From 87ea8f8ba431ecc72de86d97fa5de9080a30f36b Mon Sep 17 00:00:00 2001
From: Christian Schmidt
Date: Wed, 17 Feb 2021 01:04:50 +0100
Subject: [PATCH 1/3] Fixes more than 1 result in Active Directory

When Active Directory has several domain trees, will respond with an array with the DN and the references. This removes all the references from the array.
---
 ldapauthenticator/ldapauthenticator.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
index c195786..b5d5ea7 100644
--- a/ldapauthenticator/ldapauthenticator.py
+++ b/ldapauthenticator/ldapauthenticator.py
@@ -513,9 +513,12 @@ def authenticate(self, handler: web.RequestHandler, data: dict) -> typing.Option
 search_scope=ldap3.SUBTREE,
 attributes=self.user_membership_attribute if self.allowed_groups else list(),
 paged_size=2)
+
+ # remove all searchResRef from response
+ conn.response = [search_ref for search_ref in conn.response if 'type' in search_ref and search_ref['type'] != 'searchResRef']
 
 # handle abnormal search results
- if not conn.response or len(conn.response) > 1:
+ if (not conn.response or len(conn.response) > 1) and not active_directory:
 self.log.error(("LDAP search '{}' returned {} results. " +
 "Please narrow search to 1 result").format(
 auth_user_search_filter, len(conn.response)))
From 18a9733272d6a4aa1092477dfd7d93a529a042a6 Mon Sep 17 00:00:00 2001
From: Christian Schmidt
Date: Wed, 17 Feb 2021 01:10:03 +0100
Subject: [PATCH 2/3] Update ldapauthenticator.py
---
 ldapauthenticator/ldapauthenticator.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
index b5d5ea7..f540385 100644
--- a/ldapauthenticator/ldapauthenticator.py
+++ b/ldapauthenticator/ldapauthenticator.py
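Review bot: In the patch 1/3 hunk, the added list comprehension is a deny-list: it keeps every response item whose `type` is anything other than `searchResRef`, and those items then count toward the exactly-one-result check that decides whether a login proceeds. For an authentication path it is safer to keep only real entries, e.g. `conn.response = [r for r in conn.response if r.get('type') == 'searchResEntry']`. The same hunk appends `and not active_directory` to the guard; that name is not defined in the visible lines and, when true, would skip the zero/multiple-result check entirely. Patch 2/3 removes it again, so the series would read better squashed. `authenticate` starts and ends outside the hunk, so how `conn.response` is used afterwards is not visible here.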
@@ -518,7 +518,7 @@ def authenticate(self, handler: web.RequestHandler, data: dict) -> typing.Option
 conn.response = [search_ref for search_ref in conn.response if 'type' in search_ref and search_ref['type'] != 'searchResRef']
 
 # handle abnormal search results
- if (not conn.response or len(conn.response) > 1) and not active_directory:
+ if not conn.response or len(conn.response) > 1:
 self.log.error(("LDAP search '{}' returned {} results. " +
 "Please narrow search to 1 result").format(
 auth_user_search_filter, len(conn.response)))
From 648918db61a4175eb0a1b01121c4e3afc66116eb Mon Sep 17 00:00:00 2001
From: Christian Schmidt
Date: Wed, 17 Feb 2021 01:10:47 +0100
Subject: [PATCH 3/3] Update ldapauthenticator.py
---
 ldapauthenticator/ldapauthenticator.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
index f540385..03cdf1a 100644
--- a/ldapauthenticator/ldapauthenticator.py
+++ b/ldapauthenticator/ldapauthenticator.py
@@ -518,7 +518,7 @@ def authenticate(self, handler: web.RequestHandler, data: dict) -> typing.Option
 conn.response = [search_ref for search_ref in conn.response if 'type' in search_ref and search_ref['type'] != 'searchResRef']
 
 # handle abnormal search results
- if not conn.response or len(conn.response) > 1:
+ if not conn.response or len(conn.response) > 1:
 self.log.error(("LDAP search '{}' returned {} results. " +
 "Please narrow search to 1 result").format(
 auth_user_search_filter, len(conn.response)))
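Review bot: In the patch 2/3 hunk, the restored guard `if not conn.response or len(conn.response) > 1:` still reports the empty case with "Please narrow search to 1 result", which is misleading now that referrals are stripped before the check. A user who exists only in a referred domain tree will produce zero entries, and the log will tell the operator to narrow a search that found nothing. Handling the empty case on its own, `if not conn.response:` with a message saying no entry was found and that only referrals may have been returned, would make failed logins easier to diagnose. The body of `authenticate` continues outside the hunk, so what follows the log call is not visible here.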