLS, use ldap://
+#tls = false ; initiate TLS, use ldap://
 #
 # LDAP style
 #binddn_fmt = uid={},ou=Users,dc=example,dc=com
@@ -209,4 +209,4 @@ secret_key = {{WWW_SECRET_KEY}}
 # Specify OTLP HTTP endpoint. Used to send traces to OpenTelemetry Collector but also used when proxying traces to OpenTelemetry-Collector from nipap-cli
 # otlp_http_endpoint=http://opentelemetry-collector:4318/v1/traces
 # Set sampler. Valid values are always_on, always_off, parentbased_always_on, parentbased_always_off, traceidratio and parentbased_traceidratio. Default is parentbased_always_on.
-# otel_traces_sampler = always_on
\ No newline at end of file
+# otel_traces_sampler = always_on
diff --git a/nipap/nipap/authlib.py b/nipap/nipap/authlib.py
index 92fd12c73..07b812887 100644
--- a/nipap/nipap/authlib.py
+++ b/nipap/nipap/authlib.py
@@ -486,6 +486,10 @@ def __init__(self, name, username, password, authoritative_source, auth_options=
 self._logger.error('Unable to load Python ldap module, please verify it is installed')
 raise AuthError('Unable to authenticate')
 
+ # Avoid following referrals for now, as NIPAP doesn't support
+ # initializing a separate connection for them anyway.
+ ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
+
 self._logger.debug('LDAP URI: ' + self._ldap_uri)
 
 self._ldap_conn = ldap.initialize(self._ldap_uri)
@@ -578,7 +582,8 @@ def authenticate(self):
 self.readonly = True
 
 except ldap.LDAPError as exc:
- raise AuthError(exc)
+ self._logger.error("Got LDAP error: %s", exc)
+ raise AuthError("LDAP server returned an error")
 except KeyError:
 raise AuthError('LDAP attribute missing')
 except IndexError:
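Review bot: `ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)` sets a process-wide libldap default rather than an option on this connection, so every other python-ldap user in the same process inherits it, and the global is re-set on every construction of this class. Since the handle is created two lines later with `ldap.initialize`, the same effect scoped to this backend is `self._ldap_conn.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)` placed right after that call. The comment could also say why, e.g. `# Referral chasing would use an anonymous bind on a connection NIPAP never configured`. The body of `__init__` continues outside the hunk.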
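Review bot: The new `except ldap.LDAPError` branch logs only `str(exc)` at ERROR level, and `ldap.LDAPError` is the base class of every python-ldap failure, so if the credential bind sits inside this `try` (its start is outside the hunk) an ordinary wrong password is recorded as an error and answered with "LDAP server returned an error" instead of the module's existing `'Unable to authenticate'` wording. Consider an `except ldap.INVALID_CREDENTIALS:` branch ahead of it that logs at a lower level and raises `AuthError('Unable to authenticate')`, leaving the generic branch for genuine server-side failures. In that generic branch `self._logger.exception("Got LDAP error: %s", exc)` keeps the traceback in the server log, and `raise AuthError("LDAP server returned an error") from exc` attaches the cause for server-side handlers without changing what clients see.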