feat(auth): optional LDAP user primary group

Support absence of primary group attribute optional in LDAP user entries. Just emit warning log instead of raising exception when the attribute is missing. fix #5
rackslab · Aug 28, 2024 · 120cdd5 · 120cdd5
1 parent 486fc69
commit 120cdd5
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,10 @@ and this project adheres to
     initializer with default values _posixGroup_ and _groupOfNames_ to define
     alternative LDAP group object classes (#6).
 
+### Changed
+- auth: Support absence of primary group attribute optional in LDAP user
+  entries (#5).
+
 ### Fixed
 - auth: Handle `UnicodeDecodeError` when loading JWT private key (#3).
 

diff --git a/src/authentication/rfl/authentication/ldap.py b/src/authentication/rfl/authentication/ldap.py
@@ -136,19 +136,21 @@ def _get_user_info(
             ) from err
         try:
             gid = int(results[0][1][self.user_primary_group_attribute][0])
-        except KeyError as err:
-            raise LDAPAuthenticationError(
-                "Unable to extract user primary group with "
-                f"{self.user_primary_group_attribute} attribute from user entries"
-            ) from err
+        except KeyError:
+            logger.warning(
+                "Unable to extract user primary group with %s attribute from user "
+                "entry",
+                self.user_primary_group_attribute
+            )
+            gid = None
         return fullname, gid
 
     def _get_groups(
         self,
         connection: ldap.ldapobject.LDAPObject,
         user_name: str,
         user_dn: str,
-        gid: int,
+        gid: Optional[int],
     ) -> List[str]:
         """Return the list of groups whose provided user is member, including its
         primary group ID. This function supports both RFC 2307 (aka. NIS schema) and
@@ -159,17 +161,19 @@ def _get_groups(
         # In RFC 2307 bis schema, group members are declared with member attributes
         # (with full user dn as values).
         #
-        # In both cases, user primary group declared in user entry must not be forgiven.
+        # In both cases, user primary group declared in user entry (gid argument) must
+        # not be forgiven if defined.
         object_class_filter = "".join(
             [
                 f"(objectClass={object_class})"
                 for object_class in self.group_object_classes
             ]
         )
+        gid_filter = f"(gidNumber={gid})" if gid is not None else ""
         search_filter = (
             "(&"
             f"(|{object_class_filter})"
-            f"(|(memberUid={user_name})(member={user_dn})(gidNumber={gid})))"
+            f"(|(memberUid={user_name})(member={user_dn}){gid_filter}))"
         )
         try:
             results = connection.search_s(
@@ -190,9 +194,9 @@ def _get_groups(
         )
         if not len(results):
             logger.warning(
-                "Unable to find groups in LDAP for user %s or gidNumber %s",
+                "Unable to find groups in LDAP for user %s%s",
                 user_name,
-                gid,
+                f" or gidNumber {gid}" if gid is not None else "",
             )
         try:
             return [