MT#63027 repoapi: use LDAP search with recursion for user retrieval

Switch from AUTH_LDAP_USER_DN_TEMPLATE to AUTH_LDAP_USER_SEARCH,
so we're more flexible:

AUTH_LDAP_USER_DN_TEMPLATE builds the user's DN (Distinguished Name)
directly from a template, without searching though (it assumes you know
the exact DN structure). While being faster, it's also less flexible.

AUTH_LDAP_USER_SEARCH on the other hand performs an LDAP search to find
the user, and by enabling SCOPE_SUBTREE we can also enable recursion.

This change is required to provide e.g. Jose from operations access
to our repoapi.

Also see MT#54080 for some historic information about those changes.

Change-Id: I30b3a3a5801ec3321ac67e533c32e5d4682c1ce3
mprokop/trixie
Michael Prokop 9 months ago
parent 60032927ba
commit 88b90e03b8

@ -85,7 +85,11 @@ AUTH_LDAP_REQUIRE_GROUP_LIST = server_config.get(
"server", "AUTH_LDAP_REQUIRE_GROUP_LIST"
).split(",")
require_grp_list_size = len(AUTH_LDAP_REQUIRE_GROUP_LIST)
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s," + AUTH_LDAP_USER_BASE
AUTH_LDAP_USER_SEARCH = LDAPSearch(
AUTH_LDAP_USER_BASE,
ldap.SCOPE_SUBTREE,
"(uid=%(user)s)"
)
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
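Review bot: the new AUTH_LDAP_USER_SEARCH block depends on a search bind that this hunk does not show. With AUTH_LDAP_USER_DN_TEMPLATE gone, django-auth-ldap has to bind before it can look the user up, and it binds anonymously when AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD are left empty. Please confirm those are set elsewhere in the settings, or that the directory really permits anonymous search under AUTH_LDAP_USER_BASE. Two further points on the same lines: ldap.SCOPE_SUBTREE means any entry below the base with a matching uid is now a login candidate, so uid must be unique across the whole subtree (the search has to return exactly one entry for authentication to proceed), and AUTH_LDAP_REQUIRE_GROUP_LIST becomes the only gate on who gets in. Also, LDAPSearch and ldap must be imported in this file; the imports are outside the visible context. A short comment above the block saying why subtree scope is needed would help the next reader.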
