Opened 5 years ago
Last modified 5 years ago
#13487 new defect
KeyError: 'uid' - When browsing "Users" section in Account Manager
Reported by: | Owned by: | c0redumb | |
---|---|---|---|
Priority: | high | Component: | LDAPAcctMngrPlugin |
Severity: | major | Keywords: | needinfo |
Cc: | totalcaos | Trac Release: | 1.2 |
Description (last modified by )
When browsing to the users section in account manager I see this error:
```
Trac detected an internal error:
KeyError: 'uid'

Tracelog:
File "build/bdist.linux-x86_64/egg/security/ldapstore.py", line 59, in get_users

Code fragment:
        try:
51          con = self.init_connection()
52          resp = con.search_s(base, ldap.SCOPE_SUBTREE, filter, ['dn','uid'])
53      finally:
54          if con != None:
55              con.unbind()
56
57      self.log.debug('List users: get %d users' % (len(resp)))
58      for entry in resp:
59          if entry[1]['uid'][0]:
60              yield entry[1]['uid'][0]
```
The issue is that the user_matchfilter = sAMAccountName=%s, not the default uid, which I believe is hard referenced in your code (line 52).
Is there a way to make this more generic?
Attachments (1)
Change History (9)
comment:1 Changed 5 years ago by
Description: | modified (diff) |
---|
comment:2 follow-up: 3 Changed 5 years ago by
comment:3 follow-up: 5 Changed 5 years ago by
Thanks for the patch,
I modified the ldapstore.py based on your patch, and have this config in trac.ini:

```ini
[ldap]
bind_anonymous = no
bind_dn = CN=srv_ldap,CN=ServiceAccounts,CN=Users,DC=corp,DC=xxxx,DC=com
bind_passwd = XXXX
bind_server = ldap://xxxx:389
user_matchfilter = sAMAccountName=%s
user_field = sAMAccountName=%s
user_searchbase = CN=Staff,CN=Users,DC=corp,DC=xxx,DC=com
user_searchfilter = objectClass=person
```

I no longer see the KeyError: 'uid' when going to Admin -> Users, but don't see a list of my LDAP users. What am I doing that's not correct?
How do I help you test this patch?
Thanks!
comment:4 Changed 5 years ago by
Cc: | totalcaos added |
---|
comment:5 Changed 5 years ago by
Replying to totalcaos@…:
> I modified the ldapstore.py based on your patch, and have this config in trac.ini:
>
> ```ini
> [ldap]
> bind_anonymous = no
> bind_dn = CN=srv_ldap,CN=ServiceAccounts,CN=Users,DC=corp,DC=xxxx,DC=com
> bind_passwd = XXXX
> bind_server = ldap://xxxx:389
> user_matchfilter = sAMAccountName=%s
> user_field = sAMAccountName=%s
> user_searchbase = CN=Staff,CN=Users,DC=corp,DC=xxx,DC=com
> user_searchfilter = objectClass=person
> ```
>
> I no longer see the KeyError: 'uid' when going to Admin -> Users, but don't see a list of my LDAP users. What am I doing that's not correct?
The user_field option should be sAMAccountName, not sAMAccountName=%s.

```ini
user_field = sAMAccountName
```
Changed 5 years ago by
Attachment: | t13487-v2.diff added |
---|
comment:6 Changed 5 years ago by
The patch is revised and tested with Active Directory 2012 R2: t13487-v2.diff
Could you please try the patch?
P.S. I noticed the LDAPStore wrongly authenticates any username with an empty password. The patch includes a fix for this.
comment:7 Changed 5 years ago by
Here is the configuration for the testing.

```ini
[ldap]
bind_anonymous = no
bind_dn = administrator@DOMAIN.REALM
bind_passwd = passphrase
bind_server = ldap://DOMAIN.REALM/
user_matchfilter = sAMAccountName=%s
user_field = sAMAccountName
user_searchbase = dc=DOMAIN,dc=REALM
user_searchfilter = &(objectClass=user)(!(objectClass=computer))
```
comment:8 Changed 5 years ago by
Keywords: | needinfo added |
---|
I think that it should add an option to specify LDAP field to match the username and authenticate rather than a part of LDAP filter.
Also, the username to use in LDAP filter should be escaped using ldap.filter.filter_format().
Untested patch:
ldapacctmngrplugin/trunk/ldapacctmngrplugin/security/ldapstore.py
, ['dn'])
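
An added example, not the plugin's code and not taken from any patch on this ticket: a sketch of the three points raised in the thread, namely reading usernames from a configurable attribute instead of a hard-coded uid, refusing an empty password before binding, and escaping the username before it enters a filter. All function names are hypothetical, the sample result set is constructed, the escaping is written out by hand so the block runs without python-ldap, and the way user_field is combined with user_searchfilter is an assumption.

```python
# Added example; all helper names are hypothetical, not LDAPAcctMngrPlugin code.
# RFC 4515 escapes for characters that are special inside a filter value, the
# same set python-ldap's ldap.filter.escape_filter_chars() replaces.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_field, username, searchfilter=None):
    """Match one user on the configured attribute, ANDed with the site filter."""
    match = '(%s=%s)' % (user_field, escape_filter_value(username))
    if not searchfilter:
        return match
    if not searchfilter.startswith('('):
        searchfilter = '(%s)' % searchfilter  # config values omit outer parens
    return '(&%s%s)' % (match, searchfilter)


def may_attempt_bind(password):
    """Refuse empty passwords: a simple bind with a DN and no password is an
    unauthenticated bind (RFC 4513 section 5.1.2) that a server may accept."""
    return bool(password)


def usernames_from_results(resp, user_field):
    """Yield usernames from search_s()-style (dn, attrs) tuples."""
    for dn, attrs in resp:
        if dn is None or not isinstance(attrs, dict):
            continue  # referral entry: (None, [ldap urls]), common with AD
        values = attrs.get(user_field) or []  # attribute may be absent
        if values and values[0]:
            value = values[0]
            yield value.decode('utf-8') if isinstance(value, bytes) else value


# Constructed sample shaped like python-ldap search_s() output from AD.
SAMPLE_RESP = [
    ('CN=Alice,CN=Users,DC=example,DC=com', {'sAMAccountName': [b'alice']}),
    ('CN=Printer,CN=Users,DC=example,DC=com', {}),
    (None, ['ldap://DomainDnsZones.example.com/DC=example,DC=com']),
]

if __name__ == '__main__':
    print(list(usernames_from_results(SAMPLE_RESP, 'sAMAccountName')))
    print(build_user_filter('sAMAccountName', 'j*(doe)', 'objectClass=person'))
```

Asking the sample for the uid attribute yields an empty list rather than raising KeyError, which is the failure reported in this ticket.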