ldap: fix group membership search handling when the group members are listed by 'dn' (#4684) (#4688)

Also, fixed typo in group member list return size check.
6 years ago · 43bca4df40
1 changed files with 15 additions and 5 deletions
--- a/pkg/auth/ldap/ldap.go
+++ b/pkg/auth/ldap/ldap.go
@ -268,12 +268,21 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
 		if err != nil {
 			log.Error(2, "LDAP: Group search failed: %v", err)
 			return "", "", "", "", false, false
-		} else if len(sr.Entries) < 1 {
+		} else if len(srg.Entries) < 1 {
 			log.Error(2, "LDAP: Group search failed: 0 entries")
 			return "", "", "", "", false, false
 		}

 		isMember := false
+		if ls.UserUID == "dn" {
+			for _, group := range srg.Entries {
+				for _, member := range group.GetAttributeValues(ls.GroupMemberUID) {
+					if member == sr.Entries[0].DN {
+						isMember = true
+					}
+				}
+			}
+		} else {
 			for _, group := range srg.Entries {
 				for _, member := range group.GetAttributeValues(ls.GroupMemberUID) {
 					if member == uid {
@ -281,6 +290,7 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) (string, str
 					}
 				}
 			}
+		}

 		if !isMember {
 			log.Trace("LDAP: Group membership test failed [username: %s, group_member_uid: %s, user_uid: %s", username, ls.GroupMemberUID, uid)