KeyError: 'uid' - When browsing "Users" section in Account Manager

[totalcaos@…]

When browsing to the users section in account manager i see this error:

Trac detected an internal error:
KeyError: 'uid'

Tracelog:

File "build/bdist.linux-x86_64/egg/security/ldapstore.py", line 59, in get_users
Code fragment:
	
        try:
51	            con = self.init_connection()
52	            resp = con.search_s(base, ldap.SCOPE_SUBTREE, filter, ['dn','uid'])
53	        finally:
54	            if con != None:
55	                con.unbind()
56	       
57	        self.log.debug('List users: get %d users' % (len(resp)))
58	        for entry in resp:
59	            if entry[1]['uid'][0]:
60	                yield entry[1]['uid'][0]

The issue is that the user_matchfilter = sAMAccountName=%s not the default uid which i believe is hard referenced in your code (line 52)

Is there a way to make this more generic?

[Jun Omae]

I think that it should add an option to specify LDAP field to match the username and authenticate rather than a part of LDAP filter.

Also, the username to use in LDAP filter should be escaped using ​ldap.filter.filter_format().

Untested patch:

ldapacctmngrplugin/trunk/ldapacctmngrplugin/security/ldapstore.py

@@ -11 +11 @@
     bind_passwd = Option('ldap', 'bind_passwd', '', doc='For server not accepting anonymous bind, specify a bind_dn and password.')
     user_searchbase = Option('ldap', 'user_searchbase', 'dc=company,dc=com', doc='Where to look for users. It is usually "dc=your_company_name,dc=com". Please consult the structure of your LDAP tree.')
     user_searchfilter = Option('ldap', 'user_searchfilter', 'objectClass=inetOrgPerson', doc='Filter for listing valid users. The default ("objectClass=inetOrgPerson") should work for most of the cases.')
-    user_matchfilter = Option('ldap', 'user_matchfilter', 'uid=%s', doc='The LDAP field for matching username when authenticating. The query is almost always "uid=%s".')
+    user_field = Option('ldap', 'user_field', 'uid',
+        doc="""The LDAP field to match the username and authenticate.""")
 
     implements(IPasswordStore)
 
@@ -19 +20 @@
         # Authenticate a user by checking password
         con = None
         base = self.user_searchbase
-        filter = self.user_matchfilter % user
+        user_field = self.user_field
+        filter_ = ldap.filter.filter_format('%s=%s', [user_field, user])
 
         # nested "try:" for python2.4
         try:
             try:
                 con = self.init_connection()
-                resp = con.search_s(base, ldap.SCOPE_SUBTREE, filter, ['dn'])
+                resp = con.search_s(base, ldap.SCOPE_SUBTREE, filter_, ['dn'])
 
                 # Added to prevent empty password authentication (some server allows that)
                 if not len(resp) :
@@ -44 +46 @@
         # Get list of users from LDAP server
         con = None
         base = self.user_searchbase
+        user_field = self.user_field
         filter = self.user_searchfilter
         resp = None
 
         try:
             con = self.init_connection()
-            resp = con.search_s(base, ldap.SCOPE_SUBTREE, filter, ['dn','uid'])
+            resp = con.search_s(base, ldap.SCOPE_SUBTREE, filter,
+                                ['dn', user_field])
         finally:
             if con != None:
                 con.unbind()
 
         self.log.debug('List users: get %d users' % (len(resp)))
         for entry in resp:
-            if entry[1]['uid'][0]:
-                yield entry[1]['uid'][0]
+            value = entry[1][user_field][0]
+            if value:
+                yield value
 
     def init_connection(self):
         # Initialize LDAP connection

[totalcaos@…]

Thanks for the patch,

I modifed the ldapstore.py based on your patch, and have this config in trac.ini:

[ldap]
bind_anonymous = no
bind_dn = CN=srv_ldap,CN=ServiceAccounts,CN=Users,DC=corp,DC=xxxx,DC=com
bind_passwd = XXXX
bind_server = ldap://xxxx:389
user_matchfilter = sAMAccountName=%s
user_field = sAMAccountName=%s
user_searchbase = CN=Staff,CN=Users,DC=corp,DC=xxx,DC=com
user_searchfilter = objectClass=person

I no longer see the KeyError: 'uid' when going to Admin -> Users, but don't see a list of my LDAP users. What am I doing that not correct?

How do I help you test this patch?

Thanks!

[Jun Omae]

Replying to totalcaos@…:

I modifed the ldapstore.py based on your patch, and have this config in trac.ini:

[ldap]
bind_anonymous = no
bind_dn = CN=srv_ldap,CN=ServiceAccounts,CN=Users,DC=corp,DC=xxxx,DC=com
bind_passwd = XXXX
bind_server = ldap://xxxx:389
user_matchfilter = sAMAccountName=%s
user_field = sAMAccountName=%s
user_searchbase = CN=Staff,CN=Users,DC=corp,DC=xxx,DC=com
user_searchfilter = objectClass=person

I no longer see the KeyError: 'uid' when going to Admin -> Users, but don't see a list of my LDAP users. What am I doing that not correct?

The user_field option should be sAMAccountName, not sAMAccountName=%s.

user_field = sAMAccountName

[Jun Omae]

The patch is revised and tested with Active Directory 2012 R2: t13487-v2.diff​

Could you please try the patch?

P.S. I noticed the LDAPStore authenticates wrongly any username with empty password. The patch includes fix for this.

[Jun Omae]

Here is configuration for the testing.

[ldap]
bind_anonymous = no
bind_dn = administrator@DOMAIN.REALM
bind_passwd = passphrase
bind_server = ldap://DOMAIN.REALM/
user_matchfilter = sAMAccountName=%s
user_field = sAMAccountName
user_searchbase = dc=DOMAIN,dc=REALM
user_searchfilter = &(objectClass=user)(!(objectClass=computer))